

Shield, A Security-Minded PHP Microframework - enygmadae
https://github.com/enygma/shieldframework

======
nickasloan
It seems that Chris is just introducing this project to the community. Maybe
there are flaws, I admit that I'm not the best one to judge that. But to focus
on those flaws seems to miss the point.

Chris is trying to build a PHP framework where security is the prime
consideration. To my knowledge, a project like this doesn't exist already.
This is an open source project, and by Chris's own admission, a learning
experience. This is an opportunity for the PHP community to have a discussion
that is centered around the best way to solve the myriad of security issues
that plague PHP frameworks and applications. The knowledge and experience
generated from this project can be used to the benefit of other frameworks and
applications in the PHP ecosystem.

I applaud Chris for undertaking this effort to challenge and improve his
knowledge of web application security in a public way so that others may
benefit from his experiences.

And shame on those who are trying to kill this project with negativity and
condescension before it even starts.

------
alinajaf
While I'm not a PHP fan, I sincerely wish the average web developer were more
security conscious and so I applaud the effort here. Having been the grouchy
security guy on more projects than I can remember, I can attest that it's a
thankless and tiresome job. The better you do, the less it will be
appreciated.

------
Kudos
> Filter values based on filter types (supported are: email, striptags)

Striptags is not a security tool, it is a presentation tool.

> Output filtering on all values (preventing XSS)

I'm still trying to figure out how you've implemented this.

~~~
jarnix
Here is the escaping:

[https://github.com/enygma/shieldframework/blob/master/Shield...](https://github.com/enygma/shieldframework/blob/master/Shield/View.php)

at this line:

    $value = htmlspecialchars($value);
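
The escaping line above, as an added example that is not Shield's own code: it contrasts a bare htmlspecialchars() call with an escaper that passes explicit flags and charset, and shows why strip_tags() (the "striptags" filter mentioned in the README) is a presentation function rather than an escaping one. The function name escapeHtml and the sample string are assumptions made for this example.

```php
<?php
// Added example, not code from Shield/View.php: compares the bare
// htmlspecialchars() call used there with an explicit-flag escaper, and
// shows that strip_tags() leaves HTML-significant characters untouched.

declare(strict_types=1);

/** Escape a value for insertion into HTML text or a quoted attribute. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES: escape both " and ' (before PHP 8.1 the default flags
    //             leave the single quote alone, which matters inside
    //             single-quoted attributes)
    // ENT_SUBSTITUTE: replace invalid UTF-8 sequences instead of returning
    //             an empty string, so a malformed value cannot blank a page
    // 'UTF-8': state the charset explicitly rather than relying on ini settings
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample value containing characters that are meaningful to HTML.
$sample = "Tom & Jerry's \"great\" <b>show</b>";

$rows = [
    'htmlspecialchars() default flags' => htmlspecialchars($sample),
    'escapeHtml() (ENT_QUOTES)'        => escapeHtml($sample),
    'strip_tags() (presentation only)' => strip_tags($sample),
];

// strip_tags() removes the <b> tags but keeps &, ' and " as-is, so its output
// is still not safe to place inside an HTML attribute or element unescaped.
foreach ($rows as $label => $out) {
    printf("%-34s %s\n", $label . ':', $out);
}
```

Run it under a pre-8.1 and an 8.1+ PHP to see the single-quote difference between the first two rows; the strip_tags() row is identical on both.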

~~~
Kudos
That could do with being mentioned in the README; a large part of the problem
with PHP is developers not knowing what method to use to sanitise strings.
After seeing striptags mentioned explicitly, I expected the worst.

~~~
JohnHaugeland
He used DES for session security.

That's the worst.

~~~
Kudos
[https://github.com/enygma/shieldframework/commit/44d9fc7e981...](https://github.com/enygma/shieldframework/commit/44d9fc7e9814f18f184c19a7858f831d1f01962c)

------
ircmaxell
Before anyone else brings it up, there are some issues with the session
handler function. I'm working on a write-up and pull-request for them to fix
the broken cryptography used there.

~~~
JohnHaugeland
That's the least of the problems here.

Not every library can be saved.

~~~
slurgfest
I think it is possible to fix the DES thing without tearing the rest down...

------
JohnHaugeland
Yes, let's all use a security framework by a guy who thinks DES is a good
choice, and who openly admits that this is a learning experience for him, this
security framework he's giving to others.

Clearly, if after it's pointed out that DES is a bad idea he still doesn't
know why, but he also refuses to fix it or take it down, the rest of this
should be trusted too.

~~~
ircmaxell
Where did he refuse to fix it? I'm confused. I've talked with him directly,
and we're in progress on a complete fix for that issue (the cryptography
issues in the session class)...

