Secure PHP - NomadPHP Lightning Talk
Ben Edmunds
August 19, 2014
Programming
Transcript
Secure PHP
Wild Lightning Talk Appeared!
Who is this guy?
Ben Edmunds
@benedmunds
http://benedmunds.com
Open Source Author
PHP Town Hall Podcast
CTO at Mindfulware
Exceptions
try {
  //your code goes here
} catch (Exception $e) {
  //exception messages can expose paths, queries and internals:
  //log them and show the user a generic error in production
  die($e->getMessage());
}
PDO
Cross System: MS SQL, MySQL, Oracle, PostgreSQL, SQLite, CUBRID, Firebird, Informix, ODBC & DB2, 4D
Safe Binding

$stmt = $db->prepare('SELECT * FROM users WHERE id=:id');
$stmt->bindParam(':id', $id);
$stmt->execute();

//binding input: the value travels as a parameter and is never parsed as SQL
$stmt->bindParam(':id', $id);
//escaping output
htmlentities($_POST['name']);
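Added example (not code from the deck): the string-built query the slides warn against, next to the same lookup as a PDO prepared statement, run against an in-memory SQLite database whose users table and rows are constructed here. For the input 1 OR 1=1 the concatenated form returns every user and the bound form returns none, because the bound value is compared as data rather than parsed as SQL. The last part shows the one thing binding cannot do, a column name in ORDER BY, handled with an allow-list. The table, column and variable names are chosen for the example.

```php
<?php
// Added example, not code from the deck: the injectable query next to its
// prepared-statement form. Runs offline against an in-memory SQLite database;
// the users table and its rows are constructed for this example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real driver-side prepares

$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
$db->exec("INSERT INTO users (id, name, is_admin) VALUES (1, 'alice', 0), (2, 'bob', 1)");

// Attacker-controlled input, as it would arrive in $_GET['id'].
$id = '1 OR 1=1';

// VULNERABLE: the input is spliced into the SQL text, so the OR clause is
// parsed as SQL and the WHERE filter is defeated.
$unsafe = $db->query('SELECT * FROM users WHERE id=' . $id)->fetchAll(PDO::FETCH_ASSOC);
printf("concatenated query returned %d row(s)\n", count($unsafe));

// SAFE: the statement is compiled first, then the value is bound as a
// parameter. It is compared as data and can never change the query shape.
$stmt = $db->prepare('SELECT * FROM users WHERE id = :id');
$stmt->bindValue(':id', $id);
$stmt->execute();
$safe = $stmt->fetchAll(PDO::FETCH_ASSOC);
printf("prepared query returned %d row(s)\n", count($safe));

// Identifiers and keywords cannot be bound. Allow-list them instead of
// trusting input for a sort column.
$allowedColumns = ['name', 'id'];
$orderBy = 'name; DROP TABLE users'; // hostile input for the sort column
if (!in_array($orderBy, $allowedColumns, true)) {
    $orderBy = 'id'; // fall back to a safe default
}
$rows = $db->query("SELECT id, name FROM users ORDER BY $orderBy")->fetchAll(PDO::FETCH_ASSOC);
printf("ordered by %s: %s\n", $orderBy, implode(', ', array_column($rows, 'name')));
```

Turning emulated prepares off makes PDO send the statement and the parameters to the driver separately; with emulation on, PDO escapes and splices the values itself, which is still safe but depends on the client knowing the server's character set.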
HTTPS / SSL (today TLS; the SSL protocol versions are deprecated)
Encrypts traffic across the wire
Trusted sender and receiver
Required by OAuth 2
Passwords
//safe password hashing (the algorithm argument is required)
password_hash($_POST['pass'], PASSWORD_DEFAULT);
//password verification
password_verify($_POST['pass'], $u->pass);
Authentication
//authorization - access control
if (!$user->inGroup('admin')) { return 'ERROR YO'; }

//brute force
if ($user->loginAttempts > 5) { return 'CAUGHT YA'; }
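Added example (not code from the deck) covering the Passwords and Authentication slides together: password_hash() and password_verify() with transparent re-hashing when the stored hash is weaker than the current default, a failed-attempt counter that locks the account, and a group check for access control. The $users array stands in for a users table, and MAX_ATTEMPTS, registerUser, loginUser, inGroup and the user names and passwords are all chosen for this example.

```php
<?php
// Added example, not code from the deck. $users stands in for the users
// table; names, passwords and the MAX_ATTEMPTS limit are constructed here.
const MAX_ATTEMPTS = 5;

function registerUser(array &$users, string $name, string $password, array $groups = []): void
{
    // PASSWORD_DEFAULT is bcrypt today; algorithm and cost are stored inside
    // the hash, so existing hashes keep verifying after the default changes.
    $users[$name] = [
        'hash'          => password_hash($password, PASSWORD_DEFAULT),
        'loginAttempts' => 0,
        'groups'        => $groups,
    ];
}

function loginUser(array &$users, string $name, string $password, string $dummyHash): bool
{
    $known = isset($users[$name]);
    if ($known && $users[$name]['loginAttempts'] >= MAX_ATTEMPTS) {
        return false; // locked: do not even check the password
    }
    // Verify against a dummy hash for unknown users so response time does not
    // reveal which usernames exist.
    $hash = $known ? $users[$name]['hash'] : $dummyHash;
    $ok = password_verify($password, $hash) && $known;

    if (!$ok) {
        if ($known) {
            $users[$name]['loginAttempts']++;
        }
        return false;
    }
    $users[$name]['loginAttempts'] = 0;
    // Upgrade hashes made with an older cost or algorithm while the
    // plaintext is still in hand.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

function inGroup(array $users, string $name, string $group): bool
{
    return in_array($group, $users[$name]['groups'] ?? [], true);
}

$users = [];
// A real hash of a throwaway value, so the unknown-user path costs the same.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

registerUser($users, 'alice', 'correct horse battery staple', ['admin']);
registerUser($users, 'bob', 'hunter2');
// Pretend bob's hash dates from a deployment with the lowest bcrypt cost.
$users['bob']['hash'] = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 4]);

var_dump(loginUser($users, 'alice', 'correct horse battery staple', $dummyHash)); // good password
var_dump(inGroup($users, 'alice', 'admin'));
var_dump(inGroup($users, 'bob', 'admin'));

var_dump(password_needs_rehash($users['bob']['hash'], PASSWORD_DEFAULT)); // before bob logs in
var_dump(loginUser($users, 'bob', 'hunter2', $dummyHash));
var_dump(password_needs_rehash($users['bob']['hash'], PASSWORD_DEFAULT)); // after the re-hash

// MAX_ATTEMPTS wrong passwords lock bob; the correct one is then refused too.
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    loginUser($users, 'bob', 'wrong', $dummyHash);
}
var_dump($users['bob']['loginAttempts']);
var_dump(loginUser($users, 'bob', 'hunter2', $dummyHash));
```

A counter in the user record is the simplest form of the slide's loginAttempts check; in production the reset path (time window or administrator unlock) matters as much as the lock, because a permanent lock lets an attacker deny service to any account by name.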
Safe Defaults
class YourController {
  protected $var1 = 'default value';
  function __construct() { … }
}

$something = false;
foreach ($array as $k => $v) {
  $something = $v->foo;
  if ($something == 'bar') { … }
}
Popular Hacks
//Non-Persistent XSS
http://www.yourSite.com/?page_num=2&per_page=50
Send the link to someone, boom

//Persistent XSS
Same idea, except with data that is saved to the server and re-displayed

//XSS Protection
<h1>Title</h1>
Hello <?=htmlentities($name)?>
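Added example (not code from the deck) extending the htmlentities() slide: the same attacker-controlled string rendered into an HTML body, a quoted attribute, a URL query parameter and an inline script, each with the escaping that context needs. The payload, the e() helper and the markup are constructed for this example.

```php
<?php
// Added example, not code from the deck: one payload, four output contexts.
$name = '"><script>alert(document.cookie)</script>'; // constructed XSS payload

// Escaper for HTML text and quoted attribute values. ENT_QUOTES escapes both
// quote styles, and the charset must match the page's declared encoding.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 1. HTML body: the unescaped line injects a script element, the escaped one
//    renders the payload as literal text.
$vulnerableBody = "<h1>Hello $name</h1>";
$safeBody       = '<h1>Hello ' . e($name) . '</h1>';

// 2. Attribute value: always quote the attribute; e() encodes the quotes so
//    the payload cannot close the attribute and start a new tag.
$safeAttr = '<input type="text" name="name" value="' . e($name) . '">';

// 3. URL query parameter: percent-encode with rawurlencode() first, then
//    HTML-escape the whole URL, so the value can break neither the query
//    string nor the attribute around it.
$safeLink = '<a href="/profile?name=' . e(rawurlencode($name)) . '">profile</a>';

// 4. Data handed to inline JavaScript: json_encode() with the HEX flags turns
//    < > & ' " into \uXXXX escapes, so a </script> inside the value cannot
//    terminate the script block.
$safeJs = '<script>var user = ' . json_encode(
    $name,
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
) . ';</script>';

foreach ([
    'vulnerable body' => $vulnerableBody,
    'body'            => $safeBody,
    'attribute'       => $safeAttr,
    'link'            => $safeLink,
    'script'          => $safeJs,
] as $context => $html) {
    echo str_pad($context, 16) . $html . "\n";
}
```

The rule the slide's htmlentities() call expresses is "escape on output, for the context you are writing into"; the same string needs different treatment in a URL or a script than in the page body, and escaping on input (at $_POST time) corrupts data that later goes to the database, a JSON API or an e-mail.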
//Cross Site Request Forgery (CSRF)
http://yourSite.com/users/12/delete

//CSRF Protection
POST / PUT / PATCH / DELETE behind forms with one-time use tokens

function generateCsrf() {
  //random_bytes() replaces mcrypt_create_iv(), which was removed in PHP 7.2
  $token = bin2hex(random_bytes(16));
  Session::flash('csrfToken', $token);
  return $token;
}

//compare with hash_equals(), not ==: a missing session token loosely equals
//an empty field, and == is not constant-time
$token = Session::get('csrfToken');
if (is_string($token) && is_string($_POST['token'] ?? null) && hash_equals($token, $_POST['token'])) { … }
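Added example (not code from the deck) of the token scheme the CSRF Protection slides describe, written for current PHP: a per-session token from random_bytes(), embedded in the form as a hidden field, and checked with hash_equals(). A plain $session array stands in for $_SESSION and the slide's Session class so the script runs from the command line; the function names csrfToken, csrfField, csrfValid and handleDelete, the field name _token and the sample requests are all constructed here.

```php
<?php
// Added example, not code from the deck. $session stands in for $_SESSION;
// the requests below are constructed to exercise each branch.
function csrfToken(array &$session): string
{
    // One token per session survives multiple open tabs; regenerate it when
    // the session is promoted at login so a pre-login token is not reused.
    if (empty($session['csrfToken'])) {
        $session['csrfToken'] = bin2hex(random_bytes(32));
    }
    return $session['csrfToken'];
}

function csrfField(array &$session): string
{
    return '<input type="hidden" name="_token" value="'
        . htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfValid(array $session, array $post): bool
{
    // hash_equals() needs two strings. A missing token or an array-valued
    // field (_token[]=x) is rejected here instead of raising a TypeError,
    // and a missing session token can never match an empty field the way
    // null == '' does with a loose comparison.
    if (!isset($session['csrfToken']) || !is_string($post['_token'] ?? null)) {
        return false;
    }
    return hash_equals($session['csrfToken'], $post['_token']);
}

// Request handler: state-changing methods must carry a valid token, and GET
// never changes state, so a link like /users/12/delete is not an option.
function handleDelete(string $method, array $session, array $post): string
{
    if ($method !== 'POST') {
        return '405 Method Not Allowed';
    }
    if (!csrfValid($session, $post)) {
        return '403 Forbidden: bad CSRF token';
    }
    return '200 user deleted';
}

$session = [];
echo '<form method="post" action="/users/12/delete">' . csrfField($session) . "</form>\n";

$legit      = ['_token' => $session['csrfToken']]; // what the real form submits
$forged     = ['_token' => 'guess'];               // attacker's page cannot read the session
$malformed  = ['_token' => ['x']];                 // _token[]=x in the request body

echo handleDelete('GET',  $session, []), "\n";
echo handleDelete('POST', $session, $forged), "\n";
echo handleDelete('POST', $session, $malformed), "\n";
echo handleDelete('POST', $session, $legit), "\n";
```

The per-session token here differs from the slide's Session::flash() one-time token, which is invalidated after a single request; a one-time token is stricter but breaks when the user has two forms open, so most frameworks settle on a per-session token and rotate it on login and logout.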
Unit Testing
PHPUnit, Behat, Mink, Selenium, Codeception, PHPSpec

class ApiAuthTest extends PHPUnit_Framework_TestCase {
  public function testVerify() {
    $auth = new apiAuth();
    $this->assertTrue($auth->verify());
  }
}

$ phpunit tests
PHPUnit 3.3.17 by Sebastian Bergmann.
Time: 0.01 seconds
OK (1 tests, 1 assertions)
Resources
PHP.net
Modern Frameworks: Laravel, Symfony2, Fuel PHP, SlimPHP 2, Aura for PHP, Silex
leanpub.com/phptherightway
PHPtheRightWay.com
BuildSecurePHPapps.com
Coupon Code: nomadphp ($3 off)
http://buildsecurephpapps.com/?coupon=nomadphp

Q/A TIME!
Ben Edmunds
@benedmunds
http://benedmunds.com
http://buildsecurephpapps.com/?coupon=nomadphp