Security API
The SLAED CMS Security API provides comprehensive protection against common web vulnerabilities including SQL injection, XSS, CSRF, and more.
Input Validation
SLAED CMS provides robust input validation through the getVar function and additional filtering functions:
// Reduce a string to a safe identifier: every character outside [a-zA-Z0-9_-] is dropped
function analyze($string) {
    return preg_replace('#[^a-zA-Z0-9_-]#', '', $string);
}
// XSS protection: encode for HTML text and quoted attribute contexts
function xss_clean($string) {
    return htmlspecialchars($string, ENT_QUOTES, 'UTF-8');
}
// Filter HTML content down to an allowed tag list.
// Caveat: strip_tags() keeps every attribute on the surviving tags, so <a href="javascript:...">
// and <img onerror="..."> pass through it unchanged. Do not rely on it alone for rich-text input.
function filter_html($html, $allowed_tags = '<p><br><strong><em><u><a><img><ul><ol><li>') {
    return strip_tags($html, $allowed_tags);
}
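The following is an added example, not SLAED CMS code: it shows what strip_tags() lets through (a copy of the page's filter_html named filter_html_naive) next to an allow-list filter built on DOMDocument that also controls attributes and URL schemes. The ALLOWED table, safe_url(), the element names and the payload are constructed for the demonstration.

```php
<?php
// Added example (not SLAED CMS code): strip_tags() versus an attribute-aware allow-list filter.

// Mirror of the page's filter_html(): tags are filtered, attributes are not.
function filter_html_naive(string $html): string {
    return strip_tags($html, '<p><br><strong><em><u><a><img><ul><ol><li>');
}

// Allowed elements and, per element, the attributes that may survive (assumed policy).
const ALLOWED = [
    'p' => [], 'br' => [], 'strong' => [], 'em' => [], 'u' => [],
    'ul' => [], 'ol' => [], 'li' => [],
    'a' => ['href', 'title'],
    'img' => ['src', 'alt', 'width', 'height'],
];
const URL_ATTRS = ['href', 'src'];

// Allow only http(s), mailto and relative URLs; javascript:, data:, vbscript: are rejected.
// The DOM has already decoded entities, so "&#106;avascript:" arrives here as "javascript:".
function safe_url(string $url): bool {
    // Browsers ignore control characters and spaces inside a scheme ("java\tscript:"), so do we.
    $probe = strtolower(preg_replace('/[\x00-\x20]+/', '', $url));
    if (preg_match('#^([a-z][a-z0-9+.-]*):#', $probe, $m)) {
        return in_array($m[1], ['http', 'https', 'mailto'], true);
    }
    return true; // relative URL
}

function filter_html_safe(string $html): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    // Wrap the fragment in a known root; the XML prolog forces UTF-8 decoding.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);
    sanitize_node($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitize_node(DOMNode $node): void {
    // Walk a snapshot: the child list is mutated while we iterate.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!array_key_exists($tag, ALLOWED)) {
                // Unknown element: keep its text like strip_tags() does, except for
                // elements whose content must never leak into the page.
                if (in_array($tag, ['script', 'style', 'iframe', 'object'], true)) {
                    $node->removeChild($child);
                } else {
                    unwrap($child);
                }
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                $bad = !in_array($name, ALLOWED[$tag], true)
                    || (in_array($name, URL_ATTRS, true) && !safe_url($attr->value));
                if ($bad) {
                    $child->removeAttribute($attr->name);
                }
            }
            sanitize_node($child);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child); // comments and processing instructions
        }
    }
}

// Replace an element by its (already sanitized) children.
function unwrap(DOMElement $el): void {
    sanitize_node($el);
    $parent = $el->parentNode;
    while ($el->firstChild) {
        $parent->insertBefore($el->firstChild, $el);
    }
    $parent->removeChild($el);
}

// Constructed attacker payload, not real user data.
$payload = '<p onmouseover="alert(1)">hi</p>'
         . '<a href="javascript:alert(2)">x</a>'
         . '<img src="x" onerror="alert(3)">'
         . '<script>alert(4)</script>';
echo filter_html_naive($payload), "\n"; // on* handlers and the javascript: href survive
echo filter_html_safe($payload), "\n";  // only the allowed tags and attributes remain
```

The naive output keeps the event handlers and the javascript: link because strip_tags() only looks at tag names; the DOM-based filter drops them and also removes the script element's body, which strip_tags() would have left as plain text.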
CSRF Protection
Cross-Site Request Forgery protection is implemented through token generation and verification:
// Generate CSRF token: one random token per session, created on first use
function generate_csrf_token() {
    if (!isset($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// Verify CSRF token in constant time; a missing or non-string token fails closed
// (hash_equals() throws a TypeError on null in PHP 8, so check the type first)
function verify_csrf_token($token) {
    return isset($_SESSION['csrf_token']) && is_string($token) && hash_equals($_SESSION['csrf_token'], $token);
}
// CSRF token form field (the token is hex, so it needs no attribute escaping)
function csrf_token_field() {
    return '<input type="hidden" name="csrf_token" value="'.generate_csrf_token().'">';
}
// Usage in forms
echo '<form method="post">';
echo csrf_token_field();
echo '<input type="text" name="title">';
echo '<input type="submit" value="Submit">';
echo '</form>';
// Verification in processing: check the token before any state change
if (!verify_csrf_token(getVar('post', 'csrf_token', 'text'))) {
    die('CSRF token verification failed');
}
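The page's scheme uses one token for the whole session. As an added example that is not SLAED CMS code, the block below extends it to tokens bound to a specific action and limited in time, derived by HMAC from a per-session secret so that nothing has to be stored per form. The function names, the TTL and the action strings are assumptions for the demonstration.

```php
<?php
// Added example (not SLAED CMS code): per-action, expiring CSRF tokens via HMAC.
// Assumes the session has been started; csrf_* names are hypothetical.

const CSRF_TTL = 3600; // seconds a token stays valid (assumed)

// Per-session key; the token itself never has to be stored.
function csrf_secret(): string {
    if (!isset($_SESSION['csrf_secret'])) {
        $_SESSION['csrf_secret'] = random_bytes(32);
    }
    return $_SESSION['csrf_secret'];
}

// Token = expiry . "." . HMAC-SHA256(secret, action|expiry)
function csrf_token_for(string $action, ?int $now = null): string {
    $exp = ($now ?? time()) + CSRF_TTL;
    $mac = hash_hmac('sha256', $action . '|' . $exp, csrf_secret());
    return $exp . '.' . $mac;
}

// $token is untyped on purpose: a missing field arrives as null and must fail, not throw.
function csrf_verify(string $action, $token, ?int $now = null): bool {
    if (!is_string($token) || !preg_match('/^(\d{1,12})\.([a-f0-9]{64})$/', $token, $m)) {
        return false; // malformed or missing
    }
    $exp = (int)$m[1];
    if ($exp < ($now ?? time())) {
        return false; // expired
    }
    $expected = hash_hmac('sha256', $action . '|' . $exp, csrf_secret());
    return hash_equals($expected, $m[2]); // constant-time comparison
}

function csrf_field(string $action): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token_for($action), ENT_QUOTES, 'UTF-8') . '">';
}

// Demonstration against a constructed in-memory session (no cookies involved).
$_SESSION = [];
$t = csrf_token_for('delete_post');
var_dump(csrf_verify('delete_post', $t));                        // same action, fresh token
var_dump(csrf_verify('edit_post', $t));                          // token minted for a different action
var_dump(csrf_verify('delete_post', $t, time() + CSRF_TTL + 1)); // clock moved past the expiry
var_dump(csrf_verify('delete_post', null));                      // field absent from the request
```

Binding the token to an action means a token leaked from a harmless form (for example through a Referer header on a GET form) cannot be replayed against a destructive endpoint, and the expiry bounds how long any leaked token is useful.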
Captcha Integration
Integration with Google reCAPTCHA for bot protection:
// Get captcha HTML. $level 2: always show; $level 1: only for guests; anything else: never.
// $conf['gfx_chk'] is the site-wide captcha switch.
function getCaptcha($level) {
    global $conf;
    if ($conf['gfx_chk'] >= '1' && ($level == 2 || ($level == 1 && !is_user()))) {
        // Google reCAPTCHA v3
        $html = '';
        $html .= '';
        $html .= '';
        return $html;
    }
    return '';
}
// Verify captcha with the same level logic, so a check is never demanded where no widget was shown
function checkCaptcha($level) {
    global $conf;
    if ($conf['gfx_chk'] >= '1' && ($level == 2 || ($level == 1 && !is_user()))) {
        $response = getVar('post', 'recaptcha', 'text');
        // Verify with Google API (server-side call to the siteverify endpoint)
        return verify_recaptcha($response);
    }
    return true;
}
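The page calls verify_recaptcha() but does not show it. The following is an added example of one way to implement it, not the SLAED CMS implementation. The siteverify endpoint and the success, score, action, hostname and error-codes fields are Google's documented reCAPTCHA v3 interface; $conf['recaptcha_secret'], $conf['site_host'], the 0.5 threshold and the sample responses are assumptions. The decision logic is split from the HTTP call so it can be exercised offline.

```php
<?php
// Added example (not SLAED CMS code): server-side reCAPTCHA v3 verification, failing closed.

const RECAPTCHA_VERIFY_URL = 'https://www.google.com/recaptcha/api/siteverify';

// Server-to-server call. Returns the decoded JSON, or null on any transport/parse failure.
function recaptcha_siteverify(string $secret, string $response, string $remoteip): ?array {
    $ch = curl_init(RECAPTCHA_VERIFY_URL);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'secret' => $secret, 'response' => $response, 'remoteip' => $remoteip,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 5,
        CURLOPT_SSL_VERIFYPEER => true, // the site secret travels over this channel; never disable
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    if ($body === false) {
        return null;
    }
    $json = json_decode($body, true);
    return is_array($json) ? $json : null;
}

// Decision logic: anything missing or unexpected counts as a bot.
function recaptcha_decide(?array $r, string $expected_action, string $expected_host, float $min_score): bool {
    if ($r === null || ($r['success'] ?? false) !== true) {
        return false; // API error, or token invalid / already used ("timeout-or-duplicate")
    }
    if (($r['action'] ?? null) !== $expected_action) {
        return false; // token obtained on a different form and replayed here
    }
    if (($r['hostname'] ?? null) !== $expected_host) {
        return false; // token minted for another site using the same site key
    }
    $score = $r['score'] ?? null;
    return is_numeric($score) && (float)$score >= $min_score;
}

// The function the page's checkCaptcha() calls. $conf keys are assumed names.
// Compare against the configured host, not $_SERVER['HTTP_HOST'], which the client controls.
function verify_recaptcha(string $response, string $action = 'submit', float $min_score = 0.5): bool {
    global $conf;
    if ($response === '') {
        return false; // empty field: do not spend an API call
    }
    $r = recaptcha_siteverify($conf['recaptcha_secret'], $response, $_SERVER['REMOTE_ADDR'] ?? '');
    return recaptcha_decide($r, $action, $conf['site_host'], $min_score);
}

// Constructed API responses (not real traffic) run through the decision logic.
$good        = ['success' => true,  'score' => 0.9, 'action' => 'submit', 'hostname' => 'example.com'];
$lowScore    = ['success' => true,  'score' => 0.1, 'action' => 'submit', 'hostname' => 'example.com'];
$wrongAction = ['success' => true,  'score' => 0.9, 'action' => 'login',  'hostname' => 'example.com'];
$failed      = ['success' => false, 'error-codes' => ['timeout-or-duplicate']];
foreach ([$good, $lowScore, $wrongAction, $failed, null] as $r) {
    var_dump(recaptcha_decide($r, 'submit', 'example.com', 0.5));
}
```

Only the first constructed response is accepted. Checking action and hostname matters because a v3 token is just a bearer value: without those checks a bot can harvest a high-score token from any page that uses the same site key and submit it to the protected form.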
XSS Protection
Multiple layers of XSS protection are implemented:
// HTML-escape values before they reach templates
$title = xss_clean($title);
// Content filtering for user-generated rich text (strip_tags based, so attributes are not filtered)
$filtered_content = filter_html($user_content);
// Output encoding at the point of rendering
echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');
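htmlspecialchars() is the right encoder only for HTML text and quoted attribute values; the same value placed inside a script block, a URL parameter or an href needs a different treatment. As an added example that is not SLAED CMS code, the block below shows one encoder per output context. The e_* helper names and the attacker strings are constructed for the demonstration.

```php
<?php
// Added example (not SLAED CMS code): context-specific output encoding.

// HTML text and double- or single-quoted attribute values.
function e_html(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Data embedded in a <script> block: JSON with the HTML-significant characters
// hex-escaped, so "</script>" or "<!--" inside the value cannot end the block.
function e_js(mixed $v): string {
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// A value that becomes one query-string parameter.
function e_url_param(string $s): string {
    return rawurlencode($s);
}

// A whole URL used in href/src: encoding cannot neutralise "javascript:", so the
// scheme is checked first and disallowed URLs are replaced, then attribute-encoded.
function e_href(string $url): string {
    $probe = strtolower(preg_replace('/[\x00-\x20]+/', '', $url)); // browsers skip these in a scheme
    if (preg_match('#^([a-z][a-z0-9+.-]*):#', $probe, $m)
        && !in_array($m[1], ['http', 'https', 'mailto'], true)) {
        $url = '#';
    }
    return e_html($url);
}

// Constructed attacker input.
$name = '"><script>alert(1)</script>';
$link = 'javascript:alert(document.cookie)';
$q    = 'a&b=c';

echo '<p>Hello ' . e_html($name) . '</p>', "\n";                    // HTML text
echo '<input value="' . e_html($name) . '">', "\n";                  // quoted attribute
echo '<script>var user = ' . e_js($name) . ';</script>', "\n";       // JS literal
echo '<a href="' . e_href($link) . '">profile</a>', "\n";            // URL attribute
echo '<a href="/search?q=' . e_url_param($q) . '">search</a>', "\n"; // query parameter
// Unquoted attributes (<input value=...>) have no safe encoder: always quote them.
```

The script-block case is the one most often missed: htmlspecialchars() would leave "</script>" intact because it does not touch the slash and the resulting entity-encoded string is not valid JavaScript anyway, whereas JSON encoding with the HEX flags produces a valid literal that cannot break out of the block.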
Session Security
Secure session management functions:
// Secure session initialization
function init_secure_session() {
    session_start();
    // Regenerate the session ID once, when the session is first used here, so an ID
    // that arrived from the client (session fixation) is never kept. Call
    // session_regenerate_id(true) again on login and other privilege changes.
    if (!isset($_SESSION['initiated'])) {
        session_regenerate_id(true);
        $_SESSION['initiated'] = true;
    }
    // IP address validation. An exact match logs out users whose address changes
    // (mobile networks, load-balanced proxies); treat this as a trade-off, not a free check.
    if (isset($_SESSION['user_ip']) && $_SESSION['user_ip'] !== getIp()) {
        $_SESSION = []; // clear the in-memory data as well as the stored session
        session_destroy();
        return false;
    }
    $_SESSION['user_ip'] = getIp();
    // User agent validation (trivial to spoof, but catches careless session reuse)
    if (isset($_SESSION['user_agent']) && $_SESSION['user_agent'] !== getUserAgent()) {
        $_SESSION = [];
        session_destroy();
        return false;
    }
    $_SESSION['user_agent'] = getUserAgent();
    return true;
}
// Set secure cookies
setCookies($name, $value, $expire_time);
// Get client IP address
$ip = getIp();
// Get user agent
$user_agent = getUserAgent();
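The page's init_secure_session() leaves cookie flags, strict mode, timeouts and periodic ID rotation to the caller. As an added example that is not SLAED CMS code, the block below is a hardened variant meant to be included at the start of every request. The cookie options, session.use_strict_mode and session_regenerate_id() are standard PHP; the timeout values, the /24 and /64 network comparison, on_login() and the client_ip()/client_ua() helpers (stand-ins for the page's getIp()/getUserAgent()) are assumptions.

```php
<?php
// Added example (not SLAED CMS code): hardened session start for a web request.

const SESSION_IDLE_TIMEOUT = 1800;     // 30 min without a request (assumed)
const SESSION_MAX_LIFETIME = 8 * 3600; // 8 h regardless of activity (assumed)
const SESSION_ROTATE_EVERY = 900;      // rotate the ID every 15 min (assumed)

// Stand-ins for the CMS's getIp()/getUserAgent().
function client_ip(): string { return $_SERVER['REMOTE_ADDR'] ?? ''; }
function client_ua(): string { return $_SERVER['HTTP_USER_AGENT'] ?? ''; }

// Compare only the /24 (IPv4) or /64 (IPv6): mobile and load-balanced clients move
// between nearby addresses, so an exact match logs legitimate users out.
function same_network(string $a, string $b): bool {
    $pa = @inet_pton($a);
    $pb = @inet_pton($b);
    if ($pa === false || $pb === false || strlen($pa) !== strlen($pb)) {
        return false;
    }
    $bytes = strlen($pa) === 4 ? 3 : 8;
    return substr($pa, 0, $bytes) === substr($pb, 0, $bytes);
}

// Destroy the server-side session AND expire the cookie, so the browser stops sending the old ID.
function destroy_session(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires' => time() - 42000, 'path' => $p['path'], 'domain' => $p['domain'],
            'secure' => $p['secure'], 'httponly' => $p['httponly'], 'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

function init_secure_session(): bool {
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued (fixation)
    ini_set('session.use_only_cookies', '1'); // never accept a session ID from the URL
    session_set_cookie_params([
        'lifetime' => 0, 'path' => '/', 'domain' => '',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax',
    ]);
    session_start();
    $now = time();

    if (!isset($_SESSION['created'])) {
        session_regenerate_id(true);
        $_SESSION['created'] = $_SESSION['rotated'] = $_SESSION['last_seen'] = $now;
        $_SESSION['user_ip'] = client_ip();
        $_SESSION['user_agent'] = client_ua();
        return true;
    }

    $expired = ($now - $_SESSION['last_seen'] > SESSION_IDLE_TIMEOUT)
            || ($now - $_SESSION['created'] > SESSION_MAX_LIFETIME);
    $hijacked = !same_network($_SESSION['user_ip'], client_ip())
             || $_SESSION['user_agent'] !== client_ua();
    if ($expired || $hijacked) {
        destroy_session();
        return false;
    }

    if ($now - $_SESSION['rotated'] > SESSION_ROTATE_EVERY) {
        session_regenerate_id(true); // shrinks the window in which a stolen ID stays useful
        $_SESSION['rotated'] = $now;
    }
    $_SESSION['last_seen'] = $now;
    return true;
}

// Call after a successful login: a fresh ID on privilege change is what actually defeats fixation.
function on_login(int $user_id): void {
    session_regenerate_id(true);
    $_SESSION['uid'] = $user_id;
    $_SESSION['rotated'] = time();
}
```

The samesite=Lax cookie also gives a second line of defence for the CSRF checks above, since cross-site POST requests then arrive without the session cookie at all; it does not replace the token, because same-site subdomains and top-level GET navigations are still sent with it.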
The Security API helps protect SLAED CMS applications against the most common web vulnerabilities while maintaining ease of use for developers, provided the functions above are applied consistently at every input and output point.