php-security

```shell
npx mdskill add HoangNguyen0403/agent-skills-standard/php-security
```


SKILL.md

.github/skills/php-security
---
name: php-security
description: PHP security standards for database access, password handling, and input validation. Use when securing PHP apps against SQL injection, XSS, or weak password storage.
metadata:
  triggers:
    files:
    - '**/*.php'
    keywords:
    - pdo
    - password_hash
    - htmlentities
    - filter_var
    - php security
    - sql injection
    - xss php
    - prepared statement
    - csrf
    - sanitize input
    - password storage
---
# PHP Security

## **Priority: P0 (CRITICAL)**

## Structure

```text
src/
└── Security/
    ├── Validators/
    └── Auth/
```

## Implementation Guidelines

- **Prepared Statements**: Use PDO with Parameterized Queries: `$stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id'); $stmt->execute([':id' => $id]);`. NEVER concatenate user input into SQL strings.
- **Password Hashing**: ALWAYS use **`password_hash()`** with **`PASSWORD_ARGON2ID`** (PHP 7.4+) or **`PASSWORD_BCRYPT`**.
- **Auth Verification**: Use `password_verify()`. Use `password_needs_rehash()` to upgrade legacy hashes. Implement Rate Limiting and MFA where appropriate.
- **XSS Escaping**: Use `htmlentities($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8')` or `htmlspecialchars()` on all user output. Prefer Twig or Blade for auto-escaping.
- **CSRF Protection**: Mandate **CSRF tokens** for all state-changing requests (`POST`, `PUT`, `PATCH`, `DELETE`).
- **Input Validation**: Use `filter_var($email, FILTER_VALIDATE_EMAIL)` or `filter_var($url, FILTER_VALIDATE_URL)`. Always whitelist allowed values.
- **File Security**: RESTRICT file uploads by **MIME type** and **extension**. Store uploads **outside public root**.
- **Session Safety**: Configure **`session.cookie_httponly = 1`**, **`session.cookie_secure = 1`**, and **`session.cookie_samesite = "Lax"`**.
- **Header Security**: Enforce **`Content-Security-Policy` (CSP)**, **`X-Frame-Options: DENY`**, and **`X-Content-Type-Options: nosniff`**.
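As an added example that is not part of the skill file or its references, a login handler that combines the PDO, password, CSRF, validation and escaping rules above. It assumes a `users(id, email, password_hash)` table, an already started session holding the form's CSRF token, and PHP built with Argon2 support:

```php
<?php
declare(strict_types=1);

// Added example, not from the skill: a login handler that applies the guidelines
// above. Assumes a users(id, email, password_hash) table, a started session, and
// PHP built with Argon2 support (use PASSWORD_BCRYPT otherwise).
const HASH_ALGO = PASSWORD_ARGON2ID;

function verifyCsrfToken(string $submitted): bool
{
    // Token was stored in the session when the form was rendered.
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && hash_equals($expected, $submitted);
}

function escapeHtml(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function login(PDO $pdo, array $post): ?int
{
    if (!verifyCsrfToken((string) ($post['csrf_token'] ?? ''))) {
        return null; // state-changing request without a valid CSRF token
    }
    // Validate before use: never forward raw $_POST values.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $password = (string) ($post['password'] ?? '');
    if ($email === false || $password === '') {
        return null;
    }
    // Prepared statement: the email travels as a bound parameter, never as SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null; // same outcome for unknown user and wrong password
    }
    // Transparently upgrade hashes made with an older algorithm or cost.
    if (password_needs_rehash($user['password_hash'], HASH_ALGO)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, HASH_ALGO), ':id' => $user['id']]);
    }
    session_regenerate_id(true); // fresh session id after authentication (anti-fixation)
    return (int) $user['id'];
}

// At render time, escape on output: echo 'Signed in as ' . escapeHtml($email);
```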

## Anti-Patterns

- **No SQL string concatenation**: Use PDO prepared statements only.
- **No MD5/SHA1 for passwords**: Use `password_hash($password, PASSWORD_ARGON2ID)`.
- **No raw `$_GET`/`$_POST`**: Validate all input with `filter_var()` first.
- **No production error display**: Log to file; never show to users.

## References

- [Secure Implementation Patterns](references/implementation.md)
