AppSec Blog

What should be part of a PHP Streetfighter API

For my own PHP work, I am using a relatively nimble but effective set of libraries. They have shown to be effective, but are in need of a "redo. " I released pieces of it in the past, but none of it is actually terribly useful to the public as it is written for me/by me.

Last week, I received some code that someone wrote for us, which is in bad need of a simple API like that to make it workable (= "secure"). So I am thinking about about wrapping up a "PHP Streetfighter API". Here are some initial thoughts:

  • Can't take more then 24 hrs to write
  • A coder should be able to understand / use it in less then 1 hr
  • should force the coder to use prepared statements, proper input validation and avoid XSS
  • maybe some protection against XSRF
  • maybe some anti-pentesting / honeytoken features

Can this be done? Should I add more to it? Anybody interested in using something like this? This isn't supposed to replace more complete efforts like the OWASP ESAPI, but instead rather provide something for the myriads of "non enterprise coders" who produce tons of crappy code daily. It also shouldn't be too hard to "retrofit" an existing application with this API.

What do you think... makes sense? Am I nuts? Want to use it?


Posted December 14, 2009 at 11:14 PM | Permalink | Reply

Nathan Christiansen

I think it would be difficult to try to get it so that non-enterprise coders can understand what to do without a cookbook approach to documentation.
For instance:
if you are taking any information using a form do this in your form: [API Code Call]
Then when you are checking form values put this code at the top: [API Code Call]
We have started new programming using PHP instead of the PERL that our old sites are using.
I would be interested in using it. Especially if it includes defense against reflected cross site scripting.
Would you open-source it? Take submissions for enhancements?
I still haven't researched if you can extend super-globals like $_REQUEST, $_GET, or $_POST. Maybe using closures''.

Posted December 15, 2009 at 12:16 AM | Permalink | Reply


I think something like that would be extremely useful. It should probably include or be linkable to a data-abstraction layer so that it is easy to combine with any type of database, even though probably 95%+ of personal coders will be using MySQL. Where I work, we're in the process of building our own set of security includes that go on every page and are used to validate all the data that is passed either in forms or out of the database and back to the user. It's quite the project, though, when you're trying to retrofit 10 years worth of development.

Posted December 15, 2009 at 3:13 AM | Permalink | Reply


I'd be curious to see it. It would be nice to have a simple set of wrappers to help do some of security work.

Post a Comment


* Indicates a required field.