Secure PHP - NomadPHP Lightning Talk

Transcript

1. PHP secure

2. Wild Lightning Talk Appeared!

3. Who is this guy? Ben Edmunds ! @benedmunds http://benedmunds.com

4. Who is this guy? Ben Edmunds ! Open Source Author

   PHP Town Hall Podcast CTO at Mindfulware

5. Exceptions

6. None

7. Exceptions try { //your code goes here } catch (Exception

   $e) { die($e->getMessage()); }

8. Exceptions try { //your code goes here } catch (Exception

   $e) { die($e->getMessage()); }

9. PDO

10. None

11. PDO Cross System

12. PDO Cross System MS SQL MySQL Oracle PostgreSQL SQLite CUBRID

    Firebird Informix ODBC & DB2 4D

13. PDO Cross System Safe Binding

14. PDO $stmt = $db->prepare(‘ SELECT * FROM users WHERE id=:id

    ’); ! $stmt->bindParam(‘:id’, $id); $stmt->execute();

15. PDO //escaping input $stmt->bindParam(‘:id’, $id);

16. PDO //escaping input $stmt->bindParam(‘:id’, $id); //escaping output htmlentities($_POST[‘name’]);

17. HTTPS / SSL

18. HTTPS/SSL Encrypts traffic across the wire ! Trusted sender and

    receiver ! Required by OAUTH 2

19. Passwords

20. Passwords //safe password hashing password_hash($_POST['pass']);

21. Passwords //safe password hashing password_hash($_POST['pass']); //password verification password_verify($_POST['pass'], $u->pass);

22. Authentication

23. Authentication //authentication - access control if (!$user->inGroup(‘admin’)) { return ‘ERROR

    YO’; }

24. Authentication //authentication - brute force if ($user->loginAttempts > 5) {

    return ‘CAUGHT YA’; }

25. Safe Defaults

26. Safe Defaults class Your Controller { protected $var1 = ‘default

    value’; ! function __construct() { … } }

27. Safe Defaults $something = false; ! foreach ($array as $k

    => $v) { $something = $v->foo; if ($something == ‘bar’) { … } }

28. Popular Hacks

29. None

30. Popular Hacks //Non-Persistent XSS ! http://www.yourSite.com/ ?page_num=2&per_page=50 ! Send the

    link to someone, boom

31. Popular Hacks //Persistent XSS ! Same idea, except with data

    that is saved to the server and re-displayed

32. Popular Hacks //XSS Protection ! <h1>Title</h1> Hello <?=htmlentities($name)?> ! !

33. Popular Hacks //Cross Site Request Forgery //(CSRF) ! http://yourSite.com/ users/12/delete

    ! !

34. Popular Hacks //CSRF Protection ! POST / PUT / UPDATE

    / DELETE behind forms with one-time use tokens ! !

35. Popular Hacks //CSRF Protection ! function generateCsrf() { $token =

    mcrypt_create_iv( 16, MCRYPT_DEV_URANDOM); Session::flash('csrfToken', $token); return $token; }

36. Popular Hacks //CSRF Protection ! if ( $_POST['token'] == Session::get(‘csrfToken')

    ) { … } !

37. Unit Testing

38. None

39. Unit Testing PHPUnit Behat Mink Selenium CodeCeption PHPSpec

40. Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { ! public function

    testVerify() { ! $auth = new apiAuth(); $this->assertTrue($auth->verify());

41. Unit Testing class ApiAuthTest extends PHPUnit_Framework_TestCase { ! public function

    testVerify() { ! $auth = new apiAuth(); $this->assertTrue($auth->verify());

42. Unit Testing $ phpunit tests ! PHPUnit 3.3.17 by Sebastian

    Bergmann. Time: 0.01 seconds OK (1 tests, 1 assertions)

43. Resources

44. None

45. Resources PHP.net

46. Resources Modern Frameworks Laravel Symfony2 Fuel PHP SlimPHP 2 Aura

    for PHP Silex

47. Resources leanpub.com/ phptherightway PHPtheRightWay.com

48. Resources BuildSecurePHPapps.com Coupon Code: nomadphp $3 off http://buildsecurephpapps.com/?coupon=nomadphp

49. Q/A TIME! Ben Edmunds @benedmunds http://benedmunds.com http://buildsecurephpapps.com/?coupon=nomadphp