Skip to content

4. Protective measures

Alexander edited this page Mar 3, 2023 · 2 revisions

To improve the security of the web application, we use the following types of protection:


Validation.

All incoming POST/GET/SERVER requests are validated using filter_input. At the same time, unsafe characters are simultaneously replaced with their html entities using FILTER_SANITIZE_SPECIAL_CHARS
See: https://github.com/musicman3/eMarket/blob/master/src/eMarket/model/eMarket/Core/Valid.php


Filtering the output.

All data that we receive from the database goes through a filtering process. This is necessary to protect against XSS, LFI and other types of attacks.
See: Func::outputDataFiltering() https://github.com/musicman3/eMarket/blob/master/src/eMarket/model/eMarket/Core/Pdo.php


Prepared queries.

In addition, prepared queries for PDO are used. This eliminates SQL injection attacks.


CSRF protection.

To protect against CSRF attacks, we use a system with validation through CSRF tokens. To add, change or delete any data, only POST requests with CSRF tokens are used. GET requests are used only for navigation and receiving data through routing.


Substitution of order data.

We also use validation by hashing the data and comparing it to the originals when completing an order. This allows you to close the order data spoofing attack.


Passwords and hashing.

We use irreversible hashing to store passwords in a database. Even having obtained the hash, an attacker will not be able to gain access to the password because we are using modern hashing methods using the password_hash function and the PASSWORD_BCRYPT/PASSWORD_ARGON2I algorithms.
See: eMarket/Core/Autorize::passwordHash()


$_SESSION instead of COOKIE.

We do not use cookies to store important user data, as in this case important data is stored on the client side. This can pose a security risk. Therefore, all important user data and shopping cart data is stored in sessions on the server side. This increases the security of the application.


Note: Application security is also affected by server settings. The server settings are not related to the application code, and therefore you need to consult with a server security specialist or investigate the issue yourself.

If you find any security issues with the application, please contact us or submit a report. This will allow us to take action in time and release the patch. Together we can make the app better.