SeaPHP 2015 - Modern and Secure PHP

Transcript

1. PHP modern & secure

2. Who is this guy? Ben Edmunds @benedmunds http://benedmunds.com

3. Who is this guy? Ben Edmunds Open Source Author PHP

   Town Hall Podcast CTO at Mindfulware

4. Welcome to the Future

5. Welcome to the Future Exceptions Namespaces Closures

6. Welcome to the Future Statics PDO Short Arrays Security

7. Legit Tools

8. Legit Tools Built-in Server Unit Testing Composer

9. Welcome to the Future

10. Great Scott!

11. Exceptions

12. None

13. Exceptions try { //your code goes here } catch (Exception

    $e) { die($e->getMessage()); }

14. Exceptions try { //your code goes here } catch (Exception

    $e) { die($e->getMessage()); }

15. Closures

16. None

17. Closures Route::get(‘/', function(){ return View::make(‘index'); });

18. Closures Route::get(‘/', function(){ return View::make(‘index'); });

19. Namespaces

20. None

21. Namespaces namespace Illuminate\Console; class Command { //…

22. Namespaces use Illuminate\Console\Command; namespace Illuminate\Console; class Command { //…

23. Namespaces use Illuminate\Console\Command; namespace Illuminate\Console; class Command { //…

24. Statics

25. None

26. Statics Class Route { public static function get() { //…

    }

27. Statics Route::get(); Class Route { public static function get() {

    //… }

28. Statics Route::get(); Class Route { public static function get() {

    //… }

29. Statics NO $this $var = self::varAtDefinition; $var = static::varAtExec;

30. Short Array Syntax

31. None

32. Short Array Syntax $array = array( 0 => ‘value1’, 1

    => ‘value2’, );

33. Short Array Syntax $array = [ 0 => ‘value1’, 1

    => ‘value2’, ];

34. Short Array Syntax $array = [ 0 => ‘value1’, 1

    => ‘value2’, ];

35. Traits

36. Traits // grouping without // strict inheritance trait baseUser {

    function getName() { return ‘Jon Snow’; } }

37. Traits class adminUser { use baseUser; }

38. Traits $adminUser = new adminUser; echo $adminUser->getName(); //output = ‘Jon

    Snow’

39. PDO

40. None

41. PDO Cross System

42. PDO Cross System MS SQL MySQL Oracle PostgreSQL SQLite CUBRID

    Firebird Informix ODBC & DB2 4D

43. PDO Cross System Safe Binding

44. PDO $stmt = $db->prepare(‘ SELECT * FROM users WHERE id=:id

    ’); $stmt->bindParam(‘:id’, $id); $stmt->execute();

45. Security

46. Security SQL Injection HTTPS Password Hashing

47. Security Authentication Safe Defaults XSS & CSRF

48. None

49. Security //escaping input $stmt->bindParam(‘:id’, $id);

50. Security //escaping input $stmt->bindParam(‘:id’, $id); //escaping output htmlentities($_POST[‘name’]);

51. Security HTTPS / SSL Encrypts traffic across the wire Trusted

    sender and receiver Required by OAUTH 2

52. Security //authentication - access control if (!$user->inGroup(‘admin’)) { return ‘ERROR

    YO’; }

53. Security //authentication - brute force if ($user->loginAttempts > 5) {

    return ‘CAUGHT YA’; }

54. Security //safe password hashing password_hash($_POST['pass']);

55. Security //safe password hashing password_hash($_POST['pass']); //password verification password_verify($_POST['pass'], $u->pass);

56. Security //safe defaults class Your Controller { protected $var1 =

    ‘default value’; function __construct() { … } }

57. Security //safe defaults $something = false; foreach ($array as $k

    => $v) { $something = $v->foo; if ($something == ‘bar’) { … } }

58. Security //Non-Persistent XSS http://www.yourSite.com/ ?page_num=2&per_page=50 Send the link to someone,

    boom

59. Security //Persistent XSS Same idea, except with data that is

    saved to the server and re-displayed

60. Security //XSS Protection <h1>Title</h1> Hello <?=htmlentities($name)?>

61. Security //Cross Site Request Forgery //(CSRF) http://yourSite.com/ users/12/delete

62. Security //CSRF Protection POST / PUT / UPDATE / DELETE

    behind forms with one-time use tokens

63. Security //CSRF Protection function generateCsrf() { $token = mcrypt_create_iv( 16,

    MCRYPT_DEV_URANDOM); Session::flash('csrfToken', $token); return $token; }

64. Security //CSRF Protection if ( $_POST['token'] == Session::get(‘csrfToken') ) {

    … }

65. Legit Tools

66. None

67. Built-in Web Server

68. Built-in Server $ php -S localhost:8000 PHP 5.4.0 Development Server

    started… Listening on localhost:8000 Document root is /home/ben/htdocs Press Ctrl-C to quit

69. Composer

70. Another Package Manager!?

71. Composer Sane Package Management

72. Composer Autoloading

73. Composer PEAR, ha! packagist.org

74. Composer / composer.json { "require": { "stripe/stripe-php": "dev-master", "twilio/sdk": "dev-master"

    } }

75. Composer $ php composer.phar update $ php composer.phar install

76. Composer $client = new Services_Twilio($sid, $tkn); $client->account ->messages ->sendMessage(…)

77. Unit Testing

78. None

79. Unit Testing PHPUnit Behat Mink Selenium CodeCeption PHPSpec

80. Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { public function testVerify()

    { $auth = new apiAuth(); $this->assertTrue($auth->verify());

81. Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { public function testVerify()

    { $auth = new apiAuth(); $this->assertTrue($auth->verify());

82. Unit Testing $ phpunit tests PHPUnit 3.3.17 by Sebastian Bergmann.

    Time: 0.01 seconds OK (1 tests, 1 assertions)

83. Resources

84. None

85. Resources PHP.net

86. Resources Modern Frameworks Laravel Symfony2 Fuel PHP SlimPHP 2 Aura

    for PHP Silex

87. Resources leanpub.com/ phptherightway PHPtheRightWay.com

88. Resources BuildSecurePHPapps.com Coupon Code: seaphp $3 off http://buildsecurephpapps.com/?coupon=seaphp

89. Q/A TIME! Ben Edmunds @benedmunds http://benedmunds.com http://buildsecurephpapps.com/?coupon=seaphp