Security

PHsPeed has been designed to be safe for different kind of possible attacks. However, that doesn't mean that there will never be any vulnerabilities. If you think you have found one, then please don't publish it directly on our forum or open media. Instead, inform us, so we have the time to investigate and fix. If possible create a movie showing the way you have hacked the application. A good movie can tell more than a thousand words. Send your issues to hack@phspeed.com.

Besides vulnerabilities in our runtime code, there is always a chance that you have issues in your own code, or libraries you might have included into the code. So if you find issues, then please investigate if the issues are related to PHsPeed, or outside of that.

PHsPeed makes use of PDO. All statements, including queries, are prepared so that SQL injection cannot take place. However, if you use your own code, then you are advised to follow the same approach. Avoid queries that introduce SQL injection issues. Always uses parametrized queries. Example:

    $app->main_dbquery_1->SetQuery('select * from phsp_user where userid=:username and userpsw=:password');
    $app->main_dbquery_1->StringFieldByName(':username',$app->main_edit_1->value);
    $app->main_dbquery_1->StringFieldByName(':password',$app->main_edit_2->value);
    $result=$app->main_dbquery_1->SimpleOpen(true);

PHsPeed generated applications also have additional protection against XSS injection. I.e., if a database already contains an injection script then PHsPeed will display this as valid data, not as javascript. Thus the script will be displayed, but not executed. All input data is escaped by default.

PHsPeed defaults generate code to prevent CSRF attacks. But this code is only generated when you create a PHP application containing a form, and you must have enabled it by setting the 'usecsrf' property to 'true' (which is default).

PHsPeed by default will not allow calling runnable modules from the browser. In general, a PHP application can only run when called from another PHP application. It's up to the developer to 'unlock' applications. By default, PHsPeed will unlock 'main.php' which is considered to be your first application. You can always change that behavior, but it is generally a good idea not to let your sub-applications be called directly from the URL.

PHsPeed saves global data in the $_SESSION space. No data is transferred between PHP applications using HTML variables.

PHsPeed uses the $_GET space to pass security tokens. The reason is that not every page needs to have a form. These tokens are bound to a certain application and use. Changing them, or using a refresh, will cause an invalidation error which will automatically log you out and brings you back to the main application.