Good Php Framework for strong security [closed]

Tags: codeigniter


Security cannot be applied to an application like some veneer. Each kind of security problem is dealt with in some other way, and most PHP frameworks provide tools to write secure code:

  • Fighting HTML injection / XSS requires the use of a template engine (like Twig) that escapes values by default or a component-driven approach to displaying HTML. No framework will help you if you allow people to upload their files and have them served from your own domain (you have to use a separate domain for that);

  • You can avoid SQL injection by using db helpers that escape query parameters; each framework you mentioned provides those (and of course you can use plain PDO);

  • You can fight CSRF by using session-bound tokens. Each framework offers some solution. In each case, however, you have to assist the framework in some way (by adding a token to each form or by using a form abstraction provided by the framework).

So in a way - yes, you have to think about security. I don't think any PHP framework could do anything more than they already do, unless there is a major paradigm shift that lets us design applications by dragging colorful boxes across the screen, not touching dirty, insecure things like HTML or SQL. What kind of support would you expect?
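As an added illustration of the three points in the answer above (example code written for this page, not code from the answer's author or from any of the frameworks mentioned), here are the same mitigations in plain PHP so the mechanism behind each framework helper is visible. It assumes PHP 7.2 or later with the pdo_sqlite extension; the in-memory database, the `users` table, the hostile-looking input and the `$session` array standing in for `$_SESSION` are all constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not from the original answer. Assumed: PHP 7.2+ with
// pdo_sqlite. An in-memory SQLite database stands in for the real one.

// 1. XSS: escape on output, every time, for the HTML body/attribute context.
//    A template engine that escapes by default does exactly this for you.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 2. SQL injection: bind parameters so the user value is never part of
//    the SQL text. Framework db helpers wrap the same PDO calls.
function findUserByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. CSRF: a random token bound to the session, embedded in each form and
//    compared in constant time when the form comes back. $session is the
//    session store; in a request handler you would pass $_SESSION.
function csrfToken(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function csrfTokenIsValid(array &$session, ?string $submitted): bool
{
    return isset($session['csrf_token'])
        && is_string($submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// --- Demonstration with constructed input -------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// A value that would alter the query if concatenated into the SQL string.
// As a bound parameter it is just a name that matches no row.
$hostileName = "alice' OR '1'='1";
var_dump(findUserByName($db, $hostileName));
var_dump(findUserByName($db, 'alice'));

// Output escaping: the markup is rendered as text, not as a tag.
echo e('<script>alert(1)</script>') . "\n";

// CSRF: token issued with the form, then checked on the simulated submit.
$session = [];
$form = '<form method="post" action="/transfer">'
    . '<input type="hidden" name="_token" value="' . e(csrfToken($session)) . '">'
    . '</form>';
echo $form . "\n";

$postedToken = $session['csrf_token'];   // what the legitimate form sends back
var_dump(csrfTokenIsValid($session, $postedToken));
var_dump(csrfTokenIsValid($session, 'forged-token'));
var_dump(csrfTokenIsValid($session, null));
```

Run it with `php example.php`. The point the answer makes carries through to the code: none of these protections is automatic. The application still has to call `e()` at every output site (or use a template engine that does), route every query through a prepared statement, and put the token into every state-changing form and check it on the way back in.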


I'd also say try CodeIgniter.

Also CodeIgniter is easy to use if you're working with a framework for the first time and has a great user guide which is really easy to understand.

Edit: Since I'm still getting upvotes here in 2019, please check https://laravel.com/


The key vulnerabilities you mention happen in different and sometimes multiple layers and are often dependent on the context of what you're doing, so a lot of them will offer the facilities to protect against this stuff, but you have to make use of it.

For example both Symfony (1.x and 2) and Zend Framework have a form component/sub-framework that implements CSRF out of the box. But that doesn't mean it's turned on by default (Symfony's is... don't recall if ZF's is or not). Same thing with XSS when we talk about the output escaping side in the view layer.

Now when it comes to framework preference for big apps I personally like Symfony 1.x and Symfony2, Zend Framework 1.x (not going to mention ZF2 because I haven't even played with it yet). For simple things I like Silex (based on Symfony Components).