Security

PHsPeed contains many measures to be as safe as possible. However, that does not mean there will never be any vulnerabilities. If you think you have found one, please do not publish it directly on our forum or in open media. Instead, inform us, so that we have time to investigate and fix it. If possible, create a video showing how you compromised the application; a good video can tell more than a thousand words. Send your findings to security@phspeed.com.

Besides vulnerabilities in our runtime code, there is always a chance that the issue lies in your own code or in libraries you have included. So if you find an issue, please first check whether it is related to PHsPeed or lies outside of it.

A PHsPeed project can contain many different PHP modules. However, there is only one 'main' application, usually a login page. By default PHsPeed will not allow runnable modules to be called from the browser and will redirect to your defined main application. Thus a PHP application can only run when it is called from another PHP application. It is up to the developer to 'unlock' applications. By default, PHsPeed unlocks 'main.php', which is considered to be your first application. You can always change that behavior, but it is generally a good idea not to let your sub-applications be called directly from the URL.

Calling other PHP modules requires passing data between them. In general, this is done through $_GET and $_POST variables or the session space. All links to other applications are encrypted to protect against tampering.

Of course, the above does not apply to REST servers; these need to be able to 'listen' to everybody. Security headers and other measures depend on the developer's requirements.

If applicable, you can add a role-based access module to your application. It controls which users may access the application and what they are allowed to do with regard to database access. For example, the authorization structure can state that users may enter a certain module but are not allowed to delete, or may only read data.

PHsPeed makes use of PDO. All statements, including queries, are prepared so that SQL injection cannot take place. However, if you use your own code, you are advised to follow the same approach. Avoid queries that introduce SQL injection issues. Always use parameterized queries. Example:

    // Fixed SQL text with named placeholders; no user input is concatenated into it
    $app->main_dbquery_1->SetQuery('select * from phsp_user where userid=:username and userpsw=:password');
    // Bind the form field values to the placeholders as string parameters
    $app->main_dbquery_1->StringFieldByName(':username',$app->main_edit_1->value);
    $app->main_dbquery_1->StringFieldByName(':password',$app->main_edit_2->value);
    // Execute the prepared statement
    $result=$app->main_dbquery_1->SimpleOpen(true);
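
As an added example (not PHsPeed's own code), the same lookup written with plain PDO: the string-concatenated form beside the parameterized form, run against an in-memory SQLite database with a constructed sample user so it can be tried offline. The table name, columns and placeholders follow the snippet above; the pdo_sqlite extension is assumed to be installed.

```php
<?php
// Added example, not PHsPeed code: plain PDO against an in-memory SQLite database
// (assumes the pdo_sqlite extension is available). Table name and placeholders
// mirror the PHsPeed snippet above; the user row is constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$pdo->exec('CREATE TABLE phsp_user (userid TEXT NOT NULL, userpsw TEXT NOT NULL)');
$insert = $pdo->prepare('INSERT INTO phsp_user (userid, userpsw) VALUES (:u, :p)');
$insert->execute([':u' => "O'Brien", ':p' => 'secret']);   // constructed sample user

// UNSAFE: input is spliced into the SQL text, so a quote in the input changes the
// statement itself. This is the pattern the text above tells you to avoid.
function findUserUnsafe(PDO $pdo, string $username, string $password): ?array
{
    $sql = "SELECT * FROM phsp_user WHERE userid='$username' AND userpsw='$password'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// SAFE: the SQL text is fixed and the values travel separately as bound
// parameters, so the database never parses them as SQL.
function findUserSafe(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT * FROM phsp_user WHERE userid = :username AND userpsw = :password'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->bindValue(':password', $password, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$username = "O'Brien";   // a perfectly legitimate username containing an apostrophe

// Parameterized: the apostrophe is just data, and the row is found.
$found = findUserSafe($pdo, $username, 'secret') !== null;
echo 'safe lookup found the user: ' . var_export($found, true) . PHP_EOL;

// Concatenated: the same apostrophe breaks the statement. With ERRMODE_EXCEPTION
// that surfaces as a PDOException; without it, the query would fail silently or,
// for other inputs, run with a different meaning than intended.
try {
    findUserUnsafe($pdo, $username, 'secret');
} catch (PDOException $e) {
    echo 'unsafe lookup failed: ' . $e->getMessage() . PHP_EOL;
}
```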

PHsPeed-generated applications also have additional protection against XSS injection: if a database already contains an injected script, PHsPeed will display it as plain data, not as JavaScript. The script is displayed, but not executed. All input data is escaped by default.

By default PHsPeed generates code to prevent CSRF attacks. This code is only generated when you create a PHP application containing a form, and you must have enabled it by setting the 'usecsrf' property to 'true' (which is the default).

PHsPeed saves global data in the $_SESSION space. No data is transferred between PHP applications using HTML variables.