Modern & Secure PHP Applications

Transcript

1. PHP modern & secure

2. Who is this guy? Ben Edmunds ! @benedmunds http://benedmunds.com

3. Who is this guy? Ben Edmunds ! Open Source Author

   PHP Town Hall Podcast CTO at Mindfulware

4. Welcome to the Future

5. Welcome to the Future Exceptions Namespaces Closures

6. Welcome to the Future Statics PDO Short Arrays Security

7. Legit Tools

8. Legit Tools Built-in Server Unit Testing Composer

9. Welcome to! the Future

10. Great Scott!

11. Exceptions

12. None

13. Exceptions try { //your code goes here } catch (Exception

    $e) { die($e->getMessage()); }

14. Exceptions try { //your code goes here } catch (Exception

    $e) { die($e->getMessage()); }

15. Closures

16. None

17. Closures Route::get(‘/', function(){ return View::make(‘index'); ! });

18. Closures Route::get(‘/', function(){ return View::make(‘index'); ! });

19. Namespaces

20. None

21. Namespaces namespace Illuminate\Console; class Command { //…

22. Namespaces use Illuminate\Console\Command; namespace Illuminate\Console; class Command { //…

23. Namespaces use Illuminate\Console\Command; namespace Illuminate\Console; class Command { //…

24. Statics

25. None

26. Statics Class Route { public static function get() { //…

    }

27. Statics Route::get(); Class Route { public static function get() {

    //… }

28. Statics Route::get(); Class Route { public static function get() {

    //… }

29. Statics NO $this $var = self::varAtDefinition; ! $var = static::varAtExec;

30. Short Array! Syntax

31. None

32. Short Array Syntax $array = array( 0 => ‘value1’, 1

    => ‘value2’, );

33. Short Array Syntax $array = [ 0 => ‘value1’, 1

    => ‘value2’, ];

34. Short Array Syntax $array = [ 0 => ‘value1’, 1

    => ‘value2’, ];

35. PDO

36. None

37. PDO Cross System

38. PDO Cross System MS SQL MySQL Oracle PostgreSQL SQLite CUBRID

    Firebird Informix ODBC & DB2 4D

39. PDO Cross System Safe Binding

40. PDO $stmt = $db->prepare(‘ SELECT * FROM users WHERE id=:id

    ’); ! $stmt->bindParam(‘:id’, $id); $stmt->execute();

41. Security

42. Security SQL Injection HTTPS Password Hashing

43. Security Authentication Safe Defaults XSS & CSRF

44. None

45. Security //escaping input $stmt->bindParam(‘:id’, $id);

46. Security //escaping input $stmt->bindParam(‘:id’, $id); //escaping output htmlentities($_POST[‘name’]);

47. Security HTTPS / SSL ! Encrypts traffic across the wire

    ! Trusted sender and receiver ! Required by OAUTH 2

48. Security //authentication - access control if (!$user->inGroup(‘admin’)) { return ‘ERROR

    YO’; }

49. Security //authentication - brute force if ($user->loginAttempts > 5) {

    return ‘CAUGHT YA’; }

50. Security //safe password hashing password_hash($_POST['pass']);

51. Security //safe password hashing password_hash($_POST['pass']); //password verification password_verify($_POST['pass'], $u->pass);

52. Security //safe defaults class Your Controller { protected $var1 =

    ‘default value’; ! function __construct() { … } }

53. Security //safe defaults $something = false; ! foreach ($array as

    $k => $v) { $something = $v->foo; if ($something == ‘bar’) { … } }

54. Security //Non-Persistent XSS ! http://www.yourSite.com/ ?page_num=2&per_page=50 ! Send the link

    to someone, boom

55. Security //Persistent XSS ! Same idea, except with data that

    is saved to the server and re-displayed

56. Security //XSS Protection ! <h1>Title</h1> Hello <?=htmlentities($name)?> ! !

57. Security //Cross Site Request Forgery //(CSRF) ! http://yourSite.com/ users/12/delete !

    !

58. Security //CSRF Protection ! POST / PUT / UPDATE /

    DELETE behind forms with one-time use tokens ! !

59. Security //CSRF Protection ! function generateCsrf() { $token = mcrypt_create_iv(

    16, MCRYPT_DEV_URANDOM); Session::flash('csrfToken', $token); return $token; }

60. Security //CSRF Protection ! if ( $_POST['token'] == Session::get(‘csrfToken') )

    { … } !

61. Legit Tools

62. None

63. Built-in ! Web Server

64. Built-in Server $ php -S localhost:8000 ! PHP 5.4.0 Development

    Server started… Listening on localhost:8000 Document root is /home/ben/htdocs Press Ctrl-C to quit

65. Composer

66. Another Package Manager!?

67. Composer Sane Package Management

68. Composer Autoloading

69. Composer PEAR, ha! packagist.org

70. Composer / composer.json ! { "require": { "stripe/stripe-php": "dev-master", "twilio/sdk":

    "dev-master" } }

71. Composer $ php composer.phar update $ php composer.phar install

72. Composer $client = new Services_Twilio($sid, $tkn); ! $client->account ->messages ->sendMessage(…)

73. Unit Testing

74. None

75. Unit Testing PHPUnit Behat Mink Selenium CodeCeption PHPSpec

76. Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { ! public function

    testVerify() { ! $auth = new apiAuth(); $this->assertTrue($auth->verify());

77. Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { ! public function

    testVerify() { ! $auth = new apiAuth(); $this->assertTrue($auth->verify());

78. Unit Testing $ phpunit tests ! PHPUnit 3.3.17 by Sebastian

    Bergmann. Time: 0.01 seconds OK (1 tests, 1 assertions)

79. Resources

80. None

81. Resources PHP.net

82. Resources Modern Frameworks Laravel Symfony2 Fuel PHP SlimPHP 2 Aura

    for PHP Silex

83. Resources leanpub.com/ phptherightway PHPtheRightWay.com

84. Resources BuildSecurePHPapps.com Coupon Code: codementor $3 off http://buildsecurephpapps.com/?coupon=codementor

85. Q/A TIME! Ben Edmunds @benedmunds http://benedmunds.com http://buildsecurephpapps.com/?coupon=codementor