Shield, A Security-Minded PHP Microframework
github.comIt seems that Chris is just introducing this project to the community. Maybe there are flaws, I admit that I'm not the best one to judge that. But to focus on those flaws seems to miss the point.
Chris is trying to build a PHP framework where security is the prime consideration. To my knowledge, a project like this doesn't exist already. This is an open source project, and by Chris's own admission, a learning experience. This is an opportunity for the PHP community to have a discussion that is centered around the best way to solve the myriad of security issues that plague PHP frameworks and applications. The knowledge and experience generated from this project can be used to the benefit of other frameworks and applications in the PHP ecosystem.
I applaud Chris from undertaking this effort to challenge and improve his knowledge of web application security in a public way so that others may benefit from his experiences.
And shame on those who are trying to kill this project with negativity and condescension before it even starts.
While I'm not a PHP fan, I sincerely wish the average web developer were more security conscious and so I applaud the effort here. Having been the grouchy security guy on more projects than I can remember, I can attest that it's a thankless and tiresome job. The better you do, the less it will be appreciated.
> Filter values based on filter types (supported are: email, striptags)
Striptags is not a security tool, it is a presentation tool.
> Output filtering on all values (preventing XSS)
I'm still trying to figure out how you've implemented this.
Here is the escaping :
https://github.com/enygma/shieldframework/blob/master/Shield...
at this line :
$value = htmlspecialchars($value);
That could do with being mentioned in the README, a large part of the problem with PHP is developers not knowing what method to use to sanitise strings. After seeing striptags mentioned explicitly, I expected the worst.
He used DES for session security.
That's the worst.
Before anyone else brings it up, there are some issues with the session handler function. I'm working on a write-up and pull-request for them to fix the broken cryptography used there.
That's the least of the problems here.
Not every library can be saved.
I think it is possible to fix the DES thing without tearing the rest down...
Yes, let's all use a security framework by a guy who thinks DES is a good choice, and who openly admits that this is a learning experience for him, this security framework he's giving to others.
Clearly, if after it's pointed out that DES is a bad idea he still doesn't know why, but he also refuses to fix it or take it down, the rest of this should be trusted too.
Where did he refuse to fix it? I'm confused. I've talked with him directly, and we're in progress on a complete fix for that issue (the cryptography issues in the session class)...