### Setting up and Running an Insecure PHP Example Application
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
This sequence of commands clones a repository containing an insecure PHP application, installs its dependencies using Composer, and then runs a local development server on port 8000. This setup is useful for testing common PHP vulnerabilities.
```bash
git clone https://github.com/rickogden/insecure-php-example.git
cd insecure-php-example
composer install
php -S localhost:8000 -t web
```
--------------------------------
### Install and Use Progpilot for Static Security Analysis
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
Instructions on installing Progpilot, a static security analyzer for PHP, using Composer and a basic command-line example for scanning a file and outputting a report.
```bash
# Install
composer require designsecurity/progpilot
# Usage example
php progpilot_scan.php --file=vulnerable.php --output=report.json
```
--------------------------------
### Install and Configure Secure-Headers for PHP
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
This snippet demonstrates how to install the Secure-Headers library using Composer, configure security headers in a PHP application, and use it to send headers.
```bash
composer require bepsvpt/secure-headers
```
```php
// config/secure-headers.php
return [
'x-content-type-options' => 'nosniff',
'x-frame-options' => 'SAMEORIGIN',
'x-xss-protection' => '1; mode=block',
'strict-transport-security' => 'max-age=31536000; includeSubDomains',
'content-security-policy' => "default-src 'self'",
];
```
```php
use Bepsvpt\SecureHeaders\SecureHeaders;
$headers = new SecureHeaders();
$headers->send();
```
--------------------------------
### Installing and Authenticating Snyk CLI
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
These bash commands install the Snyk command-line interface (CLI) globally using npm and then authenticate it with your Snyk account. Snyk is a tool for identifying and fixing vulnerabilities in your project's dependencies.
```bash
npm install -g snyk
snyk auth
```
--------------------------------
### Clone and Setup DVWA for Security Practice
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
Provides the git command to clone the Damn Vulnerable Web Application (DVWA) repository, a common resource for practicing web security testing.
```bash
# Clone and setup
git clone https://github.com/ethicalhack3r/DVWA.git
cd DVWA
```
--------------------------------
### Block Vulnerable Packages with roave/security-advisories
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
Instructions for adding the roave/security-advisories package to a project's development dependencies via Composer to prevent the installation of packages with known security vulnerabilities.
```bash
# Add to composer.json to block vulnerable packages
composer require --dev roave/security-advisories:dev-latest
```
--------------------------------
### Scan PHP Code for Vulnerabilities with phpcs-security-audit
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
This example shows how to use Docker to pull and run the phpcs-security-audit image for static code analysis of PHP projects, identifying potential security issues like SQL injection and XSS.
```bash
# Pull the Docker image
docker pull guardrails/phpcs-security-audit
# Scan a PHP project
docker run --rm -v "$(pwd)":/project guardrails/phpcs-security-audit \
phpcs --standard=Security /project/src
```
--------------------------------
### Preventing SQL Injection in PHP with Prepared Statements
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
This PHP code illustrates how to prevent SQL injection vulnerabilities. The vulnerable example uses direct string concatenation to build a SQL query, while the secure example utilizes prepared statements (`prepare`, `bind_param`, `execute`) to safely incorporate user input into database queries.
```php
// VULNERABLE CODE
$query = "SELECT * FROM users WHERE id = " . $_GET['id'];
$result = mysqli_query($conn, $query);
// SECURE CODE - Using prepared statements
$stmt = $conn->prepare("SELECT * FROM users WHERE id = ?");
$stmt->bind_param("i", $_GET['id']);
$stmt->execute();
$result = $stmt->get_result();
```
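The two query styles above side by side, as an added example that is not part of the original page: it uses PDO with an in-memory SQLite database (swapped in for the page's mysqli so it runs offline with php-cli and `pdo_sqlite`), constructs the rows itself, and feeds both functions the same `admin' OR '1'='1` input the page later sends with curl. It also covers the case placeholders cannot handle, a user-chosen sort column.

```php
<?php
// Added example (not from the original page). Assumes php-cli with the pdo_sqlite extension;
// the table and rows below are constructed for the demonstration.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)");
$db->exec("INSERT INTO users (username, password_hash) VALUES ('admin', 'x'), ('alice', 'y')");

// VULNERABLE: string concatenation; a quote in the input ends the literal early
// and the rest of the input becomes part of the WHERE clause.
function findUserConcat(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SECURE: the value is bound as data, so it can never change the query's structure.
function findUserPrepared(PDO $db, string $username): array
{
    $stmt = $db->prepare("SELECT id, username FROM users WHERE username = ?");
    $stmt->execute([$username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placeholders bind values only; an identifier such as a sort column cannot be bound,
// so check it against an allowlist instead of concatenating the raw input.
function listUsersSorted(PDO $db, string $column): array
{
    $allowed = ['id', 'username'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unsupported sort column");
    }
    return $db->query("SELECT id, username FROM users ORDER BY $column")->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: the same payload the page sends to /login with curl.
$payload = "admin' OR '1'='1";

// The concatenated query matches every user; the prepared one matches none,
// because no row has that literal string as its username.
printf("concat:   %d row(s)\n", count(findUserConcat($db, $payload)));
printf("prepared: %d row(s)\n", count(findUserPrepared($db, $payload)));
printf("sorted:   %d row(s)\n", count(listUsersSorted($db, 'username')));
```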
--------------------------------
### Preventing XSS in PHP with Output Escaping
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
This PHP code demonstrates Cross-Site Scripting (XSS) prevention. The vulnerable example directly echoes user input into HTML, which can execute arbitrary JavaScript. The secure example uses `htmlspecialchars` to properly escape special characters in the output, rendering them as text instead of executable code.
```php
// VULNERABLE - Direct output (wrapping <div> assumed; the original markup did not survive extraction)
echo "<div>" . $_GET['comment'] . "</div>";
// SECURE - Properly escaped output
echo "<div>" . htmlspecialchars($_GET['comment'], ENT_QUOTES, 'UTF-8') . "</div>";
```
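Why the page passes `ENT_QUOTES` explicitly, and what `htmlspecialchars` does not cover, as an added example that is not part of the original page. The input string, the `e()` and `jsValue()` helpers are constructed here; run it with php-cli.

```php
<?php
// Added example (not from the original page). The flag given to htmlspecialchars()
// decides which HTML contexts the result is safe in. Input is constructed.
$comment = "x' onmouseover='alert(1)";   // constructed input aimed at a single-quoted attribute

// ENT_COMPAT escapes < > & and double quotes only; ENT_QUOTES escapes single quotes as well.
// Before PHP 8.1 the default flag set was ENT_COMPAT | ENT_HTML401, so older code that
// omitted the flag left single quotes intact.
$compat = htmlspecialchars($comment, ENT_COMPAT, 'UTF-8');
$quotes = htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');

// In a single-quoted attribute the ENT_COMPAT result still closes the attribute and
// introduces an event handler; the ENT_QUOTES result stays inert attribute text.
echo "<input value='" . $compat . "'>\n";
echo "<input value='" . $quotes . "'>\n";

// A small helper (constructed) makes the safe call the default throughout a template.
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// HTML escaping does not cover a JavaScript context: hand data to scripts as JSON with the
// HEX flags so < > & ' " cannot terminate the <script> element or the string literal.
function jsValue($value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

echo '<p title="' . e($comment) . '">' . e($comment) . "</p>\n";
echo "<script>var comment = " . jsValue($comment) . ";</script>\n";
```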
--------------------------------
### Check Composer Lock File with Symfony Security Monitoring API
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
This example demonstrates how to use curl to send a composer.lock file to the Symfony Security Monitoring API to check for known vulnerabilities, receiving the results in JSON format.
```bash
curl -H "Accept: application/json" \
"https://security.symfony.com/check_lock" \
-F lock=@composer.lock
```
--------------------------------
### Testing SQL Injection Vulnerability with cURL
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
This cURL command attempts to exploit an SQL injection vulnerability in the insecure PHP example application by sending a crafted POST request to the login endpoint. The payload manipulates the username parameter to bypass authentication.
```bash
curl -X POST http://localhost:8000/login \
-d "username=admin' OR '1'='1&password=anything"
```
--------------------------------
### Testing XSS Vulnerability with cURL
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
This cURL command tests for a Cross-Site Scripting (XSS) vulnerability in the insecure PHP example application. It sends a script tag as the 'text' parameter to the comment endpoint, demonstrating how unescaped user input can lead to script execution.
```bash
curl http://localhost:8000/comment?text=
```
--------------------------------
### Run SonarQube Scanner for PHP Project Analysis
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
This command demonstrates how to execute the SonarQube scanner for a PHP project, specifying the project key, source directory, SonarQube server URL, and an authentication token.
```bash
sonar-scanner \
-Dsonar.projectKey=my-php-project \
-Dsonar.sources=src \
-Dsonar.host.url=http://localhost:9000 \
-Dsonar.login=your_token_here
```
--------------------------------
### Forking and Contributing to the Awesome PHP Security Repository
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
This sequence of bash commands outlines the standard GitHub workflow for contributing to the 'awesome-php-security' project. It involves forking the repository, cloning the fork locally, creating a new branch for changes, adding the resource following contribution guidelines, and preparing for a pull request.
```bash
# 1. Fork the repository on GitHub, then clone your fork
git clone https://github.com/yourusername/awesome-php-security.git
cd awesome-php-security
# 2. Create a feature branch
git checkout -b add-new-security-tool
# 3. Add your resource following the format:
# - [Tool Name](https://tool-url.com) - Brief description ending with period.
# Example addition to README.md:
# Under "## Static Code Analysis" section:
# - [PHPStan Security Rules](https://github.com/example/phpstan-security) - Security-focused rules for PHPStan static analyzer.
# 4. Ensure guidelines compliance:
# - Item added to end of category list
# - Description is short and descriptive
# - Starts with capital letter
# - Ends with period
# - No trailing whitespace
```
--------------------------------
### Check Composer Dependencies for Vulnerabilities with Docker
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
This snippet shows how to use Docker to run the security-checker tool against a project's composer.lock file to identify known vulnerabilities in PHP dependencies.
```bash
# Using Docker
docker pull guardrails/security-checker
docker run --rm -v "$(pwd)":/app guardrails/security-checker \
security-checker security:check /app/composer.lock
```
--------------------------------
### Testing a Project for Vulnerabilities with Snyk
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
This Snyk CLI command tests the current project directory for known security vulnerabilities in its dependencies. It analyzes the project's package manifests and reports any issues found, suggesting upgrades to fix them.
```bash
snyk test
```
--------------------------------
### Secure Password Hashing with PHP
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
This PHP code demonstrates the correct and incorrect ways to handle password storage. It shows the use of `md5` (insecure) versus `password_hash` with `PASSWORD_BCRYPT` (secure) for hashing, and `password_verify` for checking credentials. The `cost` option in `password_hash` controls the computational effort, impacting security and performance.
```php
// INCORRECT - Never use MD5 or SHA1 for passwords
$insecure = md5($password);
// CORRECT - Use password_hash with bcrypt
$secure = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
// Verification
if (password_verify($user_input, $secure)) {
// Password is correct
echo "Login successful";
} else {
// Password is incorrect
echo "Login failed";
}
```
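A login check that accepts both a legacy `md5` record and a `password_hash` record, and upgrades the stored hash in place, as an added example that is not part of the original page. It builds on the page's `password_hash`/`password_verify` calls and adds `password_needs_rehash`; the user records are constructed stand-ins for database rows.

```php
<?php
// Added example (not from the original page). Constructed user records stand in for a
// database; in a real application the updated hash would be written back to storage.
const HASH_ALGO = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];

function verifyAndUpgrade(array &$user, string $input): bool
{
    $stored = $user['password_hash'];

    // Legacy record: a bare 32-hex-character md5 digest. Compare in constant time and,
    // on success, replace it with a bcrypt hash now that the plaintext is available.
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        if (!hash_equals($stored, md5($input))) {
            return false;
        }
        $user['password_hash'] = password_hash($input, HASH_ALGO, HASH_OPTIONS);
        return true;
    }

    if (!password_verify($input, $stored)) {
        return false;
    }

    // Valid modern hash, but produced with an algorithm or cost below current policy:
    // rehash on this successful login so the stored value catches up.
    if (password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $user['password_hash'] = password_hash($input, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// Constructed records: one legacy md5 user, one bcrypt user hashed with a low cost.
$legacyUser  = ['name' => 'alice', 'password_hash' => md5('correct horse')];
$lowCostUser = ['name' => 'bob',   'password_hash' => password_hash('battery staple', PASSWORD_BCRYPT, ['cost' => 4])];

// A wrong password leaves the legacy hash untouched; the right one replaces it with bcrypt.
var_dump(verifyAndUpgrade($legacyUser, 'wrong'));
var_dump(verifyAndUpgrade($legacyUser, 'correct horse'));
// A correct password against the low-cost hash triggers a rehash at the policy cost.
var_dump(verifyAndUpgrade($lowCostUser, 'battery staple'));
echo $legacyUser['password_hash'], "\n", $lowCostUser['password_hash'], "\n";
```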
--------------------------------
### Monitoring a Project Continuously with Snyk
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
This Snyk CLI command enables continuous monitoring of your project for new vulnerabilities. Snyk will track your dependencies and alert you if new security issues are discovered over time.
```bash
snyk monitor
```
--------------------------------
### Running a Vulnerable Web Application (DVWA)
Source: https://context7.com/guardrailsio/awesome-php-security/llms.txt
This command runs the Damn Vulnerable Web Application (DVWA) in a Docker container. DVWA is a PHP/MySQL web application that is intentionally insecure, designed for security training and testing. It is accessible via HTTP on port 80.
```bash
docker run --rm -it -p 80:80 vulnerables/web-dvwa
```