Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Modern & Secure PHP Applications
Search
Ben Edmunds
August 12, 2014
Technology
2
110
Modern & Secure PHP Applications
What's new in PHP along with a focus on building secure apps. Presented on CodeMentor 08/12/2014.
Ben Edmunds
August 12, 2014
Tweet
Share
More Decks by Ben Edmunds
See All by Ben Edmunds
Longhorn PHP 2021 - Passing the Technical Interview Workshop
benedmunds
0
120
DevOpsDays Boston 2020 - Passing the Technical Interview
benedmunds
0
62
Midwest PHP 2020 - Web Scale System Design and Architecture
benedmunds
1
140
Modern and Secure PHP (SoutheastPHP 2018)
benedmunds
0
98
Level Up Your Career - PHP South Africa Keynote
benedmunds
0
860
Modern PHP, Standards, and Community (phpDay 2017)
benedmunds
1
840
Lone Star PHP 2017 - More Than Just a Hammer
benedmunds
0
500
Lone Star PHP 2017 - Your API is Bad and You Should Feel Bad
benedmunds
0
220
Intro to Laravel 5
benedmunds
1
490
Other Decks in Technology
See All in Technology
第64回コンピュータビジョン勉強会「The PanAf-FGBG Dataset: Understanding the Impact of Backgrounds in Wildlife Behaviour Recognition」
x_ttyszk
0
130
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
10
130k
助けて! XからWaylandに移行しないと新しいGNOMEが使えなくなっちゃう 2025-07-12
nobutomurata
2
130
事例で学ぶ!B2B SaaSにおけるSREの実践例/SRE for B2B SaaS: A Real-World Case Study
bitkey
1
270
対話型音声AIアプリケーションの信頼性向上の取り組み
ivry_presentationmaterials
1
600
60以上のプロダクトを持つ組織における開発者体験向上への取り組み - チームAPIとBackstageで構築する組織の可視化基盤 - / sre next 2025 Efforts to Improve Developer Experience in an Organization with Over 60 Products
vtryo
2
630
DatabricksにOLTPデータベース『Lakebase』がやってきた!
inoutk
0
150
ソフトウェアテストのAI活用_ver1.25
fumisuke
1
510
Enhancing SaaS Product Reliability and Release Velocity through Optimized Testing Approach
ropqa
1
250
Lufthansa ®️ USA Contact Numbers: Complete 2025 Support Guide
lufthanahelpsupport
0
230
Delegating the chores of authenticating users to Keycloak
ahus1
0
170
SREのためのeBPF活用ステップアップガイド
egmc
1
780
Featured
See All Featured
Chrome DevTools: State of the Union 2024 - Debugging React & Beyond
addyosmani
7
740
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
281
13k
The Cult of Friendly URLs
andyhume
79
6.5k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.8k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.6k
A Modern Web Designer's Workflow
chriscoyier
695
190k
Build The Right Thing And Hit Your Dates
maggiecrowley
36
2.8k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.4k
Fantastic passwords and where to find them - at NoRuKo
philnash
51
3.3k
For a Future-Friendly Web
brad_frost
179
9.8k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.9k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Transcript
PHP modern & secure
Who is this guy? Ben Edmunds ! @benedmunds http://benedmunds.com
Who is this guy? Ben Edmunds ! Open Source Author
PHP Town Hall Podcast CTO at Mindfulware
Welcome to the Future
Welcome to the Future Exceptions Namespaces Closures
Welcome to the Future Statics PDO Short Arrays Security
Legit Tools
Legit Tools Built-in Server Unit Testing Composer
Welcome to! the Future
Great Scott!
Exceptions
None
Exceptions try { //your code goes here } catch (Exception
$e) { die($e->getMessage()); }
Exceptions try { //your code goes here } catch (Exception
$e) { die($e->getMessage()); }
Closures
None
Closures Route::get(‘/', function(){ return View::make(‘index'); ! });
Closures Route::get(‘/', function(){ return View::make(‘index'); ! });
Namespaces
None
Namespaces namespace Illuminate\Console; class Command { //…
Namespaces use Illuminate\Console\Command; namespace Illuminate\Console; class Command { //…
Namespaces use Illuminate\Console\Command; namespace Illuminate\Console; class Command { //…
Statics
None
Statics Class Route { public static function get() { //…
}
Statics Route::get(); Class Route { public static function get() {
//… }
Statics Route::get(); Class Route { public static function get() {
//… }
Statics NO $this $var = self::varAtDefinition; ! $var = static::varAtExec;
Short Array! Syntax
None
Short Array Syntax $array = array( 0 => ‘value1’, 1
=> ‘value2’, );
Short Array Syntax $array = [ 0 => ‘value1’, 1
=> ‘value2’, ];
Short Array Syntax $array = [ 0 => ‘value1’, 1
=> ‘value2’, ];
PDO
None
PDO Cross System
PDO Cross System MS SQL MySQL Oracle PostgreSQL SQLite CUBRID
Firebird Informix ODBC & DB2 4D
PDO Cross System Safe Binding
PDO $stmt = $db->prepare(‘ SELECT * FROM users WHERE id=:id
’); ! $stmt->bindParam(‘:id’, $id); $stmt->execute();
Security
Security SQL Injection HTTPS Password Hashing
Security Authentication Safe Defaults XSS & CSRF
None
Security //escaping input $stmt->bindParam(‘:id’, $id);
Security //escaping input $stmt->bindParam(‘:id’, $id); //escaping output htmlentities($_POST[‘name’]);
Security HTTPS / SSL ! Encrypts traffic across the wire
! Trusted sender and receiver ! Required by OAUTH 2
Security //authentication - access control if (!$user->inGroup(‘admin’)) { return ‘ERROR
YO’; }
Security //authentication - brute force if ($user->loginAttempts > 5) {
return ‘CAUGHT YA’; }
Security //safe password hashing password_hash($_POST['pass']);
Security //safe password hashing password_hash($_POST['pass']); //password verification password_verify($_POST['pass'], $u->pass);
Security //safe defaults class Your Controller { protected $var1 =
‘default value’; ! function __construct() { … } }
Security //safe defaults $something = false; ! foreach ($array as
$k => $v) { $something = $v->foo; if ($something == ‘bar’) { … } }
Security //Non-Persistent XSS ! http://www.yourSite.com/ ?page_num=2&per_page=50 ! Send the link
to someone, boom
Security //Persistent XSS ! Same idea, except with data that
is saved to the server and re-displayed
Security //XSS Protection ! <h1>Title</h1> Hello <?=htmlentities($name)?> ! !
Security //Cross Site Request Forgery //(CSRF) ! http://yourSite.com/ users/12/delete !
!
Security //CSRF Protection ! POST / PUT / UPDATE /
DELETE behind forms with one-time use tokens ! !
Security //CSRF Protection ! function generateCsrf() { $token = mcrypt_create_iv(
16, MCRYPT_DEV_URANDOM); Session::flash('csrfToken', $token); return $token; }
Security //CSRF Protection ! if ( $_POST['token'] == Session::get(‘csrfToken') )
{ … } !
Legit Tools
None
Built-in ! Web Server
Built-in Server $ php -S localhost:8000 ! PHP 5.4.0 Development
Server started… Listening on localhost:8000 Document root is /home/ben/htdocs Press Ctrl-C to quit
Composer
Another Package Manager!?
Composer Sane Package Management
Composer Autoloading
Composer PEAR, ha! packagist.org
Composer / composer.json ! { "require": { "stripe/stripe-php": "dev-master", "twilio/sdk":
"dev-master" } }
Composer $ php composer.phar update $ php composer.phar install
Composer $client = new Services_Twilio($sid, $tkn); ! $client->account ->messages ->sendMessage(…)
Unit Testing
None
Unit Testing PHPUnit Behat Mink Selenium CodeCeption PHPSpec
Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { ! public function
testVerify() { ! $auth = new apiAuth(); $this->assertTrue($auth->verify());
Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { ! public function
testVerify() { ! $auth = new apiAuth(); $this->assertTrue($auth->verify());
Unit Testing $ phpunit tests ! PHPUnit 3.3.17 by Sebastian
Bergmann. Time: 0.01 seconds OK (1 tests, 1 assertions)
Resources
None
Resources PHP.net
Resources Modern Frameworks Laravel Symfony2 Fuel PHP SlimPHP 2 Aura
for PHP Silex
Resources leanpub.com/ phptherightway PHPtheRightWay.com
Resources BuildSecurePHPapps.com Coupon Code: codementor $3 off http://buildsecurephpapps.com/?coupon=codementor
Q/A TIME! Ben Edmunds @benedmunds http://benedmunds.com http://buildsecurephpapps.com/?coupon=codementor