Upgrade to Pro — share decks privately, control downloads, hide ads and more …

PHPNE 2014 - Modern and Secure PHP

Ben Edmunds
September 07, 2014
Technology
1
290

PHPNE 2014 - Modern and Secure PHP

This is not the PHP of old. Learn what's changed in the PHP world over the last few years. Classes, objects, statics, traits, unit testing, composer, password hashing; it's a whole new ballgame.

Learn what has changed in the PHP world over the last several years. We'll cover
The newest PHP language features.
Community efforts such as the PHP Framework Interoperability Group, Composer, and PHP the Right Way.
How to secure your application using up to date techniques.

Ben Edmunds

September 07, 2014
Tweet

More Decks by Ben Edmunds

See All by Ben Edmunds
Longhorn PHP 2021 - Passing the Technical Interview Workshop
benedmunds
0
55
DevOpsDays Boston 2020 - Passing the Technical Interview
benedmunds
0
38
Midwest PHP 2020 - Web Scale System Design and Architecture
benedmunds
1
70
Modern and Secure PHP (SoutheastPHP 2018)
benedmunds
0
65
Level Up Your Career - PHP South Africa Keynote
benedmunds
0
600
Modern PHP, Standards, and Community (phpDay 2017)
benedmunds
1
510
Lone Star PHP 2017 - More Than Just a Hammer
benedmunds
0
350
Lone Star PHP 2017 - Your API is Bad and You Should Feel Bad
benedmunds
0
140
Intro to Laravel 5
benedmunds
1
400

Other Decks in Technology

See All in Technology
RedMica 2.3 (2023-05) 新機能ハイライト およびRedmineの2023年5月までの半年間の主要な開発成果
vividtone
0
330
APIによるレガシーシステムの改善
techtekt
0
190
データマイニングと機械学習 - ニューラルネットワーク
trycycle
0
170
WWDC「間」を復習しよう
line_developers
PRO
0
420
Web Intelligence and Visual Media Analytics
weblyzard
PRO
1
3.3k
k6による負荷試験 入門から実践まで
fujiwara3
3
1.2k
Go1.20からサポートされるtree構造のerrの紹介と、treeを考慮した複数マッチができるライブラリを作った話/introduction of tree structure err added since go 1_20
convto
0
230
Romi チームの OpenSearchのコスト最適化事例

mixi_engineers
PRO
0
240
Princess APIのAPIクライアントをTypeScriptで作ってnpmで公開してみた
ohmori_yusuke
1
560
dx_osarai_about_connection
hatahata021
0
440
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
1
2.7k
JBM: General JVM blocking monitor powered by eBPF and async-profiler
line_developers
PRO
1
110

Featured

See All Featured
Ruby is Unlike a Banana
tanoku
93
9.7k
Bootstrapping a Software Product
garrettdimon
PRO
299
110k
Code Reviewing Like a Champion
maltzj
508
38k
A Tale of Four Properties
chriscoyier
149
21k
BBQ
matthewcrist
75
8.3k
Gamification - CAS2011
davidbonilla
75
4.2k
Rebuilding a faster, lazier Slack
samanthasiow
70
7.7k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
110
17k
Raft: Consensus for Rubyists
vanstee
130
5.8k
Practical Orchestrator
shlominoach
179
9.2k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
239
19k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
35
9.7k

Transcript

  1. PHP
    modern
    & secure

    View Slide

  2. Who is this guy?
    Ben Edmunds

    !
    @benedmunds

    http://benedmunds.com

    View Slide

  3. Who is this guy?
    Ben Edmunds

    !
    Open Source

    Author

    PHP Town Hall Podcast

    CTO at Mindfulware

    View Slide

  4. Welcome to
    the Future

    View Slide

  5. Welcome to the Future
    Exceptions
    Namespaces
    Closures

    View Slide

  6. Welcome to the Future
    Statics
    PDO
    Short Arrays
    Security

    View Slide

  7. Legit Tools

    View Slide

  8. Legit Tools
    Built-in Server
    Unit Testing
    Composer

    View Slide

  9. Welcome to!
    the Future

    View Slide

  10. Great Scott!

    View Slide

  11. Exceptions

    View Slide

  12. View Slide

  13. Exceptions
    try {

    //your code goes here

    }

    catch (Exception $e) {

    die($e->getMessage());

    }

    View Slide

  14. Exceptions
    try {

    //your code goes here

    }

    catch (Exception $e) {

    die($e->getMessage());

    }

    View Slide

  15. Closures

    View Slide

  16. View Slide

  17. Closures
    Route::get(‘/', function(){



    return View::make(‘index');

    !
    });

    View Slide

  18. Closures
    Route::get(‘/', function(){



    return View::make(‘index');

    !
    });

    View Slide

  19. Namespaces

    View Slide

  20. View Slide

  21. Namespaces
    namespace Illuminate\Console;

    class Command

    {

    //…

    View Slide

  22. Namespaces
    use Illuminate\Console\Command;
    namespace Illuminate\Console;

    class Command

    {

    //…

    View Slide

  23. Namespaces
    use Illuminate\Console\Command;
    namespace Illuminate\Console;

    class Command

    {

    //…

    View Slide

  24. Statics

    View Slide

  25. View Slide

  26. Statics
    Class Route {

    public static function get() {

    //…

    }

    View Slide

  27. Statics
    Route::get();
    Class Route {

    public static function get() {

    //…

    }

    View Slide

  28. Statics
    Route::get();
    Class Route {

    public static function get() {

    //…

    }

    View Slide

  29. Statics
    NO $this



    $var = self::varAtDefinition;

    !
    $var = static::varAtExec;

    View Slide

  30. Short Array!
    Syntax

    View Slide

  31. View Slide

  32. Short Array Syntax
    $array = array(

    0 => ‘value1’,

    1 => ‘value2’,

    );

    View Slide

  33. Short Array Syntax
    $array = [

    0 => ‘value1’,

    1 => ‘value2’,

    ];

    View Slide

  34. Short Array Syntax
    $array = [

    0 => ‘value1’,

    1 => ‘value2’,

    ];

    View Slide

  35. Traits

    View Slide

  36. Traits
    // grouping without

    // strict inheritance

    trait baseUser {

    function getName() {

    return ‘Jon Snow’;

    }

    }

    View Slide

  37. Traits
    class adminUser {

    use baseUser;

    }

    View Slide

  38. Traits
    $adminUser = new adminUser;

    !
    echo $adminUser->getName();

    !
    //output = ‘Jon Snow’

    View Slide

  39. PDO

    View Slide

  40. View Slide

  41. PDO
    Cross System

    View Slide

  42. PDO
    Cross System
    MS SQL

    MySQL

    Oracle

    PostgreSQL

    SQLite
    CUBRID

    Firebird

    Informix

    ODBC & DB2

    4D

    View Slide

  43. PDO
    Cross System
    Safe Binding

    View Slide

  44. PDO
    $stmt = $db->prepare(‘

    SELECT * FROM users

    WHERE id=:id

    ’);

    !
    $stmt->bindParam(‘:id’, $id);

    $stmt->execute();

    View Slide

  45. Security

    View Slide

  46. Security
    SQL Injection
    HTTPS
    Password Hashing

    View Slide

  47. Security
    Authentication
    Safe Defaults
    XSS & CSRF

    View Slide

  48. View Slide

  49. Security
    //escaping input

    $stmt->bindParam(‘:id’, $id);

    View Slide

  50. Security
    //escaping input

    $stmt->bindParam(‘:id’, $id);
    //escaping output

    htmlentities($_POST[‘name’]);

    View Slide

  51. Security
    HTTPS / SSL

    !
    Encrypts traffic across the wire

    !
    Trusted sender and receiver

    !
    Required by OAUTH 2

    View Slide

  52. Security
    //authentication - access control

    if (!$user->inGroup(‘admin’)) {

    return ‘ERROR YO’;

    }

    View Slide

  53. Security
    //authentication - brute force

    if ($user->loginAttempts > 5) {

    return ‘CAUGHT YA’;

    }

    View Slide

  54. Security
    //safe password hashing

    password_hash($_POST['pass']);

    View Slide

  55. Security
    //safe password hashing

    password_hash($_POST['pass']);
    //password verification

    password_verify($_POST['pass'], $u->pass);

    View Slide

  56. Security
    //safe defaults

    class Your Controller {

    protected $var1 = ‘default value’;

    !
    function __construct() { … }

    }

    View Slide

  57. Security
    //safe defaults

    $something = false;

    !
    foreach ($array as $k => $v) {

    $something = $v->foo;

    if ($something == ‘bar’) { … }

    }

    View Slide

  58. Security
    //Non-Persistent XSS

    !
    http://www.yourSite.com/

    ?page_num=2&per_page=50

    !
    Send the link to someone, boom


    View Slide

  59. Security
    //Persistent XSS

    !
    Same idea, except with data that is
    saved to the server and

    re-displayed


    View Slide

  60. Security
    //XSS Protection

    !
    Title

    Hello =htmlentities($name)?>

    !
    !

    View Slide

  61. Security
    //Cross Site Request Forgery

    //(CSRF)

    !
    http://yourSite.com/

    users/12/delete

    !
    !

    View Slide

  62. Security
    //CSRF Protection

    !
    POST / PUT / UPDATE / DELETE

    behind forms with one-time use
    tokens

    !
    !

    View Slide

  63. Security
    //CSRF Protection

    !
    function generateCsrf() {

    $token = mcrypt_create_iv(

    16, MCRYPT_DEV_URANDOM);

    Session::flash('csrfToken', $token);

    return $token;

    }

    View Slide

  64. Security
    //CSRF Protection

    !
    if (

    $_POST['token'] == Session::get(‘csrfToken')

    ) { … }

    !

    View Slide

  65. Legit Tools

    View Slide

  66. View Slide

  67. Built-in !
    Web Server

    View Slide

  68. Built-in Server
    $ php -S localhost:8000

    !
    PHP 5.4.0 Development Server started…
    Listening on localhost:8000

    Document root is /home/ben/htdocs

    Press Ctrl-C to quit

    View Slide

  69. Composer

    View Slide

  70. Another
    Package Manager!?

    View Slide

  71. Composer
    Sane Package

    Management

    View Slide

  72. Composer
    Autoloading

    View Slide

  73. Composer
    PEAR, ha!
    packagist.org

    View Slide

  74. Composer
    / composer.json

    !
    {

    "require": {

    "stripe/stripe-php": "dev-master",

    "twilio/sdk": "dev-master"

    }

    }

    View Slide

  75. Composer
    $ php composer.phar update
    $ php composer.phar install

    View Slide

  76. Composer
    $client =

    new Services_Twilio($sid, $tkn);
    !
    $client->account

    ->messages

    ->sendMessage(…)

    View Slide

  77. Unit Testing

    View Slide

  78. View Slide

  79. Unit Testing
    PHPUnit

    Behat

    Mink
    Selenium

    CodeCeption

    PHPSpec

    View Slide

  80. Unit Testing
    class ApiAuthTest extends PHPUnit_Framework_TestCase {

    !
    public function testVerify() {

    !
    $auth = new apiAuth();



    $this->assertTrue($auth->verify());

    View Slide

  81. Unit Testing
    class ApiAuthTest extends PHPUnit_Framework_TestCase {

    !
    public function testVerify() {

    !
    $auth = new apiAuth();



    $this->assertTrue($auth->verify());

    View Slide

  82. Unit Testing
    $ phpunit tests

    !
    PHPUnit 3.3.17 by Sebastian Bergmann.

    Time: 0.01 seconds

    OK (1 tests, 1 assertions)

    View Slide

  83. Resources

    View Slide

  84. View Slide

  85. Resources
    PHP.net

    View Slide

  86. Resources
    Modern Frameworks
    Laravel

    Symfony2

    Fuel PHP
    SlimPHP 2

    Aura for PHP

    Silex

    View Slide

  87. Resources
    leanpub.com/

    phptherightway
    PHPtheRightWay.com

    View Slide

  88. Resources
    BuildSecurePHPapps.com
    Coupon Code:

    nephp
    $3 off
    http://buildsecurephpapps.com/?coupon=nephp

    View Slide

  89. Q/A TIME!
    Ben Edmunds

    @benedmunds

    http://benedmunds.com
    http://buildsecurephpapps.com/?coupon=nephp

    View Slide