When developing web and mobile projects, security is one of the many things we have to think about. A framework gives us a more consistent and more secure way of building applications.
Below we discuss some of the benefits a framework brings to a team, compared with building our own tooling from scratch.
A framework is a base platform designed to be reused across a wide range of projects, so security is a central concern for its authors and a broad range of commonly needed protections is already implemented.
A framework used by thousands of developers is also tested by thousands of developers, who find faults, report them and constantly improve the code. If we build a platform only for ourselves, we are the only ones testing it, nobody else will report its security flaws to us, and those flaws can be used against us.
Building a secure platform is a demanding task. A framework saves us a great deal of that work and takes on part of the security burden, so we can spend our time on our technology or business instead of on security plumbing.
As new flaws, attack techniques and vulnerabilities are discovered, we can count on receiving updates for the platform.
At Rootstack, working with frameworks is common practice. Here are some tips on how we protect ourselves from some of the most common attacks.
SQL injection is one of the most common attacks on websites. Platforms built on Drupal and Symfony usually include protection against it:
Drupal provides a set of functions for accessing the database; the canonical one is db_query().
db_query() accepts parameterized queries: each placeholder in the query string is replaced, in the order in which it appears, with the corresponding argument, escaped correctly for its type (%d for integers, '%s' for strings).
Example:
[prism:php]
db_query("SELECT n.nid FROM {node} n WHERE n.nid > %d", $nid);
db_query("SELECT n.nid FROM {node} n WHERE n.type = '%s'", $type);
db_query("SELECT n.nid FROM {node} n WHERE n.nid > %d AND n.type = '%s'", $nid, $type);
db_query("SELECT n.nid FROM {node} n WHERE n.type = '%s' AND n.nid > %d", $type, $nid);
[/prism:php]
Newer versions of Drupal, built on PHP's PDO, also accept named placeholders and an array of arguments; an array value is expanded into a bound IN list:
[prism:php]
db_query("SELECT t.s FROM {table} t WHERE t.field IN (:users)", array(':users' => $from_user));
[/prism:php]
Or:
[prism:php]
$result = db_select('table', 't')
  ->fields('t', array('s'))
  ->condition('t.field', $from_user, 'IN')
  ->execute();
[/prism:php]
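As an added example (not code from the original post or from Drupal itself), here is the injectable pattern next to its parameterized Drupal 7 equivalents, plus the cases placeholders do not cover on their own: an IN list built from an array, a LIKE pattern, and a column name used for sorting. It assumes a Drupal 7 bootstrap; db_query(), db_select() and db_like() are Drupal's own functions, while the wrapper function names, the 'administer items' style inputs and the allowed sort columns are our assumptions.

```php
<?php
// Added example, not part of the original post. Assumes Drupal 7 APIs.

// VULNERABLE: $type comes straight from the request and is pasted into the
// SQL text. A value such as  page' OR '1'='1  rewrites the query.
function example_nids_by_type_vulnerable($type) {
  return db_query("SELECT n.nid FROM {node} n WHERE n.type = '" . $type . "'")->fetchCol();
}

// SAFE: named placeholder. The value is bound by PDO and never parsed as SQL,
// so the same input above simply matches no node type.
function example_nids_by_type($type) {
  return db_query("SELECT n.nid FROM {node} n WHERE n.type = :type",
    array(':type' => $type))->fetchCol();
}

// An array argument expands to one bound value per element. An empty array
// cannot expand to a valid IN list, so guard for it before querying.
function example_nids_by_types(array $types) {
  if (empty($types)) {
    return array();
  }
  return db_query("SELECT n.nid FROM {node} n WHERE n.type IN (:types)",
    array(':types' => $types))->fetchCol();
}

// Placeholders protect values only. Two things they do not cover:
//  1. LIKE wildcards: % and _ inside user input still act as wildcards after
//     binding, so escape them with db_like() before appending our own '%'.
//  2. Identifiers: a column name cannot be bound, so the sort column must be
//     checked against a fixed whitelist, never taken verbatim from the request.
function example_nids_by_title_prefix($prefix, $sort) {
  $allowed = array('created', 'changed', 'title');   // assumed whitelist
  if (!in_array($sort, $allowed, TRUE)) {
    $sort = 'created';
  }
  $query = db_select('node', 'n')
    ->fields('n', array('nid'))
    ->condition('n.title', db_like($prefix) . '%', 'LIKE')
    ->orderBy('n.' . $sort, 'DESC');
  return $query->execute()->fetchCol();
}
```

The first two functions differ in a single character class: with concatenation the quote in the input closes the SQL string, with a placeholder it is just data. The last function is the one worth keeping in mind, because the framework cannot parameterize a column name for you; that part of the query is still your responsibility.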
Symfony uses a PHP ORM called Doctrine. Doctrine maps the database structure to PHP objects and also serves as a database abstraction layer.
With Doctrine it is possible to use prepared statements. This is a two-step process that keeps the query text separate from its parameters: the statement is prepared first and the values are bound afterwards, so the database never interprets a parameter value as part of the SQL.
Examples of such queries:
[prism:php]
// SQL Prepared Statements: Positional
$sql = "SELECT * FROM users WHERE username = ?";
$stmt = $connection->prepare($sql);
$stmt->bindValue(1, $_GET['username']);
$stmt->execute();

// SQL Prepared Statements: Named
$sql = "SELECT * FROM users WHERE username = :user";
$stmt = $connection->prepare($sql);
$stmt->bindValue("user", $_GET['username']);
$stmt->execute();
[/prism:php]
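The snippets above are raw SQL through the DBAL layer. As an added example (not code from the original post or from Doctrine), the block below shows that Doctrine's own query language, DQL, is parsed in the same way and is just as injectable when values are concatenated in, and how the ORM and the DBAL bind values instead. It assumes the Doctrine DBAL 2 API used by the snippet above, a `Doctrine\DBAL\Connection` and an ORM `EntityManager` obtained from Symfony's container, and an entity `AppBundle\Entity\User` with `id` and `username` fields and a `users` table (the entity, the table and the function names are assumptions).

```php
<?php
// Added example, not part of the original post. Assumes Doctrine DBAL 2 / ORM 2.

use Doctrine\DBAL\Connection;
use Doctrine\ORM\EntityManagerInterface;

// VULNERABLE: DQL is parsed into SQL, so a quote in $username breaks out of
// the string literal exactly as it would in raw SQL. The ORM does not help here.
function example_find_by_name_vulnerable(EntityManagerInterface $em, $username)
{
    return $em->createQuery(
        "SELECT u FROM AppBundle\Entity\User u WHERE u.username = '" . $username . "'"
    )->getResult();
}

// SAFE: the DQL parser sees only the :name placeholder; the value is bound.
function example_find_by_name(EntityManagerInterface $em, $username)
{
    return $em->createQuery('SELECT u FROM AppBundle\Entity\User u WHERE u.username = :name')
        ->setParameter('name', $username)
        ->getResult();
}

// SAFE, DBAL: an IN list needs one bound value per element. Passing the array
// together with the PARAM_INT_ARRAY type makes DBAL expand the single
// placeholder into the right number of bound integers.
function example_find_by_ids(Connection $connection, array $ids)
{
    if (empty($ids)) {
        return array();   // an empty IN () is a syntax error
    }
    $stmt = $connection->executeQuery(
        'SELECT id, username FROM users WHERE id IN (?)',
        array($ids),
        array(Connection::PARAM_INT_ARRAY)
    );
    return $stmt->fetchAll();
}
```

The point of the first pair is that "using an ORM" is not by itself the protection; binding parameters is. Anything that concatenates user input into a query string, whether SQL or DQL, reintroduces the bug.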
Cross-site request forgery (CSRF) is an attack in which a malicious site makes the victim's browser send a request to an application where the user is already authenticated, so the application performs an action the user never intended to perform.
With Drupal, protecting our site from CSRF attacks is easy.
Drupal has an API called Form API, which is used to build forms. Every form built with it is protected against CSRF: a token is added automatically when the form is generated and verified when the form is submitted.
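Form API only protects forms. A plain link that changes state (a "delete" link, for instance) gets no token, so it is exactly the kind of request a CSRF page can trigger. As an added example (not code from the original post or from Drupal), the block below protects such a link with Drupal 7's drupal_get_token() and drupal_valid_token(), which are Drupal's own functions; the module name `mymodule`, the `item/%/delete` path and the `administer items` permission are assumptions.

```php
<?php
// Added example, not part of the original post. Assumes Drupal 7.

function mymodule_menu() {
  $items = array();
  $items['item/%/delete'] = array(
    'page callback' => 'mymodule_delete_item',
    'page arguments' => array(1),
    'access arguments' => array('administer items'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

// Build the link. The token is derived from the user's session and from the
// value passed in, so it is bound to this item: a token captured for one item
// does not validate for another, and a token from another session never does.
function mymodule_delete_link($id) {
  return l(t('Delete'), 'item/' . $id . '/delete', array(
    'query' => array('token' => drupal_get_token('mymodule_delete_' . $id)),
  ));
}

// Page callback. Refuse unless the token matches for this item and session.
// A forged request from another site cannot know the token, so it ends here.
function mymodule_delete_item($id) {
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'mymodule_delete_' . $id)) {
    return MENU_ACCESS_DENIED;
  }
  // ... delete the item ...
  drupal_set_message(t('Item deleted.'));
  drupal_goto('item/list');
}
```

The token value must match on both sides ('mymodule_delete_' plus the id), otherwise drupal_valid_token() rejects it. The more idiomatic Drupal answer for destructive actions is a confirmation form built with Form API, which gets the token for free; the manual check above is for the cases where a link or AJAX callback genuinely has to do the work.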
Symfony includes a security component that can be used to protect against CSRF attacks. When a form such as the login form is generated, the component uses a token provider (the token manager) to create the token, and the provider to use can be specified in the firewall configuration:
[prism:yaml]
# app/config/security.yml
security:
    # ...
    firewalls:
        secured_area:
            # ...
            form_login:
                # ...
                csrf_token_generator: security.csrf.token_manager
[/prism:yaml]
The example above specifies the token generator for the login form. Now we have to add the token to the form itself, as a hidden field that the login listener checks on submit:
[prism:twig]
{# src/AppBundle/Resources/views/Security/login.html.twig #}

{# ... #}

<form action="{{ path('login') }}" method="post">
    {# ... the login fields #}

    <input type="hidden" name="_csrf_token"
        value="{{ csrf_token('authenticate') }}"
    >

    <button type="submit">login</button>
</form>
[/prism:twig]
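The login form is checked for us by the firewall, and forms built with Symfony's Form component get a `_token` field and its validation automatically. A hand-written form in a controller gets neither, so the check has to be explicit. As an added example (not code from the original post or from Symfony), the controller below validates the token with the FrameworkBundle helper isCsrfTokenValid(), which exists in Symfony 2.6 and later. It assumes a template that renders `<input type="hidden" name="_token" value="{{ csrf_token('delete_item') }}">` and an `item_list` route; the controller, the token id `delete_item` and the route name are assumptions.

```php
<?php
// Added example, not part of the original post. Assumes Symfony 2.6+.

namespace AppBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;

class ItemController extends Controller
{
    // A state-changing action: only accept POST, and only with a valid token.
    public function deleteAction(Request $request, $id)
    {
        // GET must never change state: a forged <img src> or a link is a GET.
        if (!$request->isMethod('POST')) {
            return new Response('Method not allowed', 405);
        }

        // The token id passed here must be the same one used in the template's
        // csrf_token('delete_item') call; a token minted for another id fails.
        $token = $request->request->get('_token');
        if (!$this->isCsrfTokenValid('delete_item', $token)) {
            return new Response('Invalid CSRF token', 403);
        }

        // ... delete the item identified by $id ...

        return $this->redirectToRoute('item_list');
    }
}
```

Rejecting non-POST requests first matters on its own: even with a token check in place, an action reachable by GET is easy to trigger from another origin, and the framework cannot know that a particular GET was meant to be harmless.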
These are some very specific cases of how these platforms can help us with the security of our code.
However, both platforms offer many more tools we can use in our projects.
Drupal has a Security Team with a number of responsibilities within the community and the platform:
In addition, Drupal provides a set of APIs and tools that help keep code secure.
More information about them:
Symfony's main tools are in its Security component.
Some of the ones we use are: