
ZendCon 2015 - Modern and Secure PHP

Ben Edmunds
October 22, 2015


This is not the PHP of old. Learn what's changed in the PHP world over the last few years. Classes, objects, statics, traits, unit testing, composer, password hashing; it's a whole new ballgame.

Learn what has changed in the PHP world over the last several years. We'll cover:
The newest PHP language features.
Community efforts such as the PHP Framework Interoperability Group, Composer, and PHP the Right Way.
How to secure your application using up-to-date techniques.


Transcript

  1. PHP modern & secure

  2. Who is this guy? Ben Edmunds @benedmunds http://benedmunds.com

  3. Who is this guy? Ben Edmunds: Open Source Author, PHP Town Hall Podcast, CTO at Mindfulware
  4. Welcome to the Future

  5. Welcome to the Future Exceptions Namespaces Closures

  6. Welcome to the Future Statics PDO Short Arrays Security

  7. Legit Tools

  8. Legit Tools Built-in Server Unit Testing Composer

  9. Welcome to the Future

  10. Great Scott!

  11. Exceptions

  13. Exceptions
    try {
        // your code goes here
    } catch (Exception $e) {
        die($e->getMessage());
    }
  14. Exceptions
    try {
        // your code goes here
    } catch (Exception $e) {
        die($e->getMessage());
    }
  15. Closures

  17. Closures
    Route::get('/', function () {
        return View::make('index');
    });

  18. Closures
    Route::get('/', function () {
        return View::make('index');
    });

  19. Namespaces

  21. Namespaces
    namespace Illuminate\Console;
    class Command {
        //…
    }

  22. Namespaces
    // in the file defining the class (namespace must be the first statement)
    namespace Illuminate\Console;
    class Command {
        //…
    }
    // in another file: import the class by its namespaced name
    use Illuminate\Console\Command;

  23. Namespaces
    // in the file defining the class (namespace must be the first statement)
    namespace Illuminate\Console;
    class Command {
        //…
    }
    // in another file: import the class by its namespaced name
    use Illuminate\Console\Command;

  24. Statics

  26. Statics
    class Route {
        public static function get() {
            //…
        }
    }
  27. Statics
    Route::get();
    class Route {
        public static function get() {
            //…
        }
    }
  28. Statics
    Route::get();
    class Route {
        public static function get() {
            //…
        }
    }
  29. Statics
    // NO $this inside a static method
    $var = self::varAtDefinition;  // resolved against the class where the code is written
    $var = static::varAtExec;      // resolved against the class the call was made on (late static binding)
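
The self:: versus static:: distinction from the slide above, as an added example that is not the talk's code; the Model and User classes and their TABLE constants are constructed for illustration:

```php
<?php
// Added example, not from the talk: self:: is resolved where the code is
// written, static:: where the call is made (late static binding), which
// is what lets a base class method return the right subclass.
class Model
{
    const TABLE = 'models';

    public static function selfTable(): string
    {
        return self::TABLE;    // always Model::TABLE, even via User::
    }

    public static function staticTable(): string
    {
        return static::TABLE;  // TABLE of the class the call went through
    }

    public static function create()
    {
        return new static();   // a User when called as User::create()
    }
}

class User extends Model
{
    const TABLE = 'users';
}

// Same method, different answers depending on the binding used
echo User::selfTable(), "\n";
echo User::staticTable(), "\n";
echo get_class(User::create()), "\n";
```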

  30. Short Array Syntax

  32. Short Array Syntax
    $array = array(
        0 => 'value1',
        1 => 'value2',
    );
  33. Short Array Syntax
    $array = [
        0 => 'value1',
        1 => 'value2',
    ];
  34. Short Array Syntax
    $array = [
        0 => 'value1',
        1 => 'value2',
    ];
  35. Traits

  36. Traits
    // grouping without strict inheritance
    trait baseUser {
        function getName() {
            return 'Jon Snow';
        }
    }
  37. Traits
    class adminUser {
        use baseUser;
    }

  38. Traits
    $adminUser = new adminUser;
    echo $adminUser->getName(); // output = 'Jon Snow'
  39. PDO

  41. PDO Cross System

  42. PDO Cross System: MS SQL, MySQL, Oracle, PostgreSQL, SQLite, CUBRID, Firebird, Informix, ODBC & DB2, 4D
  43. PDO Cross System Safe Binding

  44. PDO
    $stmt = $db->prepare('SELECT * FROM users WHERE id=:id');
    $stmt->bindParam(':id', $id);
    $stmt->execute();
  45. Security

  46. Security SQL Injection HTTPS Password Hashing

  47. Security Authentication Safe Defaults XSS & CSRF

  49. Security
    // escaping input
    $stmt->bindParam(':id', $id);

  50. Security
    // escaping input
    $stmt->bindParam(':id', $id);
    // escaping output
    htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');

  51. Security HTTPS / SSL: encrypts traffic across the wire; trusted sender and receiver; required by OAuth 2
  52. Security
    // authentication - access control
    if (!$user->inGroup('admin')) {
        return 'ERROR YO';
    }
  53. Security
    // authentication - brute force
    if ($user->loginAttempts > 5) {
        return 'CAUGHT YA';
    }
  54. Security
    // safe password hashing (the algorithm argument is required; PASSWORD_DEFAULT is bcrypt today)
    password_hash($_POST['pass'], PASSWORD_DEFAULT);

  55. Security
    // safe password hashing (the algorithm argument is required; PASSWORD_DEFAULT is bcrypt today)
    password_hash($_POST['pass'], PASSWORD_DEFAULT);
    // password verification
    password_verify($_POST['pass'], $u->pass);
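
The hashing, verification and brute-force slides combined into one flow, as an added example that is not the talk's code: registration stores a password_hash() result, login checks it with password_verify(), counts failures, and re-hashes when PHP's defaults have moved on. The $users array stands in for a database table and is constructed.

```php
<?php
// Added example, not from the talk. $users stands in for a users table.
$users = [];

function registerUser(array &$users, string $name, string $password): void
{
    // PASSWORD_DEFAULT picks the current recommended algorithm (bcrypt
    // today); the salt is generated and embedded in the returned string.
    $users[$name] = [
        'hash'     => password_hash($password, PASSWORD_DEFAULT),
        'attempts' => 0,
    ];
}

function loginUser(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    // Brute-force limit as on the slides: refuse after 5 failures
    if ($users[$name]['attempts'] > 5) {
        return false;
    }
    // password_verify() does the comparison; never compare hashes with ==
    if (!password_verify($password, $users[$name]['hash'])) {
        $users[$name]['attempts']++;
        return false;
    }
    $users[$name]['attempts'] = 0;
    // Upgrade the stored hash if the default algorithm or cost changed
    if (password_needs_rehash($users[$name]['hash'], PASSWORD_DEFAULT)) {
        $users[$name]['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

registerUser($users, 'ben', 'correct horse battery staple');
var_dump(loginUser($users, 'ben', 'wrong'));
var_dump(loginUser($users, 'ben', 'correct horse battery staple'));
```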

  56. Security
    // safe defaults
    class YourController {
        protected $var1 = 'default value';
        function __construct() {
            …
        }
    }
  57. Security
    // safe defaults
    $something = false;
    foreach ($array as $k => $v) {
        $something = $v->foo;
        if ($something == 'bar') {
            …
        }
    }
  58. Security // Non-Persistent XSS: http://www.yourSite.com/?page_num=2&per_page=50 Send the link to someone, boom
  59. Security // Persistent XSS: same idea, except with data that is saved to the server and re-displayed
  60. Security
    // XSS Protection
    <h1>Title</h1>
    Hello <?= htmlentities($name, ENT_QUOTES, 'UTF-8') ?>

  61. Security // Cross Site Request Forgery (CSRF): http://yourSite.com/users/12/delete

  62. Security // CSRF Protection: POST / PUT / UPDATE / DELETE behind forms with one-time use tokens
  63. Security
    // CSRF Protection
    function generateCsrf() {
        // 16 random bytes, hex-encoded so the token can sit in a form field
        // (mcrypt is removed in PHP 7.2; random_bytes(16) is the replacement)
        $token = bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
        Session::flash('csrfToken', $token);
        return $token;
    }
  64. Security
    // CSRF Protection
    // hash_equals(): strict, constant-time comparison instead of loose ==
    if (isset($_POST['token']) && hash_equals(Session::get('csrfToken'), $_POST['token'])) {
        …
    }
  65. Legit Tools

  67. Built-in Web Server

  68. Built-in Server
    $ php -S localhost:8000
    PHP 5.4.0 Development Server started…
    Listening on localhost:8000
    Document root is /home/ben/htdocs
    Press Ctrl-C to quit
  69. Composer

  70. Another Package Manager!?

  71. Composer Sane Package Management

  72. Composer Autoloading

  73. Composer PEAR, ha! packagist.org

  74. Composer / composer.json
    {
        "require": {
            "stripe/stripe-php": "dev-master",
            "twilio/sdk": "dev-master"
        }
    }
  75. Composer
    $ php composer.phar update
    $ php composer.phar install

  76. Composer
    $client = new Services_Twilio($sid, $tkn);
    $client->account->messages->sendMessage(…);

  77. Unit Testing

  79. Unit Testing PHPUnit Behat Mink Selenium CodeCeption PHPSpec

  80. Unit Testing
    class ApiAuthTest extends PHPUnit_Framework_TestCase {
        public function testVerify() {
            $auth = new apiAuth();
            $this->assertTrue($auth->verify());
        }
    }
  81. Unit Testing
    class ApiAuthTest extends PHPUnit_Framework_TestCase {
        public function testVerify() {
            $auth = new apiAuth();
            $this->assertTrue($auth->verify());
        }
    }
  82. Unit Testing
    $ phpunit tests
    PHPUnit 3.3.17 by Sebastian Bergmann.
    Time: 0.01 seconds
    OK (1 tests, 1 assertions)
  83. Resources

  85. Resources PHP.net

  86. Resources Modern Frameworks: Laravel, Symfony2, Fuel PHP, SlimPHP 2, Aura for PHP, Silex
  87. Resources leanpub.com/phptherightway PHPtheRightWay.com

  88. Resources BuildSecurePHPapps.com Coupon Code: zendcon 20% off / $5 off http://buildsecurephpapps.com/?coupon=zendcon
  89. Q/A TIME! Ben Edmunds @benedmunds http://benedmunds.com http://buildsecurephpapps.com/?coupon=zendcon http://joind.in/15620