Modern and Secure PHP (SoutheastPHP 2018)

PHP modern & secure

Who is this guy? Ben Edmunds Open Source Author PHP
Town Hall Podcast CTO at Mindfulware

Who is this guy? Ben Edmunds @benedmunds http://benedmunds.com

Welcome to the Future

Great Scott!

Welcome to the Future PDO Closures Namespaces

Welcome to the Future Anonymous Classes Traits Interfaces

Welcome to the Future Null Coalescing Scalar Type Hints Return
Type Declarations

Welcome to the Future Variadic Functions Authentication Password Hasing

Welcome to the Future SQL Injection HTTPS

Welcome to the Future Common Hacks

Legit Tools Built-in Server Composer Unit Testing

Standards PHP-FIG PSRs

Exceptions

Exceptions try { //your code goes here } catch (Exception
$e) { die($e->getMessage()); }

Errors Exception implements Throwable Error implements Throwable

Errors try { //error thrown here } catch (Error $e)
{ die($e->getMessage()); }

Errors try { //error thrown here } catch (Error $e)
{ die($e->getMessage()); } catch (Exception $e) { die($e->getMessage()); }

Errors try { //err or excpt thrown here } catch
(Throwable $t) { die($t->getMessage()); }

Errors try { //error or excpt thrown here } catch
(Error | Exception $e) { die($e->getMessage()); }

Namespaces

Namespaces namespace Illuminate\Console; class Command { //…

Namespaces use Illuminate\Console\Command; namespace Illuminate\Console; class Command { //…

PDO Cross System Safe Binding

PDO $stmt = $db->prepare(‘ SELECT * FROM users WHERE id=:id
’); $stmt->bindParam(‘:id’, $id); $stmt->execute();

Traits

Traits // grouping without // strict inheritance trait baseUser {
function getName() { return ‘Jon Snow’; } }

Traits class adminUser { use baseUser; }

Traits $adminUser = new adminUser; echo $adminUser->getName(); //output = ‘Jon
Snow’

Traits trait Loggable { function log($msg) { echo $msg; }
}

Traits class Post { function get($id) { return $this->db->get($id); }
}

Traits class Post { use Loggable; function get($id) { $this->log('Getting
post ' . $id); return $this->db->get($id); } }

Traits $postModel = new Post; $myPost = $postModel->get(1); //output =
‘Getting post 1’

Traits class Post extends Model { use SoftDeletes; }

Interfaces

Interface Class myLogger { public function log($msg) { echo $msg;
} }

Interface interface Logger { public function log($msg); }

Interface Class myLogger implements Logger { public function log($msg) {
echo $msg; } }

Closures

Closures Route::get(‘/', function(){ return View::make(‘index'); });

Closures $input = [1, 2, 3, 4, 5, 6, 7,
8]; $output = array_ﬁlter($input, function($v){ return $v > 5; }); // [6,7,8]

Closures $input = [1, 2, 3, 4, 5, 6, 7,
8]; $output = array_map(function($n){ return number_format($n * 10, 2) . '%'; }, array_ﬁlter($input, function($v){ return $v > 5; })); // ['60.00%', '70.00%', '80.00%']

Anonymous Classes

Anonymous Classes trait Loggable { function log($msg) { echo $msg;
} }

Anonymous Classes interface Logger { public function log($msg); }

Anonymous Classes trait Loggable { protected $logger; function setLogger(Logger $logger)
{ $this->logger = $logger; } function log($msg) { $this->logger->log($msg); } }

Anonymous Classes class Post { use Loggable; } $post =
new Post;

Anonymous Classes class Post { use Loggable; } $post =
new Post; $post->setLogger( new class implements Logger { public function log($msg) { echo date('m/d G:i') . ': ' .$msg; } });

Anonymous Classes $postModel = new Post; $myPost = $postModel->get(1); //output
= ‘09/08 16:20: Getting post 1’

Null Coalescing Operator

Null Coalescing $val = isset($_GET[‘val’]) ? $_GET[‘val’] : 'default';

Null Coalescing $val = $_GET['val'] ?? 'default';

Types!

Scalar Type Hinting

Types declare(strict_types=1); function addNums(ﬂoat $a, ﬂoat $b) { return $a
+ $b; }

Types declare(strict_types=1); function addNums(float $a, float $b) { return $a
+ $b; } addNums(2, "1 week"); // Fatal error: Uncaught TypeError: Argument 2 passed to addNums() must be of the type float, string given

Types function addNums(float $a, float $b) addNums(2, "1 week”); //
Fatal error: Uncaught TypeError: Argument 2 passed to addNums() must be of the type float, string given

Types try { addNums(2, "1 week”); } catch(TypeError $e) {}

Types try { addNums(2, 1); } catch(TypeError $e) {} //3

Types class/interface array callable bool ﬂoat int string object

Return Type Declarations

Types function addNums(ﬂoat $a, ﬂoat $b) : int { return
$a + $b; }

Types function addNums($a, $b) : int { return $a +
$b; } addNums(1.5, 1); // Fatal error: Uncaught TypeError: Return value of addNums() must be of the type integer, ﬂoat returned

Types function addNums(ﬂoat $a, ?ﬂoat $b) : int { return
$a + $b??0; } addNums(1, null); // int(1)

Types function addNums(ﬂoat $a, ?ﬂoat $b) : ?int { return
$a + $b??0; } addNums(1, null); // int(1)

Types public function log($msg) : void { Logger::write($msg); }

Variadic Functions

Scalar Types function addNums(ﬂoat $a, ﬂoat $b) : int {
return $a + $b; }

Variadic Functions function addNums(...$numbers) : int { return array_sum($numbers); }
addNums(1, 2, 3, 4); // int(10)

Variadic Functions function addNums(ﬂoat …$numbers) : int { return array_sum($numbers);
} addNums(1, 2, 3, 4); // int(10)

Security

HTTPS Encrypts traﬃc across the wire Trusted send and receiver
Required by OAUTH 2

HTTPS https://letsencrypt.org/

Authentication

Security //authentication - access control if (!$user->inGroup(‘admin’)) { return ‘ERROR
YO’; }

Security //authentication - brute force if ($user->loginAttempts > 5) {
return ‘CAUGHT YA’; }

Passwords

Passwords //safe password hashing password_hash($_POST['pass'], ALGO);

Passwords //safe password hashing password_hash($_POST['pass'], ALGO); //password veriﬁcation password_verify($_POST['pass'], $u->pass);

Passwords //safe password hashing password_hash($_POST['pass'], ALGO); //password veriﬁcation password_verify($_POST['pass'], $u->pass);
//password rehashing password_needs_rehash($u->pass, ALGO);

Passwords if (password_verify($_POST['pass'], $u->pass)) { if (password_needs_rehash( $u->pass, PASSWORD_DEFAULT ))
{ $u->pass = password_hash( $_POST['pass'], PASSWORD_DEFAULT ); $u->save();

Safe Defaults

Security //safe defaults class Your Controller { protected $var1 =
‘default value’; function __construct() { … } }

Security //safe defaults $something = false; foreach ($array as $k
=> $v) { $something = $v->foo; if ($something == ‘bar’) { … } }

Security function addNums(ﬂoat $a, ﬂoat $b) : int { return
$a + $b; } $something = []; foreach ($array as $v) { $something[] = addNums($v[0], $v[1]) }

Common Hacks

Security //Non-Persistent XSS http://www.yourSite.com/ ?page_num=2&per_page=50 Send the link to someone,
boom

Security //Persistent XSS Same idea, except with data that is
saved to the server and re-displayed

Security //escaping input $stmt->bindParam(‘:id’, $id);

Security //escaping input $stmt->bindParam(‘:id’, $id); //escaping output htmlentities($_POST[‘name’]);

Security //escaping input Class myModel extend Model { function save($id)
{ $stmt = $this->query->insert(); $stmt->bindParam(‘:id’, $id); $stmt->execute(); } }

Security //escaping output <h1>Title</h1> Hello <?=htmlentities($name)?>

Security //Cross Site Request Forgery //(CSRF) http://yourSite.com/ users/12/delete

Security //CSRF Protection POST / PUT / UPDATE / DELETE
behind forms with one-time use tokens

Security //CSRF Protection function generateCsrf() { $token = mcrypt_create_iv( 16,
MCRYPT_DEV_URANDOM); Session::ﬂash('csrfToken', $token); return $token; }

Security //CSRF Protection function generateCsrf() { $token = bin2hex(random_bytes(16)); Session::ﬂash('csrfToken',
$token); return $token; }

Security //CSRF Protection if ( $_POST['token'] == Session::get(‘csrfToken') ) {
… }

Legit Tools

Built-in Web Server

Built-in Server $ php -S localhost:8000 PHP 5.7.0 Development Server
started… Listening on localhost:8000 Document root is /home/ben/htdocs Press Ctrl-C to quit

Composer

Another Package Manager!?

Composer Sane Package Management Autoloading via PSR4

Composer / composer.json { "require": { "stripe/stripe-php": "dev-master", "twilio/sdk": "dev-master"
} }

Composer $ php composer.phar install -> composer.lock

Composer $ php composer.phar install -> composer.lock Commit it ^

Composer $ php composer.phar install /composer.lock

Composer $ php composer.phar update /composer.json

Composer $client = new Services_Twilio($sid, $tkn); $client->account ->messages ->sendMessage(…)

Unit Testing

Unit Testing PHPUnit Behat Mink Selenium CodeCeption PHPSpec

Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { public function testVerify()
{ $auth = new apiAuth(); $this->assertTrue($auth->verify());

Unit Testing $ phpunit tests PHPUnit 3.3.17 by Sebastian Bergmann.
Time: 0.01 seconds OK (1 tests, 1 assertions)

Standards

Standards PHP-FIG Framework Interop Group

Standards Member Projects Zend Symfony CakePHP Magento Joomla Drupal

Standards PSRs PHP Standards Recommendation

Standards PSRs Autoloading Interfaces Style Guides

Standards PSRs PSR-4: Autoloading PSR-1: Basic Coding Standards PSR-2: Coding
Style Guide PSR-7: HTTP Message Interface PSR-6: Caching Interface PSR-3: Logger Interface

Resources

Resources PHP.net

Resources Modern Frameworks Laravel Symfony2 SlimPHP Cake PHP

Resources leanpub.com/ phptherightway PHPtheRightWay.com

Resources Give Me $$$ SecuringPhpApps.com SecuringNodeApps.com

Q/A TIME! https://joind.in/talk/83929 Ben Edmunds @benedmunds

Modern and Secure PHP (SoutheastPHP 2018)

Modern and Secure PHP (SoutheastPHP 2018)

More Decks by Ben Edmunds

Other Decks in Technology

Featured

Transcript