
PHPNE 2014 - Modern and Secure PHP

Ben Edmunds
September 07, 2014

This is not the PHP of old. Learn what's changed in the PHP world over the last few years. Classes, objects, statics, traits, unit testing, composer, password hashing; it's a whole new ballgame.

Learn what has changed in the PHP world over the last several years. We'll cover:
- The newest PHP language features.
- Community efforts such as the PHP Framework Interoperability Group, Composer, and PHP the Right Way.
- How to secure your application using up-to-date techniques.

Transcript

  1. PHP: modern & secure

  2. Who is this guy?
    Ben Edmunds
    @benedmunds
    http://benedmunds.com

  3. Who is this guy?
    Ben Edmunds
    Open Source
    Author
    PHP Town Hall Podcast
    CTO at Mindfulware

  4. Welcome to the Future

  5. Welcome to the Future
    Exceptions
    Namespaces
    Closures

  6. Welcome to the Future
    Statics
    PDO
    Short Arrays
    Security

  7. Legit Tools

  8. Legit Tools
    Built-in Server
    Unit Testing
    Composer

  9. Welcome to the Future

  10. Great Scott!

  11. Exceptions

  13. Exceptions
    try {
        // your code goes here
    } catch (Exception $e) {
        die($e->getMessage());
    }
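The slide shows the mechanism, but `die($e->getMessage())` sends whatever the exception carries (hostnames, DSNs, file paths) straight to the visitor. The following added example, not part of the deck, catches by type, logs the detail server-side and returns a generic message to the user. The `PaymentFailedException` class and the `chargeCard()` / `handleCheckout()` functions are constructed for the demonstration.

```php
<?php
// Added example (not from the deck): handle an exception without leaking its
// internal message to the visitor. Details go to the server log via error_log();
// the user sees a generic message.

class PaymentFailedException extends RuntimeException {}

function chargeCard($amount)
{
    if ($amount <= 0) {
        throw new InvalidArgumentException("Invalid amount: $amount");
    }
    // Constructed failure: pretend the payment gateway rejected the charge and
    // put infrastructure detail in the message, as real libraries often do.
    throw new PaymentFailedException("Gateway error: DSN=mysql://db-host/payments, code 502");
}

function handleCheckout($amount)
{
    try {
        chargeCard($amount);
        return 'Thanks, your order is on its way.';
    } catch (InvalidArgumentException $e) {
        // A client-side mistake: safe to say what went wrong, but not how.
        return 'Please enter a valid amount.';
    } catch (PaymentFailedException $e) {
        // Internal details (hostnames, DSNs, stack traces) belong in the log only.
        error_log(sprintf('[checkout] %s: %s in %s:%d',
            get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
        return 'Sorry, we could not process your payment. Please try again later.';
    }
}

echo handleCheckout(-5), "\n";   // Please enter a valid amount.
echo handleCheckout(20), "\n";   // Sorry, we could not process your payment. Please try again later.
```

Catching the most specific type first keeps the generic branch from swallowing input errors that the user can actually fix; anything not caught here should reach a top-level handler that also logs and returns a generic page, never the raw message.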

  15. Closures

  17. Closures
    Route::get('/', function () {
        return View::make('index');
    });

  19. Namespaces

  21. Namespaces
    namespace Illuminate\Console;

    class Command
    {
        // ...
    }

  22. Namespaces
    // importing the class in another file
    use Illuminate\Console\Command;

    // declaring it
    namespace Illuminate\Console;

    class Command
    {
        // ...
    }

  24. Statics

  26. Statics
    class Route {
        public static function get() {
            // ...
        }
    }

  27. Statics
    Route::get();

    class Route {
        public static function get() {
            // ...
        }
    }

  29. Statics
    NO $this

    $var = self::varAtDefinition;   // resolved against the class where the code is written
    $var = static::varAtExec;       // late static binding: resolved against the class actually called
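The self/static distinction on the slide is easiest to see with a parent and a child class. This added example is not from the deck; the `Model` and `User` classes and their `TABLE` constant are constructed for it.

```php
<?php
// Added example (not from the deck): the difference between self:: and static::.
// self:: is bound where the code is written; static:: is bound to the class that
// was actually called (late static binding, PHP 5.3+).

class Model
{
    const TABLE = 'models';

    public static function tableViaSelf()
    {
        return self::TABLE;     // always Model::TABLE, whoever calls it
    }

    public static function tableViaStatic()
    {
        return static::TABLE;   // the TABLE of the class named in the call
    }

    // Same rule for construction: `new static` lets a parent factory build subclasses.
    public static function create()
    {
        return new static();
    }
}

class User extends Model
{
    const TABLE = 'users';
}

echo User::tableViaSelf(), "\n";      // models
echo User::tableViaStatic(), "\n";    // users
echo get_class(User::create()), "\n"; // User
```

Pick `static::` when the intent is "the class the caller used" (factories, table names, per-subclass configuration) and `self::` when the value must not be overridable from a subclass.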

  30. Short Array Syntax

  32. Short Array Syntax
    $array = array(
        0 => 'value1',
        1 => 'value2',
    );

  33. Short Array Syntax
    $array = [
        0 => 'value1',
        1 => 'value2',
    ];

  35. Traits

  36. Traits
    // grouping without
    // strict inheritance
    trait baseUser {
        function getName() {
            return 'Jon Snow';
        }
    }

  37. Traits
    class adminUser {
        use baseUser;
    }

  38. Traits
    $adminUser = new adminUser;
    echo $adminUser->getName();
    // output = 'Jon Snow'

  39. PDO

  41. PDO
    Cross System

  42. PDO
    Cross System
    MS SQL
    MySQL
    Oracle
    PostgreSQL
    SQLite
    CUBRID
    Firebird
    Informix
    ODBC & DB2
    4D

  43. PDO
    Cross System
    Safe Binding

  44. PDO
    $stmt = $db->prepare('
        SELECT * FROM users
        WHERE id = :id
    ');

    $stmt->bindParam(':id', $id);
    $stmt->execute();
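To show what "safe binding" buys, the following added example (not from the deck) runs the same lookup twice against an in-memory SQLite database: once with the value concatenated into the SQL text, once bound as a parameter. The table contents and the input value are constructed for the demonstration.

```php
<?php
// Added example (not from the deck): concatenation versus a bound parameter,
// run against an in-memory SQLite database so it works offline.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");

// A request parameter that is not the integer the code expects (constructed;
// in an application this would arrive via $_GET['id'] or similar).
$id = '1 OR 1=1';

// Unsafe: the value becomes part of the SQL text, so the OR clause runs and
// every row comes back.
$unsafe = $db->query("SELECT name FROM users WHERE id = $id")->fetchAll(PDO::FETCH_COLUMN);
echo 'concatenated: ', implode(',', $unsafe), "\n";   // alice,bob,carol

// Safe: the value travels separately as data and is compared to id as a whole
// string, which matches nothing.
$stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
$stmt->bindParam(':id', $id);
$stmt->execute();
$safe = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo 'bound: ', implode(',', $safe), "\n";             // (empty)
```

The query text is fixed at `prepare()` time, so nothing in a bound value can change its structure. Binding only covers values, though: table or column names and `ORDER BY` directions still have to come from an allow-list in your code, never from the request.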

  45. Security

  46. Security
    SQL Injection
    HTTPS
    Password Hashing

  47. Security
    Authentication
    Safe Defaults
    XSS & CSRF

  50. Security
    // escaping input (bind values instead of building SQL strings)
    $stmt->bindParam(':id', $id);

    // escaping output (encode for the HTML context it lands in)
    htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');

  51. Security
    HTTPS / SSL
    Encrypts traffic across the wire
    Trusted sender and receiver
    Required by OAuth 2

  52. Security
    // authentication - access control
    if (!$user->inGroup('admin')) {
        return 'ERROR YO';
    }

  53. Security
    // authentication - brute force
    if ($user->loginAttempts > 5) {
        return 'CAUGHT YA';
    }
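The attempt counter on the slide needs two more things to be usable: a time window, so a lockout eventually expires, and a reset on success. This added example, not from the deck, implements both in a small `LoginThrottle` class with an in-memory store; the class, its store and the scenario at the bottom are constructed for the demonstration, and a real deployment would keep the counters in the database or a cache shared by all web nodes.

```php
<?php
// Added example (not from the deck): a failed-login throttle with a time window.

class LoginThrottle
{
    private $store = array();   // username => array('count' => int, 'first' => unix time)
    private $maxAttempts;
    private $windowSeconds;

    public function __construct($maxAttempts = 5, $windowSeconds = 900)
    {
        $this->maxAttempts = $maxAttempts;
        $this->windowSeconds = $windowSeconds;
    }

    public function isLocked($user, $now)
    {
        if (!isset($this->store[$user])) {
            return false;
        }
        $entry = $this->store[$user];
        if ($now - $entry['first'] > $this->windowSeconds) {
            unset($this->store[$user]);     // window expired, start fresh
            return false;
        }
        return $entry['count'] >= $this->maxAttempts;
    }

    public function recordFailure($user, $now)
    {
        if (!isset($this->store[$user]) || $now - $this->store[$user]['first'] > $this->windowSeconds) {
            $this->store[$user] = array('count' => 0, 'first' => $now);
        }
        $this->store[$user]['count']++;
    }

    public function recordSuccess($user)
    {
        unset($this->store[$user]);         // a good login clears the counter
    }
}

// Constructed scenario: six wrong passwords ten seconds apart, then a check
// after the window has passed.
$throttle = new LoginThrottle(5, 900);
$t = 1000;
for ($i = 1; $i <= 6; $i++) {
    if ($throttle->isLocked('ben', $t)) {
        echo "attempt $i: locked out\n";          // printed for attempt 6
        continue;
    }
    $throttle->recordFailure('ben', $t);
    echo "attempt $i: wrong password\n";
    $t += 10;
}
echo $throttle->isLocked('ben', $t + 900) ? "still locked\n" : "window expired, may try again\n";
```

Locking an account outright lets anyone who knows a username keep its owner out, so many sites combine a per-account limit like this with a slower per-source limit or a CAPTCHA step instead of a hard lock, and always log the failures so the pattern is visible in monitoring.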

  55. Security
    // safe password hashing (the algorithm argument is required)
    password_hash($_POST['pass'], PASSWORD_DEFAULT);

    // password verification
    password_verify($_POST['pass'], $u->pass);
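Put together, registration and login with the `password_*` API (PHP 5.5+) look like the following added example, which is not from the deck. It also shows `password_needs_rehash()`, the piece that lets stored hashes be upgraded when the cost or algorithm changes. The `$users` array stands in for a database table, and the `register()` / `login()` functions and sample passwords are constructed for the demonstration.

```php
<?php
// Added example (not from the deck): hash on registration, verify on login,
// re-hash transparently when parameters change.

$users = array();   // username => stored hash (constructed stand-in for a table)

function register(array &$users, $username, $password)
{
    // PASSWORD_DEFAULT is currently bcrypt; each call draws a fresh random salt,
    // so two users with the same password still get different hashes.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array &$users, $username, $password)
{
    if (!isset($users[$username])) {
        return false;
    }
    if (!password_verify($password, $users[$username])) {
        return false;
    }
    // Transparent upgrade: if the stored hash was made with older parameters,
    // re-hash now while the plaintext is still in hand.
    if (password_needs_rehash($users[$username], PASSWORD_DEFAULT, array('cost' => 12))) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT, array('cost' => 12));
    }
    return true;
}

register($users, 'ben', 'correct horse battery staple');
var_dump(login($users, 'ben', 'correct horse battery staple'));  // bool(true)
var_dump(login($users, 'ben', 'wrong'));                          // bool(false)
var_dump(login($users, 'nobody', 'anything'));                    // bool(false)
echo substr($users['ben'], 0, 7), "\n";                           // $2y$12$ after the cost-12 upgrade
```

The hash string carries its own algorithm, cost and salt, so `password_verify()` needs no extra parameters and old hashes keep verifying after the cost is raised; the rehash branch is what moves them forward over time.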

  56. Security
    // safe defaults
    class YourController {
        protected $var1 = 'default value';

        function __construct() { … }
    }

  57. Security
    // safe defaults
    $something = false;

    foreach ($array as $k => $v) {
        $something = $v->foo;
        if ($something == 'bar') { … }
    }

  58. Security
    // Non-Persistent XSS
    http://www.yourSite.com/?page_num=2&per_page=50
    Send the link to someone, boom

  59. Security
    // Persistent XSS
    Same idea, except with data that is saved to the server and re-displayed

  60. Security
    // XSS Protection
    Title
    Hello <?= htmlentities($name) ?>
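Slides 50 and 60 both reach for `htmlentities()`. The added example below, not from the deck, wraps it in a single `e()` helper with the flags that matter and shows the difference they make on constructed inputs. The helper name and the sample values are assumptions for the demonstration.

```php
<?php
// Added example (not from the deck): one escaping helper for every value that
// lands in HTML. ENT_QUOTES covers attribute values in single quotes as well as
// double; the explicit charset avoids the ISO-8859-1 default of older PHP.

function e($value)
{
    return htmlentities((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed user input of the kind that reaches $_POST['name'] or $_GET['q'].
$name  = '<script>alert(1)</script>';
$title = 'Tom "Tommy" O\'Neil';

// Element content: markup characters are rendered as text, not parsed.
echo 'Hello ', e($name), "\n";
// Hello &lt;script&gt;alert(1)&lt;/script&gt;

// Attribute value: both kinds of quote are neutralised.
echo '<input value="', e($title), "\">\n";
// <input value="Tom &quot;Tommy&quot; O&#039;Neil">

// Without ENT_QUOTES (the default before PHP 8.1) the single quote survives,
// which matters as soon as the attribute is single-quoted.
echo "<input value='", htmlentities($title), "'>\n";
// <input value='Tom &quot;Tommy&quot; O'Neil'>   <- the attribute ends early
```

`htmlentities()` is the right encoder for HTML text and quoted attributes only; a value placed inside a `<script>` block, a URL or a CSS rule needs the encoder for that context, and a template engine that escapes by default removes the chance of forgetting the call.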

  61. Security
    // Cross Site Request Forgery (CSRF)
    http://yourSite.com/users/12/delete

  62. Security
    // CSRF Protection
    POST / PUT / UPDATE / DELETE behind forms with one-time use tokens

  63. Security
    // CSRF Protection
    function generateCsrf() {
        // 16 random bytes from /dev/urandom, hex-encoded so the token can sit in a form field
        $token = bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
        Session::flash('csrfToken', $token);
        return $token;
    }

  64. Security
    // CSRF Protection
    // constant-time, strictly typed comparison rather than ==
    if (
        isset($_POST['token'])
        && hash_equals((string) Session::get('csrfToken'), (string) $_POST['token'])
    ) { … }
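The two CSRF slides fit together as follows. This added example is not from the deck: it uses `random_bytes()` (PHP 7+) in place of the mcrypt call, which was removed in PHP 7.2, keeps the token in a plain `$session` array standing in for `$_SESSION` so the script runs from the command line, and compares with `hash_equals()`. The `generateCsrf()` / `verifyCsrf()` signatures and the sample requests are constructed for the demonstration.

```php
<?php
// Added example (not from the deck): generate a one-time CSRF token, embed it
// in a form, and verify it on the POST.

function generateCsrf(array &$session)
{
    $token = bin2hex(random_bytes(16));   // 32 hex chars, safe to put in a form value
    $session['csrfToken'] = $token;
    return $token;
}

function verifyCsrf(array &$session, array $post)
{
    if (!isset($session['csrfToken'], $post['token']) || !is_string($post['token'])) {
        return false;                      // missing token or wrong type: reject
    }
    $expected = $session['csrfToken'];
    unset($session['csrfToken']);          // one-time use: a replayed token fails
    // hash_equals: no loose type juggling, and no early exit that leaks
    // how many leading characters matched.
    return hash_equals($expected, $post['token']);
}

$session = array();

// Rendering the form: embed the token as a hidden field.
$token = generateCsrf($session);
echo '<input type="hidden" name="token" value="', htmlentities($token, ENT_QUOTES, 'UTF-8'), "\">\n";

// Handling the POST (constructed requests):
var_dump(verifyCsrf($session, array('token' => $token)));          // bool(true)
var_dump(verifyCsrf($session, array('token' => $token)));          // bool(false) - already used
var_dump(verifyCsrf($session, array('token' => array('x'))));      // bool(false) - wrong type
$fresh = generateCsrf($session);
var_dump(verifyCsrf($session, array('token' => 'not-the-token'))); // bool(false) - mismatch
```

Because the token is consumed on the first check, a form submitted twice (back button, double click) fails the second time; pages that legitimately post repeatedly either issue a fresh token with each response, as `Session::flash` on the slide does, or keep one per-session token and skip the `unset`.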

  65. Legit Tools

  67. Built-in Web Server

  68. Built-in Server
    $ php -S localhost:8000

    PHP 5.4.0 Development Server started…
    Listening on localhost:8000
    Document root is /home/ben/htdocs
    Press Ctrl-C to quit

  69. Composer

  70. Another Package Manager!?

  71. Composer
    Sane Package Management

  72. Composer
    Autoloading

  73. Composer
    PEAR, ha!
    packagist.org

  74. Composer
    / composer.json

    {
        "require": {
            "stripe/stripe-php": "dev-master",
            "twilio/sdk": "dev-master"
        }
    }

  75. Composer
    $ php composer.phar update
    $ php composer.phar install

  76. Composer
    $client = new Services_Twilio($sid, $tkn);

    $client->account
        ->messages
        ->sendMessage(…);

  77. Unit Testing

  79. Unit Testing
    PHPUnit
    Behat
    Mink
    Selenium
    CodeCeption
    PHPSpec

  80. Unit Testing
    class ApiAuthTest extends PHPUnit_Framework_TestCase {

        public function testVerify() {
            $auth = new apiAuth();

            $this->assertTrue($auth->verify());
        }
    }

  82. Unit Testing
    $ phpunit tests

    PHPUnit 3.3.17 by Sebastian Bergmann.

    Time: 0.01 seconds

    OK (1 tests, 1 assertions)

  83. Resources

  85. Resources
    PHP.net

  86. Resources
    Modern Frameworks
    Laravel
    Symfony2
    Fuel PHP
    SlimPHP 2
    Aura for PHP
    Silex

  87. Resources
    leanpub.com/phptherightway
    PHPtheRightWay.com

  88. Resources
    BuildSecurePHPapps.com
    Coupon Code: nephp ($3 off)
    http://buildsecurephpapps.com/?coupon=nephp

  89. Q/A TIME!
    Ben Edmunds
    @benedmunds
    http://benedmunds.com
    http://buildsecurephpapps.com/?coupon=nephp