> php-security
PHP security standards for database access, password handling, and input validation. Use when securing PHP apps against SQL injection, XSS, or weak password storage. (triggers: **/*.php, pdo, password_hash, htmlentities, filter_var)
curl "https://skillshub.wtf/HoangNguyen0403/agent-skills-standard/php-security?format=md"
PHP Security
Priority: P0 (CRITICAL)
Structure
src/
└── Security/
    ├── Validators/
    └── Auth/
Implementation Guidelines
- Prepared Statements: Use PDO with parameterized queries: $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id'); $stmt->execute([':id' => $id]);. NEVER concatenate user input into SQL strings.
- Password Hashing: ALWAYS use password_hash() with PASSWORD_ARGON2ID (PHP 7.4+) or PASSWORD_BCRYPT.
- Auth Verification: Use password_verify(). Use password_needs_rehash() to upgrade legacy hashes. Implement rate limiting and MFA where appropriate.
- XSS Escaping: Use htmlentities($userInput, ENT_QUOTES | ENT_HTML5, 'UTF-8') or htmlspecialchars() on all user output. Prefer Twig or Blade for auto-escaping.
- CSRF Protection: Mandate CSRF tokens for all state-changing requests (POST, PUT, PATCH, DELETE).
- Input Validation: Use filter_var($email, FILTER_VALIDATE_EMAIL) or filter_var($url, FILTER_VALIDATE_URL). Always whitelist allowed values.
- File Security: RESTRICT file uploads by MIME type and extension. Store uploads outside the public root.
- Session Safety: Configure session.cookie_httponly = 1, session.cookie_secure = 1, and session.cookie_samesite = "Lax" (the ini directive is session.cookie_samesite, not session.samesite).
- Header Security: Enforce Content-Security-Policy (CSP), X-Frame-Options: DENY, and X-Content-Type-Options: nosniff.
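The following is an added example, not code from the skill itself, that applies the prepared-statement, password-hashing, input-validation and output-escaping guidelines above in one login flow. It assumes a PHP build with the PDO SQLite driver and Argon2 support (PASSWORD_ARGON2ID defined); the users table and sample account are constructed inline so it runs stand-alone.

```php
<?php
// Added example: register, log in, and greet a user following the guidelines above.
// Constructed in-memory SQLite database with a minimal users table (assumption).
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');

// Registration: store only an Argon2id hash, never the password itself.
function registerUser(PDO $pdo, string $email, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => password_hash($password, PASSWORD_ARGON2ID)]);
}

// Login: validate the input first, then look the user up with a parameterized query.
function login(PDO $pdo, string $rawEmail, string $password): ?array
{
    $email = filter_var($rawEmail, FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return null; // malformed address: rejected before any query runs
    }
    $stmt = $pdo->prepare('SELECT id, email, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false || !password_verify($password, $user['password_hash'])) {
        return null; // same response for unknown user and wrong password
    }
    // Transparently upgrade hashes produced by an older algorithm or cost setting.
    if (password_needs_rehash($user['password_hash'], PASSWORD_ARGON2ID)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $upd->execute([':hash' => password_hash($password, PASSWORD_ARGON2ID), ':id' => $user['id']]);
    }
    return ['id' => $user['id'], 'email' => $user['email']];
}

// Output: escape before interpolating into HTML, even for values the app stored itself.
function greeting(array $user): string
{
    return '<p>Welcome, ' . htmlentities($user['email'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

registerUser($pdo, 'alice@example.com', 'correct horse battery staple');
var_dump(login($pdo, 'not-an-email', 'anything'));          // fails FILTER_VALIDATE_EMAIL
var_dump(login($pdo, 'alice@example.com', 'wrong'));        // fails password_verify()
echo greeting(login($pdo, 'alice@example.com', 'correct horse battery staple')), PHP_EOL;
```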
Anti-Patterns
- No SQL string concatenation: Use PDO prepared statements only.
- No MD5/SHA1 for passwords: Use password_hash($password, PASSWORD_ARGON2ID).
- No raw $_GET/$_POST: Validate all input with filter_var() first.
- No production error display: Log to file; never show to users.
References