Secure PHP - NomadPHP Lightning Talk
Ben Edmunds
August 19, 2014
Transcript
Secure PHP

Wild Lightning Talk Appeared!

Who is this guy?
Ben Edmunds
@benedmunds
http://benedmunds.com
Open Source Author
PHP Town Hall Podcast
CTO at Mindfulware
Exceptions

    try {
        // your code goes here
    } catch (Exception $e) {
        die($e->getMessage());
    }
PDO

PDO: Cross System
    MS SQL, MySQL, Oracle, PostgreSQL, SQLite, CUBRID, Firebird, Informix, ODBC & DB2, 4D

PDO: Safe Binding

    $stmt = $db->prepare('SELECT * FROM users WHERE id=:id');
    $stmt->bindParam(':id', $id);
    $stmt->execute();

    // escaping input
    $stmt->bindParam(':id', $id);

    // escaping output
    htmlentities($_POST['name']);
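The two halves of that slide, input binding and output escaping, as an added example that is not part of the deck: a constructed in-memory SQLite database, a concatenated query beside its bound equivalent, and an HTML escaper that also covers quotes (the slide's bare htmlentities() leaves single quotes alone on PHP before 8.1). The helper names are mine.

```php
<?php
// Added example, not from the slides: parameter binding versus string
// concatenation, plus output escaping, against a constructed in-memory SQLite DB.
declare(strict_types=1);

function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob <script>')");
    return $db;
}

// Vulnerable: the request value becomes part of the SQL text itself.
function findUserUnsafe(PDO $db, string $id): array {
    return $db->query("SELECT id, name FROM users WHERE id = $id")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the value is sent as a bound parameter and can never change the query.
function findUserSafe(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output escaping for an HTML body: quotes included, invalid UTF-8 replaced.
function escapeHtml(string $s): string {
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db    = buildDb();
$input = '2 OR 1=1';                         // constructed hostile request value

// The concatenated query now reads "... WHERE id = 2 OR 1=1" and matches every user.
echo 'unsafe: ', count(findUserUnsafe($db, $input)), " row(s)\n";
// Bound as data, the same string is compared with the id column and matches nothing.
echo 'safe:   ', count(findUserSafe($db, $input)), " row(s)\n";

// Binding protects the query; escaping protects the page that renders the result.
foreach (findUserSafe($db, '2') as $row) {
    echo 'Hello ', escapeHtml($row['name']), "\n";
}
```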
HTTPS / SSL

    Encrypts traffic across the wire
    Trusted sender and receiver
    Required by OAuth 2
Passwords

    // safe password hashing (the algorithm argument is required on PHP < 7.4)
    password_hash($_POST['pass'], PASSWORD_DEFAULT);

    // password verification
    password_verify($_POST['pass'], $u->pass);
Authentication

    // authentication - access control
    if (!$user->inGroup('admin')) {
        return 'ERROR YO';
    }

    // authentication - brute force
    if ($user->loginAttempts > 5) {
        return 'CAUGHT YA';
    }
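The Passwords and Authentication slides together, as an added example that is not part of the deck: a login routine that verifies with password_verify(), re-hashes when the default cost changes, and applies the loginAttempts lockout before touching the hash. The user record is a constructed array standing in for a database row; registerUser() and attemptLogin() are my names.

```php
<?php
// Added example, not from the slides: password_hash()/password_verify() together
// with the loginAttempts counter from the Authentication slide, on a constructed
// in-memory user record instead of a database row.
declare(strict_types=1);

const MAX_LOGIN_ATTEMPTS = 5;

function registerUser(string $username, string $password): array {
    return [
        'name'          => $username,
        // Salted, algorithm-tagged hash; PASSWORD_DEFAULT tracks the current recommendation.
        'pass'          => password_hash($password, PASSWORD_DEFAULT),
        'loginAttempts' => 0,
    ];
}

// Returns 'locked', 'denied' or 'ok' and updates the record in place.
function attemptLogin(array &$user, string $password): string {
    // Check the counter first so a locked account cannot be probed at all.
    if ($user['loginAttempts'] >= MAX_LOGIN_ATTEMPTS) {
        return 'locked';
    }
    if (!password_verify($password, $user['pass'])) {
        $user['loginAttempts']++;
        return 'denied';
    }
    $user['loginAttempts'] = 0;
    // Re-hash on successful login if the default algorithm or cost has moved on.
    if (password_needs_rehash($user['pass'], PASSWORD_DEFAULT)) {
        $user['pass'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return 'ok';
}

$secret = 'correct horse battery staple';       // constructed credential
$user   = registerUser('alice', $secret);
echo attemptLogin($user, $secret), "\n";        // correct password while unlocked
for ($i = 1; $i <= MAX_LOGIN_ATTEMPTS; $i++) {
    echo attemptLogin($user, "guess$i"), "\n";  // each wrong guess increments the counter
}
echo attemptLogin($user, $secret), "\n";        // counter exhausted: even the right password is refused
```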
Safe Defaults

    class YourController {
        protected $var1 = 'default value';

        function __construct() { … }
    }

    $something = false;

    foreach ($array as $k => $v) {
        $something = $v->foo;
        if ($something == 'bar') { … }
    }
Popular Hacks

    // Non-Persistent XSS
    http://www.yourSite.com/?page_num=2&per_page=50
    Send the link to someone, boom

    // Persistent XSS
    Same idea, except with data that is saved to the server and re-displayed

    // XSS Protection
    <h1>Title</h1>
    Hello <?=htmlentities($name)?>

    // Cross Site Request Forgery (CSRF)
    http://yourSite.com/users/12/delete

    // CSRF Protection
    POST / PUT / UPDATE / DELETE behind forms with one-time use tokens

    function generateCsrf() {
        $token = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
        Session::flash('csrfToken', $token);
        return $token;
    }

    // strict, constant-time comparison; a loose == on token strings is not a safe check
    if (isset($_POST['token']) && hash_equals(Session::get('csrfToken'), $_POST['token'])) { … }
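The CSRF token scheme from the slides, as an added example that is not part of the deck: issue a token from a CSPRNG, hex-encode it so it survives a hidden form field, store it once, and verify with hash_equals() so neither PHP's loose == comparison nor response timing weakens the check. The session is simulated with an array so the script runs stand-alone; random_bytes()/hash_equals() replace the slide's mcrypt call, and the function names are mine.

```php
<?php
// Added example, not from the slides: CSRF token issue/verify with a CSPRNG,
// hex encoding so the token survives an HTML form, and a constant-time compare.
// Session storage is simulated with an array so the script runs stand-alone.
declare(strict_types=1);

function generateCsrf(array &$session): string {
    $token = bin2hex(random_bytes(16));        // 128 bits of CSPRNG output, form-safe
    $session['csrfToken'] = $token;
    return $token;
}

function verifyCsrf(array &$session, array $post): bool {
    $expected = $session['csrfToken'] ?? null;
    $given    = $post['token'] ?? null;
    unset($session['csrfToken']);              // one-time use, as the slide requires
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    // hash_equals() is strict (no loose == coercion) and constant-time.
    return hash_equals($expected, $given);
}

function hiddenField(string $token): string {
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

$session = [];                                 // constructed stand-in for $_SESSION
$token   = generateCsrf($session);
echo hiddenField($token), "\n";

// Constructed request bodies: a cross-site form post cannot know the session's token.
var_dump(verifyCsrf($session, ['token' => 'not-the-token']));  // wrong token is rejected

$token = generateCsrf($session);               // issue a fresh token for the next form
var_dump(verifyCsrf($session, ['token' => $token]));  // matching token is accepted
var_dump(verifyCsrf($session, ['token' => $token]));  // replay fails: token already consumed
```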
Unit Testing

    PHPUnit, Behat, Mink, Selenium, CodeCeption, PHPSpec

    class ApiAuthTest extends PHPUnit_Framework_TestCase {

        public function testVerify() {
            $auth = new apiAuth();
            $this->assertTrue($auth->verify());
        }
    }

    $ phpunit tests
    PHPUnit 3.3.17 by Sebastian Bergmann.
    Time: 0.01 seconds
    OK (1 tests, 1 assertions)
Resources

    PHP.net
    Modern Frameworks: Laravel, Symfony2, Fuel PHP, SlimPHP 2, Aura for PHP, Silex
    leanpub.com/phptherightway
    PHPtheRightWay.com
    BuildSecurePHPapps.com - Coupon Code: nomadphp ($3 off) http://buildsecurephpapps.com/?coupon=nomadphp

Q/A TIME!
Ben Edmunds
@benedmunds
http://benedmunds.com
http://buildsecurephpapps.com/?coupon=nomadphp