Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure PHP - NomadPHP Lightning Talk
Search
Ben Edmunds
August 19, 2014
Programming
110
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Secure PHP - NomadPHP Lightning Talk
Ben Edmunds
August 19, 2014
More Decks by Ben Edmunds
See All by Ben Edmunds
Longhorn PHP 2021 - Passing the Technical Interview Workshop
benedmunds
0
170
DevOpsDays Boston 2020 - Passing the Technical Interview
benedmunds
0
110
Midwest PHP 2020 - Web Scale System Design and Architecture
benedmunds
1
160
Modern and Secure PHP (SoutheastPHP 2018)
benedmunds
0
140
Level Up Your Career - PHP South Africa Keynote
benedmunds
0
960
Modern PHP, Standards, and Community (phpDay 2017)
benedmunds
1
900
Lone Star PHP 2017 - More Than Just a Hammer
benedmunds
0
540
Lone Star PHP 2017 - Your API is Bad and You Should Feel Bad
benedmunds
0
270
Intro to Laravel 5
benedmunds
1
540
Other Decks in Programming
See All in Programming
ローカルLLMでどこまでコードが書けるか -拡張版 / How much code can be written on a local LLM Extended
kishida
12
4.7k
AI がコードを書く時代における新卒エンジニアの仕事風景 (2026) / New Graduate Engineers in the Era of AI Coding (2026)
sushichan044
0
210
関数型プログラミングのメリットって何だろう?
wanko_it
0
160
霧の中の代数的エフェクト
funnyycat
1
340
エンジニア向け会社紹介/Findy Company Profile
findyinc
6
360k
LLMによるContent Moderationの本番運用の裏側と品質担保への挑戦
suikabar
3
840
【やさしく解説 設計編・中級 #1】一つの車に、運転手は一人 ~ある倉庫システムの事例から~
panda728
PRO
0
140
Even G2とAWSで推しのエージェントを召喚しよう!
har1101
1
160
Hatena Engineer Seminar #37「言語モデルの活用に関する研究」
slashnephy
0
510
コンテキストの使い捨てをやめる — ビジネスルール駆動開発と miko —
ioki
0
270
なぜ関数型プログラミングで「型」と「証明」が語られるのか #fp_matsuri
kajitack
3
780
初めてのKubernetes 本番運用でハマった話
oku053
0
120
Featured
See All Featured
Future Trends and Review - Lecture 12 - Web Technologies (1019888BNR)
signer
PRO
0
3.6k
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
auna
0
180
Rebuilding a faster, lazier Slack
samanthasiow
85
9.6k
Thoughts on Productivity
jonyablonski
76
5.2k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
390
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
360
30k
From Legacy to Launchpad: Building Startup-Ready Communities
dugsong
0
260
Believing is Seeing
oripsolob
1
170
Darren the Foodie - Storyboard
khoart
PRO
3
3.4k
How to Ace a Technical Interview
jacobian
281
24k
Code Review Best Practice
trishagee
74
20k
A Tale of Four Properties
chriscoyier
163
24k
Transcript
PHP secure
Wild Lightning Talk Appeared!
Who is this guy? Ben Edmunds ! @benedmunds http://benedmunds.com
Who is this guy? Ben Edmunds ! Open Source Author
PHP Town Hall Podcast CTO at Mindfulware
Exceptions
None
Exceptions try { //your code goes here } catch (Exception
$e) { die($e->getMessage()); }
Exceptions try { //your code goes here } catch (Exception
$e) { die($e->getMessage()); }
PDO
None
PDO Cross System
PDO Cross System MS SQL MySQL Oracle PostgreSQL SQLite CUBRID
Firebird Informix ODBC & DB2 4D
PDO Cross System Safe Binding
PDO $stmt = $db->prepare(‘ SELECT * FROM users WHERE id=:id
’); ! $stmt->bindParam(‘:id’, $id); $stmt->execute();
PDO //escaping input $stmt->bindParam(‘:id’, $id);
PDO //escaping input $stmt->bindParam(‘:id’, $id); //escaping output htmlentities($_POST[‘name’]);
HTTPS / SSL
HTTPS/SSL Encrypts traffic across the wire ! Trusted sender and
receiver ! Required by OAUTH 2
Passwords
Passwords //safe password hashing password_hash($_POST['pass']);
Passwords //safe password hashing password_hash($_POST['pass']); //password verification password_verify($_POST['pass'], $u->pass);
Authentication
Authentication //authentication - access control if (!$user->inGroup(‘admin’)) { return ‘ERROR
YO’; }
Authentication //authentication - brute force if ($user->loginAttempts > 5) {
return ‘CAUGHT YA’; }
Safe Defaults
Safe Defaults class Your Controller { protected $var1 = ‘default
value’; ! function __construct() { … } }
Safe Defaults $something = false; ! foreach ($array as $k
=> $v) { $something = $v->foo; if ($something == ‘bar’) { … } }
Popular Hacks
None
Popular Hacks //Non-Persistent XSS ! http://www.yourSite.com/ ?page_num=2&per_page=50 ! Send the
link to someone, boom
Popular Hacks //Persistent XSS ! Same idea, except with data
that is saved to the server and re-displayed
Popular Hacks //XSS Protection ! <h1>Title</h1> Hello <?=htmlentities($name)?> ! !
Popular Hacks //Cross Site Request Forgery //(CSRF) ! http://yourSite.com/ users/12/delete
! !
Popular Hacks //CSRF Protection ! POST / PUT / UPDATE
/ DELETE behind forms with one-time use tokens ! !
Popular Hacks //CSRF Protection ! function generateCsrf() { $token =
mcrypt_create_iv( 16, MCRYPT_DEV_URANDOM); Session::flash('csrfToken', $token); return $token; }
Popular Hacks //CSRF Protection ! if ( $_POST['token'] == Session::get(‘csrfToken')
) { … } !
Unit Testing
None
Unit Testing PHPUnit Behat Mink Selenium CodeCeption PHPSpec
Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { ! public function
testVerify() { ! $auth = new apiAuth(); $this->assertTrue($auth->verify());
Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { ! public function
testVerify() { ! $auth = new apiAuth(); $this->assertTrue($auth->verify());
Unit Testing $ phpunit tests ! PHPUnit 3.3.17 by Sebastian
Bergmann. Time: 0.01 seconds OK (1 tests, 1 assertions)
Resources
None
Resources PHP.net
Resources Modern Frameworks Laravel Symfony2 Fuel PHP SlimPHP 2 Aura
for PHP Silex
Resources leanpub.com/ phptherightway PHPtheRightWay.com
Resources BuildSecurePHPapps.com Coupon Code: nomadphp $3 off http://buildsecurephpapps.com/?coupon=nomadphp
Q/A TIME! Ben Edmunds @benedmunds http://benedmunds.com http://buildsecurephpapps.com/?coupon=nomadphp