php-aegis

PHP 8.1+ MIT License RSR Compliant

A PHP security and hardening toolkit providing input validation, sanitization, and security utilities.

1. Overview

php-aegis provides a collection of security-focused utilities for PHP applications. Named after the mythological shield of Zeus, it aims to protect your applications from common web vulnerabilities.

1.1. Key Features

  • Input Validation - Strict validation for emails, URLs, and common data formats

  • XSS Prevention - HTML sanitization with proper encoding

  • Type Safety - Full strict_types enforcement throughout

  • Modern PHP - Requires PHP 8.1+ for latest security features

  • Zero Dependencies - Core library has no external dependencies

  • PSR-12 Compliant - Follows PHP-FIG coding standards

1.2. Philosophy

Defense in depth: multiple layers of validation and sanitization.

php-aegis follows the principle that security should be:

  1. Simple - Easy to use correctly, hard to misuse

  2. Strict - Fail closed rather than fail open

  3. Composable - Combine utilities for layered protection

2. Installation

2.1. Via Composer

composer require hyperpolymath/php-aegis

2.2. Requirements

  • PHP 8.1 or higher

  • No additional extensions required

3. Quick Start

<?php

declare(strict_types=1);

use PhpAegis\Validator;
use PhpAegis\Sanitizer;

$validator = new Validator();
$sanitizer = new Sanitizer();

// Validate user input
$email = $_POST['email'] ?? '';
if (!$validator->email($email)) {
    throw new InvalidArgumentException('Invalid email address');
}

// Sanitize for HTML output
$userContent = $_POST['comment'] ?? '';
$safeHtml = $sanitizer->html($userContent);
echo "<p>{$safeHtml}</p>";

4. API Reference

4.1. Validator

The Validator class provides strict input validation methods.

4.1.1. email(string $email): bool

Validates email address syntax using PHP’s FILTER_VALIDATE_EMAIL. This is a format check only: a true result means "well-formed", not that the domain exists or the mailbox is deliverable, so it is not a substitute for a confirmation email where ownership matters.

$validator = new Validator();

$validator->email('user@example.com');  // true
$validator->email('invalid');           // false
$validator->email('');                  // false

4.1.2. url(string $url): bool

Validates URL syntax using PHP’s FILTER_VALIDATE_URL. The filter requires a scheme and a host but accepts any scheme (which is why the ftp:// example below passes), so where only http/https links are acceptable, enforce a scheme allowlist on top of this check.

$validator = new Validator();

$validator->url('https://example.com');     // true
$validator->url('ftp://files.example.com'); // true
$validator->url('not-a-url');               // false
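Because url() only confirms syntax, a practical caller adds policy on top of it. The following is an added example, not code from php-aegis: it wraps the library’s documented Validator::url() with a scheme allowlist and a check against embedded credentials. The isAllowedUrl() helper and the sample URL list are constructed for this illustration.

```php
<?php
// Added example, not part of php-aegis. Layers a scheme allowlist on top of the
// library's Validator::url(), because FILTER_VALIDATE_URL accepts any scheme.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use PhpAegis\Validator;

/**
 * Returns true only for a syntactically valid URL whose scheme is in $allowed,
 * which has a host, and which carries no user:pass@ credentials. Fails closed
 * on anything parse_url() cannot handle.
 *
 * @param list<string> $allowed lower-case schemes, e.g. ['http', 'https']
 */
function isAllowedUrl(Validator $validator, string $url, array $allowed = ['http', 'https']): bool
{
    // Layer 1: the library's syntax check (FILTER_VALIDATE_URL underneath).
    if (!$validator->url($url)) {
        return false;
    }

    // Layer 2: our own policy on a URL we now know is well-formed.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), $allowed, true)) {
        return false;
    }
    // Reject https://user:secret@host/ forms: they are a common phishing and
    // credential-leak vector and almost never legitimate in user-supplied links.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return false;
    }

    return true;
}

$validator = new Validator();

// Constructed test cases: expected result of isAllowedUrl() for each.
$cases = [
    'https://example.com/path?q=1'     => true,
    'http://example.com'               => true,
    'ftp://files.example.com'          => false, // passes url(), wrong scheme
    'javascript:alert(1)'              => false, // no host, never reaches the allowlist
    'https://user:secret@example.com/' => false, // embedded credentials
    'not-a-url'                        => false, // fails url()
];

foreach ($cases as $url => $expected) {
    $actual = isAllowedUrl($validator, $url);
    printf("%-36s %s\n", $url, $actual === $expected ? 'ok' : 'MISMATCH');
}
```

The order matters: the library check runs first so that parse_url() only ever sees a string FILTER_VALIDATE_URL has already accepted, and every branch that is not an explicit pass returns false.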

4.2. Sanitizer

The Sanitizer class prepares untrusted strings for safe output.

4.2.1. html(string $input): string

Escapes strings for safe output in HTML element content and quoted attribute values, preventing XSS in those contexts. The encoding is specific to HTML: it does not make a value safe inside inline JavaScript, a URL, a CSS value, or an unquoted attribute, each of which needs its own encoder.

  • Encodes <, >, &, ", '

  • Uses UTF-8 encoding

  • HTML5 compliant

$sanitizer = new Sanitizer();

$sanitizer->html('<script>alert("xss")</script>');
// Returns: &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;

$sanitizer->html("It's safe & secure");
// Returns: It&#039;s safe &amp; secure

4.2.2. stripTags(string $input): string

Removes all HTML and PHP tags from input. Stripping is lossy and is not an XSS control on its own: text that survives it still contains characters such as <, & and quotes, so pass the result through html() before placing it in a page.

$sanitizer = new Sanitizer();

$sanitizer->stripTags('<p>Hello <b>World</b></p>');
// Returns: Hello World

$sanitizer->stripTags('<?php echo "test"; ?>');
// Returns: (empty string)
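Output encoding is per context, and html() covers only the HTML ones. The following is an added example, not php-aegis code: it uses the library’s Sanitizer for element content and attribute values, and uses standard PHP functions for the two contexts the library does not address, a JavaScript literal and a URL query parameter. The renderComment() helper, the trackAuthor() JavaScript function and the attacker-style inputs are constructed for this illustration.

```php
<?php
// Added example, not part of php-aegis. Demonstrates choosing the encoder by
// output context; only the HTML contexts use the library's Sanitizer.
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use PhpAegis\Sanitizer;

/**
 * Render a comment card. Each interpolation uses the encoder for its context:
 *  - element content and quoted attribute values: Sanitizer::html()
 *  - a value handed to inline JavaScript: json_encode() with the JSON_HEX_* flags
 *  - a value placed in a URL query string: rawurlencode(), then html() for the attribute
 */
function renderComment(Sanitizer $s, string $author, string $body, string $site): string
{
    $authorHtml = $s->html($author);
    // Layered: strip markup first, then encode whatever text remains.
    $bodyHtml = $s->html($s->stripTags($body));

    // JSON_HEX_TAG/AMP/APOS/QUOT keep the literal safe even inside a <script>
    // block: a "</script>" in the data becomes "\u003C\/script\u003E".
    $authorJs = json_encode(
        $author,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );

    // User input goes into a query VALUE on a fixed path, never into the scheme
    // or host of the href, so "javascript:" cannot become the link target.
    $profileUrl = $s->html('/profile?site=' . rawurlencode($site));

    return <<<HTML
        <article data-author="{$authorHtml}">
          <h3>{$authorHtml}</h3>
          <p>{$bodyHtml}</p>
          <a href="{$profileUrl}">site</a>
          <script>trackAuthor({$authorJs});</script>
        </article>
        HTML;
}

// Constructed attacker-style inputs for each context.
$s = new Sanitizer();
echo renderComment(
    $s,
    '"><script>alert(1)</script>',
    '<img src=x onerror=alert(1)>Hello & <b>welcome</b>',
    'javascript:alert(1)'
), PHP_EOL;
```

Read the output with the contexts in mind: the author string appears three times, encoded three different ways, and the body renders as "Hello &amp; welcome" because stripTags() removed the tags and html() encoded the ampersand that stripping leaves behind.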

5. Security Considerations

5.1. What php-aegis Does

  • Validates input formats (email, URL, etc.)

  • Sanitizes output for HTML contexts

  • Enforces type safety

5.2. What php-aegis Does NOT Do

  • SQL injection prevention (use PDO prepared statements)

  • CSRF protection (use framework tokens)

  • Authentication/Authorization

  • Encryption/Hashing (use password_hash(), sodium_*)

5.3. Best Practices

// Always validate before processing
if (!$validator->email($input)) {
    // Reject early
    return;
}

// Always sanitize before output
echo $sanitizer->html($userContent);

// Layer your defenses
$clean = $sanitizer->stripTags($input);  // Remove tags
$safe = $sanitizer->html($clean);         // Then encode
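Sections 5.2 and 5.3 together describe one request path: validate with the library, store with the controls it leaves to you, encode at the output boundary. The following is an added example, not php-aegis code: a registration and login flow that layers Validator and Sanitizer with PDO prepared statements and password_hash(), as the README recommends. The Registration class, its schema and the sample inputs are constructed for this illustration; it uses an in-memory SQLite database so it runs offline (requires ext-pdo_sqlite).

```php
<?php
// Added example, not part of php-aegis. Layers the library's Validator and
// Sanitizer with PDO prepared statements and password_hash()/password_verify().
declare(strict_types=1);

require __DIR__ . '/vendor/autoload.php';

use PhpAegis\Sanitizer;
use PhpAegis\Validator;

final class Registration
{
    private string $dummyHash;

    public function __construct(
        private PDO $db,
        private Validator $validator,
        private Sanitizer $sanitizer,
    ) {
        $this->db->exec('CREATE TABLE IF NOT EXISTS users (
            email TEXT PRIMARY KEY, password_hash TEXT NOT NULL, bio TEXT NOT NULL)');
        // Hash of a random value, verified against when the user does not exist,
        // so login timing does not reveal which emails are registered.
        $this->dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }

    /** Fail closed: anything not clearly valid is rejected before it touches storage. */
    public function register(string $email, string $password, string $bio): void
    {
        $email = strtolower(trim($email)); // normalise so lookups are consistent
        if ($email === '' || !$this->validator->email($email)) {
            throw new InvalidArgumentException('Invalid email address');
        }
        if (strlen($password) < 12) {
            throw new InvalidArgumentException('Password too short');
        }
        // Strip markup on the way in; HTML encoding happens at output time.
        $bio = $this->sanitizer->stripTags($bio);

        // Prepared statement: values are bound, never interpolated into SQL.
        $stmt = $this->db->prepare(
            'INSERT INTO users (email, password_hash, bio) VALUES (:email, :hash, :bio)'
        );
        $stmt->execute([
            ':email' => $email,
            ':hash'  => password_hash($password, PASSWORD_DEFAULT),
            ':bio'   => $bio,
        ]);
    }

    public function login(string $email, string $password): bool
    {
        $stmt = $this->db->prepare('SELECT password_hash FROM users WHERE email = :email');
        $stmt->execute([':email' => strtolower(trim($email))]);
        $hash = $stmt->fetchColumn();
        $known = $hash !== false;
        // Always run password_verify(), even for unknown users (see $dummyHash).
        $ok = password_verify($password, $known ? (string) $hash : $this->dummyHash);
        return $known && $ok;
    }

    /** HTML fragment for a profile page: encode at the output boundary. */
    public function profileHtml(string $email): string
    {
        $stmt = $this->db->prepare('SELECT email, bio FROM users WHERE email = :email');
        $stmt->execute([':email' => strtolower(trim($email))]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return '<p>No such user</p>';
        }
        return sprintf(
            '<p><strong>%s</strong>: %s</p>',
            $this->sanitizer->html($row['email']),
            $this->sanitizer->html($row['bio'])
        );
    }
}

$db  = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$reg = new Registration($db, new Validator(), new Sanitizer());

// Constructed sample inputs.
$reg->register('User@Example.com', 'correct horse battery', '<b>hi</b> & bye');
var_dump($reg->login('user@example.com', 'correct horse battery')); // bool(true)
var_dump($reg->login('user@example.com', 'wrong password'));        // bool(false)
var_dump($reg->login('nobody@example.com', 'anything'));            // bool(false)
echo $reg->profileHtml('user@example.com'), PHP_EOL;

try {
    $reg->register("alice@example.com'; DROP TABLE users; --", 'correct horse battery', '');
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL; // fails email() before any SQL runs
}
```

Note that the injection-shaped email never reaches the database twice over: Validator::email() rejects it first, and even a string that passed validation would only ever be bound as a parameter. The bio is stripped on input but encoded on output, which keeps the stored text reusable for non-HTML contexts later.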

6. Development

6.1. Setup

git clone https://github.com/hyperpolymath/php-aegis.git
cd php-aegis
composer install

6.2. Commands

# Using just (recommended)
just test      # Run tests
just analyze   # Static analysis
just lint      # Check formatting
just fmt       # Fix formatting

# Using composer directly
vendor/bin/phpunit
vendor/bin/phpstan analyse src
vendor/bin/php-cs-fixer fix --dry-run

7. Roadmap

Planned features for future releases:

7.1. v0.2.0 - Extended Validators

  • Validator::ip() - IPv4/IPv6 validation

  • Validator::uuid() - UUID format validation

  • Validator::slug() - URL slug validation

  • Validator::phone() - Phone number validation

7.2. v0.3.0 - Security Headers

  • Headers::csp() - Content Security Policy helper

  • Headers::hsts() - HSTS header helper

  • Headers::noSniff() - X-Content-Type-Options

  • Headers::frameOptions() - X-Frame-Options

7.3. v0.4.0 - Rate Limiting

  • RateLimiter - Token bucket implementation

  • ❏ Redis/APCu backend support

7.4. Future

  • ❏ CSRF token generation and validation

  • ❏ Input filtering chains

  • ❏ Audit logging utilities

8. License

MIT License - See LICENSE.txt for details.

9. Contributing

Contributions welcome! Please read CONTRIBUTING.adoc first.

For security vulnerabilities, see SECURITY.adoc.

10. RSR Compliance

This repository follows Rhodium Standard Repository guidelines.

PHP is permitted under RSR as a Tier Exception for security-specific tooling.
