Skip to content

Security

Laureano F. Lamonega edited this page Jul 17, 2026 · 1 revision

Security

XSS Prevention

The template engine auto-escapes {{ }} output using htmlspecialchars() with ENT_QUOTES and UTF-8 encoding. Only {{{ }}} emits raw, trusted HTML.

When writing native PHP views, always escape user-facing data:

<?= e($user->name) ?>

SQL Injection Prevention

Prepared Statements

All query values use PDO prepared statements with ? placeholders:

DB::table('users')->where('email', 'user@example.com')->get();
// SQL: SELECT * FROM users WHERE email = ?

Identifier Whitelist

Column and table names passed to where(), orWhere(), join(), orderBy(), groupBy(), having(), increment(), and decrement() are validated against a strict whitelist:

^[a-zA-Z_][a-zA-Z0-9_]*(?:\.[a-zA-Z_][a-zA-Z0-9_]*)*$

Only developer-controlled values should be passed to select() and aggregate functions — they are not validated.

CSRF Protection

  • Token stored server-side in the session
  • Timing-safe comparison via hash_equals()
  • Middleware returns HTTP 419 on mismatch
  • Safe methods (GET, HEAD, OPTIONS) pass through

See Sessions & CSRF for details.

Response Security Headers

The framework sends these headers by default:

X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN

Validation

Controller validation returns only validated fields — no raw input leaks through. The 8 built-in rules cover common cases:

Rule Description
required Field must be present and non-empty
email Must be a valid email address
min:N Minimum length (string) or value (number)
max:N Maximum length (string) or value (number)
in:v1,v2 Must be one of the listed values
numeric Must be numeric
alpha Must contain only letters
alpha_num Must contain only letters and numbers

Clone this wiki locally