hoangnguyen0403/php-security
skills/php/php-security/SKILL.md
PHP security standards for database access, password handling, and input validation. Use when securing PHP apps against SQL injection, XSS, or weak password storage.
$ install --global
skillsauthnpx skillsauth add hoangnguyen0403/agent-skills-standard php-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 20, 2026, 3:07 AM210.8s3 files scanned
SKILL.md
- name:
- php-security
- description:
- PHP security standards for database access, password handling, and input validation. Use when securing PHP apps against SQL injection, XSS, or weak password storage.
PHP Security
Priority: P0 (CRITICAL)
Structure
src/
└── Security/
├── Validators/
└── Auth/
Implementation Guidelines
- Prepared Statements: Use PDO with Parameterized Queries:
$stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id'); $stmt->execute([':id' => $id]);. NEVER concatenate user input into SQL strings. - Password Hashing: ALWAYS use
password_hash()withPASSWORD_ARGON2ID(PHP 7.4+) orPASSWORD_BCRYPT. - Auth Verification: Use
password_verify(). Usepassword_needs_rehash()to upgrade legacy hashes. Implement Rate Limiting and MFA where appropriate. - XSS Escaping: Use
htmlentities($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8')orhtmlspecialchars()on all user output. Prefer Twig or Blade for auto-escaping. - CSRF Protection: Mandate
CSRF tokensfor all state-changing requests (POST,PUT,PATCH,DELETE). - Input Validation: Use
filter_var($email, FILTER_VALIDATE_EMAIL)orfilter_var($url, FILTER_VALIDATE_URL). Always Whitelist allowed values. - File Security: RESTRICT file uploads by MIME type and extension. Store uploads outside public root.
- Session Safety: Configure
session.cookie_httponly = 1,session.cookie_secure = 1, andsession.samesite = "Lax". - Header Security: Enforce
Content-Security-Policy (CSP),X-Frame-Options: DENY, andX-Content-Type-Options: nosniff.
Anti-Patterns
- No SQL string concatenation: Use PDO prepared statements only.
- No MD5/SHA1 for passwords: Use
password_hash($password, PASSWORD_ARGON2ID). - No raw
$_GET/$_POST: Validate all input withfilter_var()first. - No production error display: Log to file; never show to users.
References
- Secure Implementation Patterns
Related Skills
hoangnguyen0403/common-software-requirements
development
VerifiedTrustedCommunity
Standardize SRS and FRS specifications for technical behavior, interfaces, data contracts, quality constraints, and verification mapping. Use when writing SRS, functional specification, system behavior requirements, API/data contracts, or non-functional thresholds.
503SKILL.mdUpdated May 23, 2026
hoangnguyen0403/common-business-requirements
development
VerifiedTrustedCommunity
Standardize BRD and BRD-lite discovery for business goals, stakeholder impact, current-to-future state, and measurable value outcomes. Use when creating BRD, business case, project justification, ROI narrative, or AS-IS to TO-BE scope.
503SKILL.mdUpdated May 23, 2026
hoangnguyen0403/common-tdd
development
VerifiedTrustedCommunity
Implements a strict Red-Green-Refactor loop to ensure zero production code is written without a prior failing test. Use when: creating new features, fixing bugs, or expanding test coverage.
503SKILL.mdUpdated May 10, 2026
hoangnguyen0403/common-product-requirements
testing
VerifiedTrustedCommunity
Standardize PRD discovery and drafting for product scope, user outcomes, requirement IDs, and acceptance criteria. Use when creating PRD, product requirements, feature specification, or acceptance criteria plan.
503SKILL.mdUpdated May 10, 2026