zsp/everything-claude-code
1
0
Fork 0
mirror of https://github.com/affaan-m/everything-claude-code.git synced 2026-03-31 06:03:29 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
dba4c462c468caa711d4064b99f2552fd95f722c
everything-claude-code/rules/php/security.md
Affaan Mustafa ed366bddbb feat: add php rule pack
2026-03-10 21:10:26 -07:00

1.3 KiB
Raw Blame History

paths
paths
**/*.php
**/composer.lock
**/composer.json

PHP Security

This file extends common/security.md with PHP specific content.

Input and Output

  • Validate request input at the framework boundary (FormRequest, Symfony Validator, or explicit DTO validation).
  • Escape output in templates by default; treat raw HTML rendering as an exception that must be justified.
  • Never trust query params, cookies, headers, or uploaded file metadata without validation.

Database Safety

  • Use prepared statements (PDO, Doctrine, Eloquent query builder) for all dynamic queries.
  • Avoid string-building SQL in controllers/views.
  • Scope ORM mass-assignment carefully and whitelist writable fields.

Secrets and Dependencies

  • Load secrets from environment variables or a secret manager, never from committed config files.
  • Run composer audit in CI and review new package maintainer trust before adding dependencies.
  • Pin major versions deliberately and remove abandoned packages quickly.

Auth and Session Safety

  • Use password_hash() / password_verify() for password storage.
  • Regenerate session identifiers after authentication and privilege changes.
  • Enforce CSRF protection on state-changing web requests.
Reference in New Issue View Git Blame Copy Permalink