Security

In order to be a comprehensive security framework, MDSecurity has been built to mitigate several common PHP security vulnerabilities and attacks.

SQL-Injection

A SQL-Injection attack is an attempt by an individual to make your application or website execute extraneous SQL code by inserting it into an input field. In most cases this is done on a login form to gain access to the site; in the worst case the attacker can even erase your database tables.

To protect your site against SQL-Injection attacks, MDSecurity uses PHP Data Objects (PDO) to prepare and execute queries. By using PDO prepared statements with bound parameters, the library keeps user input separate from the SQL text, so it is never run as part of the query itself.

Session Fixation

A session fixation attack is an attempt by an individual to gain access to another user's account by choosing in advance the session id that the user will log in with. The most common way this happens is when you click a link to a site that carries a query parameter with the SID already set. If the site does not protect against this, then once the user logs in, the person who sent the URL can access the site with the same SID, because that session has now been authenticated.

The MDSecurity framework protects against Session Fixation by regenerating the session id when a user successfully logs into the site. It can additionally verify the user's IP address and browser agent on each request.
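The two defences just described, written out as an added example in plain PHP that is not MDSecurity's own code. The SessionGuard class and its method names are assumptions for illustration; the example also turns on PHP's strict session mode so that an id the server never issued (for example one supplied in a URL) is not accepted in the first place.

```php
<?php
// Added example (not MDSecurity's code): session fixation defences.
declare(strict_types=1);

// Refuse session ids that this server did not generate, and only read
// the id from the cookie, never from a query parameter.
ini_set('session.use_strict_mode', '1');
ini_set('session.use_only_cookies', '1');

final class SessionGuard // hypothetical helper, not a framework class
{
    // Call on every request after session_start(). Rejects a session whose
    // recorded client fingerprint no longer matches the current request.
    public static function validate(): bool
    {
        if (!isset($_SESSION['_fp'])) {
            return true; // no fingerprint recorded yet (not logged in)
        }
        if (!hash_equals($_SESSION['_fp'], self::fingerprint())) {
            $_SESSION = [];       // mismatch: discard the session entirely
            session_destroy();
            return false;
        }
        return true;
    }

    // Call immediately after the user's credentials have been verified.
    public static function onLoginSuccess(int $userId): void
    {
        // Replace the pre-authentication id and delete its old storage, so a
        // fixed id that the attacker knows is never the authenticated one.
        session_regenerate_id(true);
        $_SESSION['user_id'] = $userId;
        $_SESSION['_fp']     = self::fingerprint();
    }

    // Bind the session to the client's IP address and browser agent.
    private static function fingerprint(): string
    {
        $ip = $_SERVER['REMOTE_ADDR'] ?? '';
        $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
        return hash('sha256', $ip . '|' . $ua);
    }
}

session_start();
if (!SessionGuard::validate()) {
    http_response_code(403);
    exit('Session rejected');
}
// After the password check succeeds: SessionGuard::onLoginSuccess($userId);
```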

Packet Sniffing

Packet Sniffing is an attempt by an individual to read the underlying network traffic in order to obtain sensitive information, such as a user's login credentials.

MDSecurity supports and enables the use of customizable encryption algorithms, allowing you to encrypt users' passwords and information on the client side before submitting them to the server for processing. This complements, rather than replaces, transport-layer encryption such as TLS.

Shared Server Vulnerability

Web applications on a shared server are susceptible to other users on that server reading saved session information, because a default PHP install usually writes every user's session data to the same temporary directory.

MDSecurity has built-in Session Handler classes that let you easily change the session save path to a directory not shared with other users on the server, or save session information in a database table instead.