It seems that Chris is just introducing this project to the community. Maybe there are flaws, I admit that I'm not the best one to judge that. But to focus on those flaws seems to miss the point.<p>Chris is trying to build a PHP framework where security is the prime consideration. To my knowledge, a project like this doesn't exist already. This is an open source project, and by Chris's own admission, a learning experience. This is an opportunity for the PHP community to have a discussion that is centered around the best way to solve the myriad of security issues that plague PHP frameworks and applications. The knowledge and experience generated from this project can be used to the benefit of other frameworks and applications in the PHP ecosystem.<p>I applaud Chris from undertaking this effort to challenge and improve his knowledge of web application security in a public way so that others may benefit from his experiences.<p>And shame on those who are trying to kill this project with negativity and condescension before it even starts.
While I'm not a PHP fan, I sincerely wish the average web developer were more security conscious and so I applaud the effort here. Having been the grouchy security guy on more projects than I can remember, I can attest that it's a thankless and tiresome job. The better you do, the less it will be appreciated.
> Filter values based on filter types (supported are: email, striptags)<p>Striptags is not a security tool, it is a presentation tool.<p>> Output filtering on all values (preventing XSS)<p>I'm still trying to figure out how you've implemented this.
Before anyone else brings it up, there are some issues with the session handler function. I'm working on a write-up and pull-request for them to fix the broken cryptography used there.
Yes, let's all use a security framework by a guy who thinks DES is a good choice, and who openly admits that this is a learning experience for him, this security framework he's giving to others.<p>Clearly, if after it's pointed out that DES is a bad idea he still doesn't know why, but he also refuses to fix it or take it down, the rest of this should be trusted too.