Preventing SQL Injection in PHP

SQL injection is a vulnerability that allows an attacker to insert or inject a SQL query into an application. Injection is the number one vulnerability on the OWASP Top Ten list for 2013. Common ways to exploit this vulnerability are adding a SQL statement to a form field or sending POST/GET requests that carry the query in known parameters. The risk of SQL injection is loss or compromise of critical or sensitive data. more…


Override Symfony 2 Form Element Twig Template

It is possible to change the way a form element is rendered in a Symfony 2 project by overriding the Twig template. You can do this on a per-form basis by including the form element’s block right in your view, or you can make the change application-wide. more…


Define a Symfony 2 Form as a Service

Register a form as a service in Symfony 2

If you use the Symfony 2 form builder and create your form types as classes, then you may already know that you can define those form types as services and call them in your controller. That process is well documented in The Book, and works very well. I have an alternative solution more…


Adding an AJAX Login Form to a Symfony Project

Adding an AJAX-powered login form to a Symfony 2 project is pretty simple, but there are a few things to cover. The first is that the Symfony firewall handles authentication by sending a form to the route defined in app/config/security.yml as the check_path for the firewall. So to log in using AJAX, a form needs to be posted to that route along with a few fields: _username, _password, _remember_me and, if you’ve enabled CSRF for your form, the _csrf_token field. more…


Implementing CSRF Protection in PHP

CSRF protection for forms is easy to implement in PHP

Cross-site request forgery [CSRF] is a type of attack where a user is tricked or forced into performing an unwanted action on a trusted website they are authenticated with. For example, if a user is logged into their bank and then visits a malicious site, the malicious site may be able to use the user’s session to make requests to the bank server. more…