Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Modern & Secure PHP Applications

Avatar for Ben Edmunds Ben Edmunds
August 12, 2014
Technology
2
110

Modern & Secure PHP Applications

What's new in PHP along with a focus on building secure apps. Presented on CodeMentor 08/12/2014.
Avatar for Ben Edmunds

Ben Edmunds

August 12, 2014
Tweet

More Decks by Ben Edmunds

See All by Ben Edmunds
Longhorn PHP 2021 - Passing the Technical Interview Workshop
Avatar for Ben Edmunds benedmunds
0
120
DevOpsDays Boston 2020 - Passing the Technical Interview
Avatar for Ben Edmunds benedmunds
0
62
Midwest PHP 2020 - Web Scale System Design and Architecture
Avatar for Ben Edmunds benedmunds
1
140
Modern and Secure PHP (SoutheastPHP 2018)
Avatar for Ben Edmunds benedmunds
0
98
Level Up Your Career - PHP South Africa Keynote
Avatar for Ben Edmunds benedmunds
0
860
Modern PHP, Standards, and Community (phpDay 2017)
Avatar for Ben Edmunds benedmunds
1
840
Lone Star PHP 2017 - More Than Just a Hammer
Avatar for Ben Edmunds benedmunds
0
500
Lone Star PHP 2017 - Your API is Bad and You Should Feel Bad
Avatar for Ben Edmunds benedmunds
0
220
Intro to Laravel 5
Avatar for Ben Edmunds benedmunds
1
490

Other Decks in Technology

See All in Technology
第64回コンピュータビジョン勉強会「The PanAf-FGBG Dataset: Understanding the Impact of Backgrounds in Wildlife Behaviour Recognition」
Avatar for Tatsuya Suzuki x_ttyszk
0
130
オーティファイ会社紹介資料 / Autify Company Deck
Avatar for Autify autifyhq
10
130k
助けて! XからWaylandに移行しないと新しいGNOMEが使えなくなっちゃう 2025-07-12
Avatar for Nobuto Murata nobutomurata
2
130
事例で学ぶ!B2B SaaSにおけるSREの実践例/SRE for B2B SaaS: A Real-World Case Study
Avatar for 株式会社ビットキー / Bitkey Inc. bitkey
1
270
対話型音声AIアプリケーションの信頼性向上の取り組み
Avatar for 株式会社IVRy(社員登壇資料) ivry_presentationmaterials
1
600
60以上のプロダクトを持つ組織における開発者体験向上への取り組み - チームAPIとBackstageで構築する組織の可視化基盤 - / sre next 2025 Efforts to Improve Developer Experience in an Organization with Over 60 Products
Avatar for VTRyo vtryo
2
630
DatabricksにOLTPデータベース『Lakebase』がやってきた!
Avatar for Takeru Ino inoutk
0
150
ソフトウェアテストのAI活用_ver1.25
Avatar for fumisuke fumisuke
1
510
Enhancing SaaS Product Reliability and Release Velocity through Optimized Testing Approach
Avatar for ropQa ropqa
1
250
Lufthansa ®️ USA Contact Numbers: Complete 2025 Support Guide
Avatar for danielconkling870 lufthanahelpsupport
0
230
Delegating the chores of authenticating users to Keycloak
Avatar for Alexander Schwartz ahus1
0
170
SREのためのeBPF活用ステップアップガイド
Avatar for Sohei Iwahori egmc
1
780

Featured

See All Featured
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
Avatar for Addy Osmani addyosmani
7
740
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
281
13k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.5k
Understanding Cognitive Biases in Performance Measurement
Avatar for Philip Tellis bluesmoon
29
1.8k
The Art of Delivering Value - GDevCon NA Keynote
Avatar for David Neal reverentgeek
15
1.6k
A Modern Web Designer's Workflow
Avatar for Chris Coyier chriscoyier
695
190k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
36
2.8k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
32
2.4k
Fantastic passwords and where to find them - at NoRuKo
Avatar for Phil Nash philnash
51
3.3k
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
179
9.8k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
53
2.9k
Imperfection Machines: The Place of Print at Facebook
Avatar for Scott Boms scottboms
267
13k

Transcript

  1. PHP modern & secure

  2. Who is this guy? Ben Edmunds ! @benedmunds http://benedmunds.com

  3. Who is this guy? Ben Edmunds ! Open Source Author

    PHP Town Hall Podcast CTO at Mindfulware

  4. Welcome to the Future

  5. Welcome to the Future Exceptions Namespaces Closures

  6. Welcome to the Future Statics PDO Short Arrays Security

  7. Legit Tools

  8. Legit Tools Built-in Server Unit Testing Composer

  9. Welcome to! the Future

  10. Great Scott!

  11. Exceptions

  12. None

  13. Exceptions try { //your code goes here } catch (Exception

    $e) { die($e->getMessage()); }

  14. Exceptions try { //your code goes here } catch (Exception

    $e) { die($e->getMessage()); }

  15. Closures

  16. None

  17. Closures Route::get(‘/', function(){ return View::make(‘index'); ! });

  18. Closures Route::get(‘/', function(){ return View::make(‘index'); ! });

  19. Namespaces

  20. None

  21. Namespaces namespace Illuminate\Console; class Command { //…

  22. Namespaces use Illuminate\Console\Command; namespace Illuminate\Console; class Command { //…

  23. Namespaces use Illuminate\Console\Command; namespace Illuminate\Console; class Command { //…

  24. Statics

  25. None

  26. Statics Class Route { public static function get() { //…

    }

  27. Statics Route::get(); Class Route { public static function get() {

    //… }

  28. Statics Route::get(); Class Route { public static function get() {

    //… }

  29. Statics NO $this $var = self::varAtDefinition; ! $var = static::varAtExec;

  30. Short Array! Syntax

  31. None

  32. Short Array Syntax $array = array( 0 => ‘value1’, 1

    => ‘value2’, );

  33. Short Array Syntax $array = [ 0 => ‘value1’, 1

    => ‘value2’, ];

  34. Short Array Syntax $array = [ 0 => ‘value1’, 1

    => ‘value2’, ];

  35. PDO

  36. None

  37. PDO Cross System

  38. PDO Cross System MS SQL MySQL Oracle PostgreSQL SQLite CUBRID

    Firebird Informix ODBC & DB2 4D

  39. PDO Cross System Safe Binding

  40. PDO $stmt = $db->prepare(‘ SELECT * FROM users WHERE id=:id

    ’); ! $stmt->bindParam(‘:id’, $id); $stmt->execute();

  41. Security

  42. Security SQL Injection HTTPS Password Hashing

  43. Security Authentication Safe Defaults XSS & CSRF

  44. None

  45. Security //escaping input $stmt->bindParam(‘:id’, $id);

  46. Security //escaping input $stmt->bindParam(‘:id’, $id); //escaping output htmlentities($_POST[‘name’]);

  47. Security HTTPS / SSL ! Encrypts traffic across the wire

    ! Trusted sender and receiver ! Required by OAUTH 2

  48. Security //authentication - access control if (!$user->inGroup(‘admin’)) { return ‘ERROR

    YO’; }

  49. Security //authentication - brute force if ($user->loginAttempts > 5) {

    return ‘CAUGHT YA’; }

  50. Security //safe password hashing password_hash($_POST['pass']);

  51. Security //safe password hashing password_hash($_POST['pass']); //password verification password_verify($_POST['pass'], $u->pass);

  52. Security //safe defaults class Your Controller { protected $var1 =

    ‘default value’; ! function __construct() { … } }

  53. Security //safe defaults $something = false; ! foreach ($array as

    $k => $v) { $something = $v->foo; if ($something == ‘bar’) { … } }

  54. Security //Non-Persistent XSS ! http://www.yourSite.com/ ?page_num=2&per_page=50 ! Send the link

    to someone, boom

  55. Security //Persistent XSS ! Same idea, except with data that

    is saved to the server and re-displayed

  56. Security //XSS Protection ! <h1>Title</h1> Hello <?=htmlentities($name)?> ! !

  57. Security //Cross Site Request Forgery //(CSRF) ! http://yourSite.com/ users/12/delete !

    !

  58. Security //CSRF Protection ! POST / PUT / UPDATE /

    DELETE behind forms with one-time use tokens ! !

  59. Security //CSRF Protection ! function generateCsrf() { $token = mcrypt_create_iv(

    16, MCRYPT_DEV_URANDOM); Session::flash('csrfToken', $token); return $token; }

  60. Security //CSRF Protection ! if ( $_POST['token'] == Session::get(‘csrfToken') )

    { … } !

  61. Legit Tools

  62. None

  63. Built-in ! Web Server

  64. Built-in Server $ php -S localhost:8000 ! PHP 5.4.0 Development

    Server started… Listening on localhost:8000 Document root is /home/ben/htdocs Press Ctrl-C to quit

  65. Composer

  66. Another Package Manager!?

  67. Composer Sane Package Management

  68. Composer Autoloading

  69. Composer PEAR, ha! packagist.org

  70. Composer / composer.json ! { "require": { "stripe/stripe-php": "dev-master", "twilio/sdk":

    "dev-master" } }

  71. Composer $ php composer.phar update $ php composer.phar install

  72. Composer $client = new Services_Twilio($sid, $tkn); ! $client->account ->messages ->sendMessage(…)

  73. Unit Testing

  74. None

  75. Unit Testing PHPUnit Behat Mink Selenium CodeCeption PHPSpec

  76. Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { ! public function

    testVerify() { ! $auth = new apiAuth(); $this->assertTrue($auth->verify());

  77. Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { ! public function

    testVerify() { ! $auth = new apiAuth(); $this->assertTrue($auth->verify());

  78. Unit Testing $ phpunit tests ! PHPUnit 3.3.17 by Sebastian

    Bergmann. Time: 0.01 seconds OK (1 tests, 1 assertions)

  79. Resources

  80. None

  81. Resources PHP.net

  82. Resources Modern Frameworks Laravel Symfony2 Fuel PHP SlimPHP 2 Aura

    for PHP Silex

  83. Resources leanpub.com/ phptherightway PHPtheRightWay.com

  84. Resources BuildSecurePHPapps.com Coupon Code: codementor $3 off http://buildsecurephpapps.com/?coupon=codementor

  85. Q/A TIME! Ben Edmunds @benedmunds http://benedmunds.com http://buildsecurephpapps.com/?coupon=codementor