For my own PHP work, I am using a relatively nimble but effective set of libraries. They have proven effective, but are in need of a “redo.” I released pieces of it in the past, but none of it is actually terribly useful to the public, as it is written for me/by me.
Last week, I received some code that someone wrote for us, which is in bad need of a simple API like that to make it workable (= “secure”). So I am thinking about wrapping up a “PHP Streetfighter API”. Here are some initial thoughts:
- Can’t take more than 24 hrs to write
- A coder should be able to understand / use it in less than 1 hr
- should force the coder to use prepared statements and proper input validation, and to avoid XSS
- maybe some protection against XSRF
- maybe some anti-pentesting / honeytoken features
Can this be done? Should I add more to it? Anybody interested in using something like this? This isn’t supposed to replace more complete efforts like the OWASP ESAPI, but rather to provide something for the myriad “non-enterprise coders” who produce tons of crappy code daily. It also shouldn’t be too hard to “retrofit” an existing application with this API.
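As an illustration of what the first four bullets could look like in practice, here is a sketch of such a wrapper. This is an added example, not code from the post or from any released library; the class names (SafeDb, In, Csrf), the helper e(), the database credentials and the users table are all made up for illustration. The idea is that each helper leaves the coder no unsafe variant to reach for: SQL only runs through a prepared statement with bound parameters, request data only arrives typed and validated, output only leaves through an escaper, and state-changing POSTs only pass with a session-bound token.

```php
<?php
// Added illustration of a minimal "force the safe path" PHP helper set.
// Not the author's library; all names here are made up for the example.
declare(strict_types=1);

final class SafeDb
{
    private PDO $pdo;

    public function __construct(string $dsn, string $user, string $pass)
    {
        $this->pdo = new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }

    // The only way to run SQL: placeholders are mandatory, values never touch the string.
    public function run(string $sql, array $params = []): PDOStatement
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt;
    }
}

final class In
{
    // Typed accessors for request arrays; anything that fails validation becomes $default.
    public static function int(array $src, string $key, ?int $default = null): ?int
    {
        $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT);
        return $v === false ? $default : $v;
    }

    public static function email(array $src, string $key, ?string $default = null): ?string
    {
        $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_EMAIL);
        return $v === false ? $default : $v;
    }

    // Allow-list by regex; callers must anchor with \A ... \z ($ alone allows a trailing newline).
    public static function match(array $src, string $key, string $regex, ?string $default = null): ?string
    {
        $v = $src[$key] ?? null;
        return (is_string($v) && preg_match($regex, $v) === 1) ? $v : $default;
    }
}

// Output escaping for HTML body and attribute context (not for JS or URL context).
function e(?string $s): string
{
    return htmlspecialchars((string) $s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

final class Csrf
{
    public static function token(): string
    {
        if (empty($_SESSION['csrf'])) {
            $_SESSION['csrf'] = bin2hex(random_bytes(32));   // per-session secret
        }
        return $_SESSION['csrf'];
    }

    public static function field(): string
    {
        return '<input type="hidden" name="csrf" value="' . e(self::token()) . '">';
    }

    // Call before any state change; constant-time compare against the session copy.
    public static function check(array $post): void
    {
        $sent = $post['csrf'] ?? '';
        if (!is_string($sent) || empty($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $sent)) {
            http_response_code(403);
            exit('bad request');
        }
    }
}

// --- usage sketch (assumed DSN, credentials and schema) ---
session_start();
$db = new SafeDb('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    Csrf::check($_POST);
    $id   = In::int($_POST, 'id');
    $name = In::match($_POST, 'name', '/\A[\p{L} \'-]{1,64}\z/u');
    if ($id === null || $name === null) {
        http_response_code(400);
        exit('invalid input');
    }
    $db->run('UPDATE users SET name = :name WHERE id = :id', ['name' => $name, 'id' => $id]);
}

$row = $db->run('SELECT name FROM users WHERE id = :id', ['id' => In::int($_GET, 'id', 0)])->fetch();
echo '<form method="post">' . Csrf::field()
   . '<p>Hello, ' . e($row['name'] ?? '') . '</p></form>';
```

Retrofitting an existing application with something like this mostly means mechanical replacement: every `mysql_query($sql)` with interpolated values becomes a `$db->run($sql, $params)` call with placeholders, every raw `$_GET`/`$_POST` read becomes an `In::` accessor, every `echo $x` becomes `echo e($x)`, and every state-changing form gets `Csrf::field()` plus a `Csrf::check()` at the top of its handler. The honeytoken idea from the last bullet is not shown here.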
What do you think… makes sense? Am I nuts? Want to use it?