I am thinking of writing a simple PHP MVC framework myself: a URL routing function matches the controller and method names from the URL; if method_exists, it instantiates the controller and runs the method via call_user_func_array, otherwise it falls into the error controller; each controller can require the models it needs and then require the template (TPL). That is my idea for a simple PHP framework. What security issues should I pay attention to here?
Reply content:
Path problem: an external file must not be pulled in through the URL, e.g. /etc/passwd.
Data filtering: never trust any user input. All input data is passed through htmlspecialchars before it goes into storage.
Database: use PDO instead of mysql_xxxx, and use parameter binding to handle external data (the mysqli extension can be used if the database will only ever be MySQL).
About call_user_func_array: see the Drupal security issue that caused a stir a while ago:
http://blog.knownsec.com/2014/10/drupal__callback_nightmare/
require: it can give rise to a file inclusion vulnerability.
http://www.neatstudio.com/show-1123-1.shtml
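The points in the reply, worked into a minimal dispatcher. This is an added example, not code from the question or the answer; it assumes PHP 8, and the controller names, the template directory and the `.tpl.php` suffix are constructed for the demo. It shows why `method_exists` alone is not enough (it also matches private and magic methods), why the route segments must be whitelisted before they reach `require` or `call_user_func_array`, and how to confine template includes to one directory with `realpath`:

```php
<?php
// Added example (not from the original post). Assumes PHP 8.
declare(strict_types=1);

abstract class BaseController
{
    public function __construct(protected string $templateDir) {}

    // Resolve a template strictly under $templateDir; a name with "/", "." or
    // a null byte is rejected, and realpath() defeats symlink/".." tricks.
    protected function render(string $name, array $vars): string
    {
        if (!preg_match('/\A[a-z0-9_]+\z/i', $name)) {
            throw new InvalidArgumentException('Bad template name');
        }
        $base = realpath($this->templateDir);
        $file = realpath($this->templateDir . '/' . $name . '.tpl.php');
        if ($base === false || $file === false
            || !str_starts_with($file, $base . DIRECTORY_SEPARATOR)) {
            throw new RuntimeException('Template outside template directory');
        }
        // Escape at output time, where the context (HTML) is known.
        $safe = array_map(
            fn($v) => htmlspecialchars((string)$v, ENT_QUOTES, 'UTF-8'), $vars);
        extract($safe, EXTR_SKIP);
        ob_start();
        require $file;
        return ob_get_clean();
    }
}

final class HelloController extends BaseController
{
    public function greet(string $name = 'world'): string
    {
        return $this->render('hello', ['name' => $name]);
    }
    private function secret(): string { return 'must not be routable'; }
}

final class ErrorController extends BaseController
{
    public function notFound(): string { return '404 Not Found'; }
}

final class Router
{
    // Only identifiers: no slashes, dots, backslashes or namespace separators.
    private const NAME = '/\A[a-z][a-z0-9_]{0,40}\z/i';

    public function __construct(private string $templateDir) {}

    public function dispatch(string $path, array $query = []): string
    {
        $parts = array_values(array_filter(explode('/', $path), 'strlen'));
        $ctrl  = $parts[0] ?? 'hello';
        $meth  = $parts[1] ?? 'greet';
        if (!preg_match(self::NAME, $ctrl) || !preg_match(self::NAME, $meth)) {
            return $this->error();
        }
        $class = ucfirst(strtolower($ctrl)) . 'Controller';
        // Autoload disabled (2nd arg): an unknown name must not trigger a file load.
        if (!class_exists($class, false)
            || !is_subclass_of($class, BaseController::class)
            || $class === ErrorController::class
            || !method_exists($class, $meth)) {
            return $this->error();
        }
        // method_exists() also matches private and magic methods; check visibility.
        $rm = new ReflectionMethod($class, $meth);
        if (!$rm->isPublic() || $rm->isStatic() || $rm->isConstructor()
            || str_starts_with($meth, '__')) {
            return $this->error();
        }
        // Pass only the parameters the method declares, in declared order.
        $args = [];
        foreach ($rm->getParameters() as $p) {
            if (array_key_exists($p->getName(), $query)) {
                $args[] = (string)$query[$p->getName()];
            } elseif ($p->isDefaultValueAvailable()) {
                $args[] = $p->getDefaultValue();
            } else {
                return $this->error();
            }
        }
        return call_user_func_array([new $class($this->templateDir), $meth], $args);
    }

    private function error(): string
    {
        return (new ErrorController($this->templateDir))->notFound();
    }
}

// Demo with a constructed template written to a temporary directory.
$dir = sys_get_temp_dir() . '/mvc_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/hello.tpl.php", '<p>Hello, <?= $name ?>!</p>');
$router = new Router($dir);
echo $router->dispatch('/hello/greet', ['name' => '<b>Bob</b>']), PHP_EOL; // escaped
echo $router->dispatch('/hello/secret'), PHP_EOL;        // private method -> 404
echo $router->dispatch('/../../etc/passwd'), PHP_EOL;    // fails name check -> 404
echo $router->dispatch('/hello/__construct'), PHP_EOL;   // magic method -> 404
unlink("$dir/hello.tpl.php");
rmdir($dir);
```

The whitelist regex does the heavy lifting: once a segment can only be an identifier, neither `require` nor `call_user_func_array` ever sees a path or a callable that the user composed. The `realpath` prefix check in `render` is the second line of defence for templates, and it is the same pattern one would apply to the model `require` in the controller.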