phpClick

Security Implementation

Since phpClick will be used to create many individual web applications, security is a very important concern. Although the current version takes first steps, phpClick's code is far from meeting current security standards.

Do not use the current version in a production environment!

Version 1.0 will be the first version thoroughly tested for potential security vulnerabilities and recommended for production.

Protection from SQL injection

In the current code base we use input escaping wherever we construct SQL statements from parameters that come from user input. However, we may have overlooked some places.
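To make the difference concrete, here is an added example (not phpClick's own code) that puts the escaping approach described above next to a prepared statement. It uses an in-memory SQLite database through PDO so it runs without a MySQL server; the PDO calls are the same against MySQL. The `pages` table and its rows are constructed for the example.

```php
<?php
// Added example, not phpClick's own code. In-memory SQLite via PDO so it
// runs offline; the same PDO API is used for MySQL. The "pages" table and
// its contents are constructed for this demonstration.

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT NOT NULL)");
    $db->exec("INSERT INTO pages (title) VALUES ('Home'), ('Lee''s Page')");
    return $db;
}

// Escaping approach (what the text describes): the value is escaped and
// quoted, then interpolated into the SQL text. This is only safe if it is
// done at EVERY interpolation point; one overlooked spot is an injection.
function findByTitleEscaped(PDO $db, string $title): ?array
{
    $sql = "SELECT id, title FROM pages WHERE title = " . $db->quote($title);
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Prepared statement: the value travels separately from the SQL text, so
// quotes or comment sequences inside $title cannot change the query.
function findByTitlePrepared(PDO $db, string $title): ?array
{
    $stmt = $db->prepare("SELECT id, title FROM pages WHERE title = :title");
    $stmt->execute([':title' => $title]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Numeric slots are a frequent blind spot: string escaping does nothing
// for an unquoted integer, so validate the type before it reaches SQL.
function findById(PDO $db, string $rawId): ?array
{
    if (!ctype_digit($rawId)) {
        return null;                       // reject anything that is not a plain integer
    }
    $stmt = $db->prepare("SELECT id, title FROM pages WHERE id = :id");
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

$db = openDemoDb();
var_dump(findByTitleEscaped($db, "Lee's Page"));   // the apostrophe is data, not syntax
var_dump(findByTitlePrepared($db, "Lee's Page"));  // same row, no escaping needed
var_dump(findById($db, "1 OR 1=1"));               // NULL: rejected before any SQL is built
```

The practical lesson for a code base that "may have overlooked some" places is that prepared statements fail safe: a forgotten `quote()` call is silent, whereas a placeholder that is never bound raises an error.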

Protection from Code injection

Since phpClick is a code generator that creates and executes PHP code, one of the biggest risks is that a malicious user injects PHP code into a constructed page, e.g. to steal passwords. We have started to filter user input for PHP tags but have not yet finished this process.

For future versions of phpClick we want to use code sandboxing, perhaps using PHP's safe_mode, the open_basedir directive, etc., in order to confine individual applications to their own directories. Currently this is not the case.
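The following added example (not phpClick's own code) shows why filtering PHP tags is only a secondary defence for a generator: the root problem is splicing raw user input into source text. The unsafe and safe generators, the page title and the hostile input are all constructed for the example. One caveat on the paragraph above: safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, so of the two mechanisms named only open_basedir remains available, and it is set per virtual host or directory in the server configuration rather than from the generated code.

```php
<?php
// Added example, not phpClick's own code. Shows two ways a generator can
// place a user-supplied value into the PHP source it writes out, plus two
// checks. All inputs below are constructed for the demonstration.

// Unsafe: the raw value is spliced into source text. Whatever the user
// typed becomes PHP syntax, so a value containing a quote and "?>" can
// leave the string literal and continue as code.
function generateUnsafe(string $pageTitle): string
{
    return "<?php\n\$title = \"$pageTitle\";\necho htmlspecialchars(\$title);\n";
}

// Safe: the value is emitted as a PHP string literal produced by
// var_export(), which escapes quotes and backslashes. The generated file
// then contains data in a literal, never user-written syntax.
function generateSafe(string $pageTitle): string
{
    $literal = var_export($pageTitle, true);
    return "<?php\n\$title = $literal;\necho htmlspecialchars(\$title);\n";
}

// Input filter, as the text describes: refuse anything that looks like a
// PHP open tag. Deliberately broad (it also catches "<?xml"); treat it as
// defence in depth, not as the primary protection.
function containsPhpTag(string $input): bool
{
    return preg_match('/<\?(php|=)?/i', $input) === 1;
}

// Check generated source WITHOUT executing it: a well-formed single-block
// file has exactly one open tag, so a second one means input became code.
function countOpenTags(string $source): int
{
    $n = 0;
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok) && ($tok[0] === T_OPEN_TAG || $tok[0] === T_OPEN_TAG_WITH_ECHO)) {
            $n++;
        }
    }
    return $n;
}

$benign = "Welcome page";
$tricky = "x\"; ?><?php echo 'injected'; ?>";      // constructed hostile input

echo countOpenTags(generateUnsafe($tricky)), "\n"; // 2: the input became code
echo countOpenTags(generateSafe($tricky)), "\n";   // 1: it stayed a string literal
var_dump(containsPhpTag($tricky));                 // bool(true)  -> filter would reject it
var_dump(containsPhpTag($benign));                 // bool(false)
```

Running `countOpenTags()` over every file the generator writes, before the file is ever included, is a cheap regression check that does not depend on the filter being complete.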

Database sandboxing

Each web application constructed with phpClick has its own MySQL database, MySQL user ID and MySQL password in order to introduce a layer of data sandboxing. Furthermore, this enables users to run custom PHP code on a different server that works with the data in the application's MySQL database (if anybody wants to do that).

More importantly, in the near future we plan to support user-defined PHP code that can be inserted into the code generator, as well as a code-view feature that lets the developer see the generated code (including the application's own MySQL user ID and password).
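Because the code-view feature will show each application's MySQL credentials to its developer, the privileges attached to that account bound what anyone who reads the generated code can do with the database. The added example below (not phpClick's own code) builds the provisioning statements for one application's private database and account and returns them instead of executing them, so it runs without a server. The `appdb_`/`appuser_` prefixes, the `localhost` host and the privilege set are assumptions.

```php
<?php
// Added example, not phpClick's own code. Produces the statements that
// provision one application's private MySQL database and account. The
// name prefixes, host and privilege list are assumptions for the example.

// MySQL cannot bind identifiers (database or user names) as statement
// parameters, so they must pass a strict allow-list before they are
// placed in the statement text.
function assertIdentifier(string $name): string
{
    if (!preg_match('/^[a-z][a-z0-9_]{0,31}$/', $name)) {
        throw new InvalidArgumentException("bad identifier: $name");
    }
    return $name;
}

// 24 bytes from the CSPRNG (192 bits), base64url-encoded. The result
// contains only [A-Za-z0-9_-], so it can be quoted without escaping.
function newAppPassword(): string
{
    return rtrim(strtr(base64_encode(random_bytes(24)), '+/', '-_'), '=');
}

// One database and one account per application, with data-access rights
// on that database only: no FILE, no SUPER, no GRANT OPTION, and nothing
// on other applications' databases or on mysql.*. If the generated
// application must manage its own schema, add CREATE, ALTER and DROP on
// `$db`.* only, never globally.
function provisionStatements(string $appSlug): array
{
    $slug = assertIdentifier($appSlug);
    $db   = "appdb_$slug";
    $user = "appuser_$slug";
    $pw   = newAppPassword();

    return [
        'database'   => $db,
        'user'       => $user,
        'password'   => $pw,
        'statements' => [
            "CREATE DATABASE `$db` CHARACTER SET utf8mb4",
            "CREATE USER '$user'@'localhost' IDENTIFIED BY '$pw'",
            "GRANT SELECT, INSERT, UPDATE, DELETE ON `$db`.* TO '$user'@'localhost'",
        ],
    ];
}

$app = provisionStatements('shop');                // constructed application name
foreach ($app['statements'] as $sql) {
    echo $sql, ";\n";
}

try {
    provisionStatements('shop; drop database x');  // rejected by the identifier check
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

With this privilege set, disclosure of one application's credentials through code-view limits the damage to that application's own tables, which is exactly the layer of data sandboxing the section describes.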

http://phpclick.sourceforge.net/
Last modified: September 16, 2004