Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure PHP - NomadPHP Lightning Talk
Search
Ben Edmunds
August 19, 2014
Programming
0
98
Secure PHP - NomadPHP Lightning Talk
Ben Edmunds
August 19, 2014
Tweet
Share
More Decks by Ben Edmunds
See All by Ben Edmunds
Longhorn PHP 2021 - Passing the Technical Interview Workshop
benedmunds
0
120
DevOpsDays Boston 2020 - Passing the Technical Interview
benedmunds
0
61
Midwest PHP 2020 - Web Scale System Design and Architecture
benedmunds
1
140
Modern and Secure PHP (SoutheastPHP 2018)
benedmunds
0
98
Level Up Your Career - PHP South Africa Keynote
benedmunds
0
860
Modern PHP, Standards, and Community (phpDay 2017)
benedmunds
1
840
Lone Star PHP 2017 - More Than Just a Hammer
benedmunds
0
500
Lone Star PHP 2017 - Your API is Bad and You Should Feel Bad
benedmunds
0
210
Intro to Laravel 5
benedmunds
1
490
Other Decks in Programming
See All in Programming
git worktree × Claude Code × MCP ~生成AI時代の並列開発フロー~
hisuzuya
1
550
設計やレビューに悩んでいるPHPerに贈る、クリーンなオブジェクト設計の指針たち
panda_program
6
1.9k
What Spring Developers Should Know About Jakarta EE
ivargrimstad
0
420
AIと”コードの評価関数”を共有する / Share the "code evaluation function" with AI
euglena1215
1
140
C++20 射影変換
faithandbrave
0
570
Code as Context 〜 1にコードで 2にリンタ 34がなくて 5にルール? 〜
yodakeisuke
0
120
猫と暮らす Google Nest Cam生活🐈 / WebRTC with Google Nest Cam
yutailang0119
0
110
PHPでWebSocketサーバーを実装しよう2025
kubotak
0
270
地方に住むエンジニアの残酷な現実とキャリア論
ichimichi
5
1.5k
Select API from Kotlin Coroutine
jmatsu
1
230
20250628_非エンジニアがバイブコーディングしてみた
ponponmikankan
0
660
AIエージェントはこう育てる - GitHub Copilot Agentとチームの共進化サイクル
koboriakira
0
510
Featured
See All Featured
Rebuilding a faster, lazier Slack
samanthasiow
82
9.1k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.9k
Visualization
eitanlees
146
16k
For a Future-Friendly Web
brad_frost
179
9.8k
Statistics for Hackers
jakevdp
799
220k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
248
1.3M
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
Into the Great Unknown - MozCon
thekraken
39
1.9k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
5
260
Embracing the Ebb and Flow
colly
86
4.7k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
2.8k
Transcript
PHP secure
Wild Lightning Talk Appeared!
Who is this guy? Ben Edmunds ! @benedmunds http://benedmunds.com
Who is this guy? Ben Edmunds ! Open Source Author
PHP Town Hall Podcast CTO at Mindfulware
Exceptions
None
Exceptions try { //your code goes here } catch (Exception
$e) { die($e->getMessage()); }
Exceptions try { //your code goes here } catch (Exception
$e) { die($e->getMessage()); }
PDO
None
PDO Cross System
PDO Cross System MS SQL MySQL Oracle PostgreSQL SQLite CUBRID
Firebird Informix ODBC & DB2 4D
PDO Cross System Safe Binding
PDO $stmt = $db->prepare(‘ SELECT * FROM users WHERE id=:id
’); ! $stmt->bindParam(‘:id’, $id); $stmt->execute();
PDO //escaping input $stmt->bindParam(‘:id’, $id);
PDO //escaping input $stmt->bindParam(‘:id’, $id); //escaping output htmlentities($_POST[‘name’]);
HTTPS / SSL
HTTPS/SSL Encrypts traffic across the wire ! Trusted sender and
receiver ! Required by OAUTH 2
Passwords
Passwords //safe password hashing password_hash($_POST['pass']);
Passwords //safe password hashing password_hash($_POST['pass']); //password verification password_verify($_POST['pass'], $u->pass);
Authentication
Authentication //authentication - access control if (!$user->inGroup(‘admin’)) { return ‘ERROR
YO’; }
Authentication //authentication - brute force if ($user->loginAttempts > 5) {
return ‘CAUGHT YA’; }
Safe Defaults
Safe Defaults class Your Controller { protected $var1 = ‘default
value’; ! function __construct() { … } }
Safe Defaults $something = false; ! foreach ($array as $k
=> $v) { $something = $v->foo; if ($something == ‘bar’) { … } }
Popular Hacks
None
Popular Hacks //Non-Persistent XSS ! http://www.yourSite.com/ ?page_num=2&per_page=50 ! Send the
link to someone, boom
Popular Hacks //Persistent XSS ! Same idea, except with data
that is saved to the server and re-displayed
Popular Hacks //XSS Protection ! <h1>Title</h1> Hello <?=htmlentities($name)?> ! !
Popular Hacks //Cross Site Request Forgery //(CSRF) ! http://yourSite.com/ users/12/delete
! !
Popular Hacks //CSRF Protection ! POST / PUT / UPDATE
/ DELETE behind forms with one-time use tokens ! !
Popular Hacks //CSRF Protection ! function generateCsrf() { $token =
mcrypt_create_iv( 16, MCRYPT_DEV_URANDOM); Session::flash('csrfToken', $token); return $token; }
Popular Hacks //CSRF Protection ! if ( $_POST['token'] == Session::get(‘csrfToken')
) { … } !
Unit Testing
None
Unit Testing PHPUnit Behat Mink Selenium CodeCeption PHPSpec
Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { ! public function
testVerify() { ! $auth = new apiAuth(); $this->assertTrue($auth->verify());
Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { ! public function
testVerify() { ! $auth = new apiAuth(); $this->assertTrue($auth->verify());
Unit Testing $ phpunit tests ! PHPUnit 3.3.17 by Sebastian
Bergmann. Time: 0.01 seconds OK (1 tests, 1 assertions)
Resources
None
Resources PHP.net
Resources Modern Frameworks Laravel Symfony2 Fuel PHP SlimPHP 2 Aura
for PHP Silex
Resources leanpub.com/ phptherightway PHPtheRightWay.com
Resources BuildSecurePHPapps.com Coupon Code: nomadphp $3 off http://buildsecurephpapps.com/?coupon=nomadphp
Q/A TIME! Ben Edmunds @benedmunds http://benedmunds.com http://buildsecurephpapps.com/?coupon=nomadphp