-
Notifications
You must be signed in to change notification settings - Fork 0
Security
Laureano F. Lamonega edited this page Jul 17, 2026
·
1 revision
The template engine auto-escapes {{ }} output using htmlspecialchars() with ENT_QUOTES and UTF-8 encoding. Only {{{ }}} emits raw, trusted HTML.
When writing native PHP views, always escape user-facing data:
<?= e($user->name) ?>All query values use PDO prepared statements with ? placeholders:
DB::table('users')->where('email', 'user@example.com')->get();
// SQL: SELECT * FROM users WHERE email = ?
Column and table names passed to where(), orWhere(), join(), orderBy(), groupBy(), having(), increment(), and decrement() are validated against a strict whitelist:
^[a-zA-Z_][a-zA-Z0-9_]*(?:\.[a-zA-Z_][a-zA-Z0-9_]*)*$Only developer-controlled values should be passed to select() and aggregate functions — they are not validated.
- Token stored server-side in the session
- Timing-safe comparison via
hash_equals() - Middleware returns HTTP 419 on mismatch
- Safe methods (GET, HEAD, OPTIONS) pass through
See Sessions & CSRF for details.
The framework sends these headers by default:
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Controller validation returns only validated fields — no raw input leaks through. The 8 built-in rules cover common cases:
| Rule | Description |
|---|---|
required |
Field must be present and non-empty |
email |
Must be a valid email address |
min:N |
Minimum length (string) or value (number) |
max:N |
Maximum length (string) or value (number) |
in:v1,v2 |
Must be one of the listed values |
numeric |
Must be numeric |
alpha |
Must contain only letters |
alpha_num |
Must contain only letters and numbers |