Security Precautions

A number of security precautions are built into the ZN Framework. Several mechanisms protect against attacks delivered through forms and against attacks carried in URLs.


# Section Headings

# Form
# Database
# Request
# Session & Cookie
# Security Library


# URL Security

You can specify which characters are to be filtered out of data transmitted via the URL. The following configuration file holds the relevant settings; add the characters you want blocked to the urlChangeChars array below.

File: Settings/Security.php
'urlChangeChars' =>
[
    '<'  => '',
    '>'  => '',
    "'"  => '',
    '"'  => '',
    ':[' => 'badrequest'
]

Each key in this map is replaced with its value before the URL segment reaches your code: the single characters map to an empty string, so they are removed, while the sequence :[ is rewritten to the literal string badrequest. This lets you decide which characters may travel in a URL at all. Keep in mind that it is a blocklist: it strips a few dangerous characters but does not make the surviving value safe to place unquoted in SQL or HTML, so treat it as defense in depth alongside the Database and Form measures below.

The following shows how an injection attempt carried in a URL segment is handled. Suppose the id segment of the URL carries the value 1' or 1 = 1:

echo URI::get('id');
Output: 1 or 1 = 1

Notice that the tick (') has been stripped because it is listed in urlChangeChars. The rest of the payload survives, however: if this value were concatenated into a query against a numeric column, 1 or 1 = 1 would still be valid SQL, which is why the Database library's value binding described below is still required.


# Form Security

Form security concerns the handling of POST and GET data submitted from forms. ZN provides libraries for this. Instead of reading form data from the classic superglobals $_POST and $_GET, use the Method::get() and Method::post() methods provided by ZN: they convert the HTML special characters in the submitted data into entities.

Method::post('secure', '<script>alert(1)</script>');
echo Method::post('secure');
Output: &lt;script&gt;alert(1)&lt;/script&gt;

As you can see, the HTML characters are converted, so a browser shows the tag as text instead of executing it. The library passes the data arriving from the client through this filter before handing it to you. Note that entity encoding protects HTML body and quoted-attribute contexts only; values placed in unquoted attributes, in JavaScript or in URLs need context-specific encoding.
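The reflected-XSS sink that Method::post() is meant to close, written as an added example in plain PHP (this is not ZN Framework code): it contrasts echoing a raw $_POST value with entity-encoding it, and adds the unquoted-attribute case that encoding alone does not cover. The request body is constructed, and the function names are illustrative.

```php
<?php
// Added example, not ZN Framework code: the reflected-XSS sink that
// Method::post() closes, shown as plain PHP so the effect of encoding
// can be seen without a ZN installation. The request body is constructed.

/** Constructed stand-in for $_POST. */
$post = ['secure' => '<script>alert(1)</script>'];

/** Unsafe: the raw value is echoed straight into the page, which is what
 *  happens when code reads $_POST directly. */
function renderUnsafe(array $post): string
{
    return '<p>Hello ' . ($post['secure'] ?? '') . '</p>';
}

/** Hardened: entity-encode for an HTML body context. ENT_QUOTES also
 *  encodes the single quote, which the default flags leave untouched;
 *  ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''. */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSafe(array $post): string
{
    return '<p>Hello ' . escapeHtml($post['secure'] ?? '') . '</p>';
}

/** Context caveat: entity encoding only protects a quoted HTML context.
 *  In an unquoted attribute a space ends the attribute value, so an
 *  onmouseover= token becomes a live event handler even though
 *  <, >, ' and " have all been encoded (none of them appear here). */
function renderUnquotedAttribute(array $post): string
{
    return '<input value=' . escapeHtml($post['secure'] ?? '') . '>';
}

echo renderUnsafe($post), PHP_EOL;
echo renderSafe($post), PHP_EOL;
echo renderUnquotedAttribute(['secure' => 'x onmouseover=alert(1)']), PHP_EOL;
```

With the constructed body, the unsafe renderer emits the script tag verbatim and a browser executes it, while the hardened renderer emits entities that render as literal text. The third call shows why the encoding Method::post() applies is necessary but not sufficient: always quote attribute values, and use a JavaScript- or URL-specific encoder when a value lands in those contexts.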


# Database Security

The ZN Framework's Database library builds a number of security measures into its internal structure: values passed through ZN's own query-builder methods are filtered, so such queries are not open to injection. If you write raw queries, however, you have to take those precautions yourself. The details are in the Database library documentation, but a short example is useful here.

Secure Query

DB::where('column', $data)->get('table')->result();

In the method above, the $data parameter is passed through the library's injection filter before it is placed in the query.

DB::secure(['x:' => $data])
  ->query('SELECT * FROM table WHERE column = x:')->result();

Here $data is again passed through the required security filter before it replaces the x: placeholder, so the raw query becomes a safe one.

Unsafe Query

DB::query('SELECT  * FROM table WHERE column = ' . $data)->result();

Nothing in the method above checks $data: whatever the user sent is concatenated straight into the SQL. Write it with DB::where() or DB::secure() as shown under Secure Query instead.

INT Conversion ( ZN >= 4.2.6 )

For columns that should only receive numeric values, such as an ID, the value can be forced to an integer (in the stated version and later) by prefixing the column name with int: in the first parameter, in the form int:column.

echo DB::where('int:id', 'test')->getString('ExampleTable');
Output: SELECT * FROM ExampleTable WHERE id = 0

As the output shows, the value for a column prefixed with int: is converted to a number even when it is not numeric: the non-numeric string 'test' became 0, so it can never turn into SQL.


# Request Security

To reject requests that should only arrive via AJAX, add the following check at the top of the page (controller method) that serves the AJAX endpoint; when the request is not an AJAX request, stop processing there.

if( Http::isAjax() === false )
{
    // Not an AJAX request: stop here (for example, show an error or redirect).
    exit;
}

Checks of this kind are based on the X-Requested-With request header sent by XMLHttpRequest, and any HTTP client can set that header, so treat the guard as a filter against accidental direct browsing rather than as authentication or CSRF protection.

There is also a configuration setting that blocks invalid requests arriving via GET or POST (invalid URLs and invalid submissions).

Version: ( ZN >= 4.2.5 )
File: Config/Routing.php
'invalidRequest' =>
[
    'control'    => true,
    'page'       => '',
    'allowPages' => []
]

With 'control' => true these requests are blocked. Pages that should not be blocked can be listed as exceptions in the allowPages setting. To avoid an error page when an invalid request occurs, set page to a valid controller/function path and the request is redirected there instead.


# Session Cookies and Security

The keys under which session and cookie data are stored are encrypted by default; the configuration settings for this are in the Config/Routing.php file. As an extra measure, the session ID is regenerated on every page request, which narrows the window for session fixation and replay; be aware that regenerating on every request can race with several concurrent requests (for example multiple AJAX calls in flight at once), so test AJAX-heavy pages with it enabled. The session and cookie values themselves can also be encrypted if desired. See the Session and Cookie documentation for details.