Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure PHP - NomadPHP Lightning Talk
Search
Ben Edmunds
August 19, 2014
Programming
0
98
Secure PHP - NomadPHP Lightning Talk
Ben Edmunds
August 19, 2014
Tweet
Share
More Decks by Ben Edmunds
See All by Ben Edmunds
Longhorn PHP 2021 - Passing the Technical Interview Workshop
benedmunds
0
120
DevOpsDays Boston 2020 - Passing the Technical Interview
benedmunds
0
62
Midwest PHP 2020 - Web Scale System Design and Architecture
benedmunds
1
140
Modern and Secure PHP (SoutheastPHP 2018)
benedmunds
0
98
Level Up Your Career - PHP South Africa Keynote
benedmunds
0
860
Modern PHP, Standards, and Community (phpDay 2017)
benedmunds
1
840
Lone Star PHP 2017 - More Than Just a Hammer
benedmunds
0
500
Lone Star PHP 2017 - Your API is Bad and You Should Feel Bad
benedmunds
0
220
Intro to Laravel 5
benedmunds
1
490
Other Decks in Programming
See All in Programming
AI駆動のマルチエージェントによる業務フロー自動化の設計と実践
h_okkah
0
230
初学者でも今すぐできる、Claude Codeの生産性を10倍上げるTips
s4yuba
16
13k
システム成長を止めない!本番無停止テーブル移行の全貌
sakawe_ee
1
360
PipeCDのプラグイン化で目指すところ
warashi
1
300
たった 1 枚の PHP ファイルで実装する MCP サーバ / MCP Server with Vanilla PHP
okashoi
1
300
チームで開発し事業を加速するための"良い"設計の考え方 @ サポーターズCoLab 2025-07-08
agatan
1
470
PicoRuby on Rails
makicamel
2
140
Claude Code派?Gemini CLI派? みんなで比較LT会!_20250716
junholee
1
530
Goで作る、開発・CI環境
sin392
0
260
「App Intent」よくわからんけどすごい!
rinngo0302
1
100
ISUCON研修おかわり会 講義スライド
arfes0e2b3c
1
470
AIエージェントはこう育てる - GitHub Copilot Agentとチームの共進化サイクル
koboriakira
0
760
Featured
See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
Scaling GitHub
holman
460
140k
Mobile First: as difficult as doing things right
swwweet
223
9.7k
The Language of Interfaces
destraynor
158
25k
Building Better People: How to give real-time feedback that sticks.
wjessup
367
19k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Gamification - CAS2011
davidbonilla
81
5.4k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
331
22k
Practical Orchestrator
shlominoach
189
11k
RailsConf 2023
tenderlove
30
1.1k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
194
16k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
26k
Transcript
PHP secure
Wild Lightning Talk Appeared!
Who is this guy? Ben Edmunds ! @benedmunds http://benedmunds.com
Who is this guy? Ben Edmunds ! Open Source Author
PHP Town Hall Podcast CTO at Mindfulware
Exceptions
None
Exceptions try { //your code goes here } catch (Exception
$e) { die($e->getMessage()); }
Exceptions try { //your code goes here } catch (Exception
$e) { die($e->getMessage()); }
PDO
None
PDO Cross System
PDO Cross System MS SQL MySQL Oracle PostgreSQL SQLite CUBRID
Firebird Informix ODBC & DB2 4D
PDO Cross System Safe Binding
PDO $stmt = $db->prepare(‘ SELECT * FROM users WHERE id=:id
’); ! $stmt->bindParam(‘:id’, $id); $stmt->execute();
PDO //escaping input $stmt->bindParam(‘:id’, $id);
PDO //escaping input $stmt->bindParam(‘:id’, $id); //escaping output htmlentities($_POST[‘name’]);
HTTPS / SSL
HTTPS/SSL Encrypts traffic across the wire ! Trusted sender and
receiver ! Required by OAUTH 2
Passwords
Passwords //safe password hashing password_hash($_POST['pass']);
Passwords //safe password hashing password_hash($_POST['pass']); //password verification password_verify($_POST['pass'], $u->pass);
Authentication
Authentication //authentication - access control if (!$user->inGroup(‘admin’)) { return ‘ERROR
YO’; }
Authentication //authentication - brute force if ($user->loginAttempts > 5) {
return ‘CAUGHT YA’; }
Safe Defaults
Safe Defaults class Your Controller { protected $var1 = ‘default
value’; ! function __construct() { … } }
Safe Defaults $something = false; ! foreach ($array as $k
=> $v) { $something = $v->foo; if ($something == ‘bar’) { … } }
Popular Hacks
None
Popular Hacks //Non-Persistent XSS ! http://www.yourSite.com/ ?page_num=2&per_page=50 ! Send the
link to someone, boom
Popular Hacks //Persistent XSS ! Same idea, except with data
that is saved to the server and re-displayed
Popular Hacks //XSS Protection ! <h1>Title</h1> Hello <?=htmlentities($name)?> ! !
Popular Hacks //Cross Site Request Forgery //(CSRF) ! http://yourSite.com/ users/12/delete
! !
Popular Hacks //CSRF Protection ! POST / PUT / UPDATE
/ DELETE behind forms with one-time use tokens ! !
Popular Hacks //CSRF Protection ! function generateCsrf() { $token =
mcrypt_create_iv( 16, MCRYPT_DEV_URANDOM); Session::flash('csrfToken', $token); return $token; }
Popular Hacks //CSRF Protection ! if ( $_POST['token'] == Session::get(‘csrfToken')
) { … } !
Unit Testing
None
Unit Testing PHPUnit Behat Mink Selenium CodeCeption PHPSpec
Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { ! public function
testVerify() { ! $auth = new apiAuth(); $this->assertTrue($auth->verify());
Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { ! public function
testVerify() { ! $auth = new apiAuth(); $this->assertTrue($auth->verify());
Unit Testing $ phpunit tests ! PHPUnit 3.3.17 by Sebastian
Bergmann. Time: 0.01 seconds OK (1 tests, 1 assertions)
Resources
None
Resources PHP.net
Resources Modern Frameworks Laravel Symfony2 Fuel PHP SlimPHP 2 Aura
for PHP Silex
Resources leanpub.com/ phptherightway PHPtheRightWay.com
Resources BuildSecurePHPapps.com Coupon Code: nomadphp $3 off http://buildsecurephpapps.com/?coupon=nomadphp
Q/A TIME! Ben Edmunds @benedmunds http://benedmunds.com http://buildsecurephpapps.com/?coupon=nomadphp