Writing Secure PHP Applications

Chris Cornutt
February 27, 2013


Being secure on the web is getting harder and harder: attacks are happening more and more, and we, as web application developers, have to respond. This session shares tips you can follow in your code to keep your application safe, along with tips that help with investigation and prevent your application from becoming the next statistic.


Transcript

  1. SQL injection is ten years old. XSS is eleven years old. Why are they still a problem?

     Wednesday, February 27, 2013
  2. Input validation

     <?php
     /* Using built-in functions */
     is_numeric('1234');  // true
     ctype_digit('1234'); // true (ctype_digit rejects signs, decimals and whitespace that is_numeric accepts)
     filter_var('invalid.email.com', FILTER_VALIDATE_EMAIL); // false

     /* Using a 3rd-party library */
     use Respect\Validation\Validator as v;
     $validator = v::alnum()->noWhitespace()->length(1, 15);
     var_dump($validator->validate('thisisatest')); // true
     ?>

     https://github.com/Respect/Validation
  3. Return fast

     <?php
     /* Bad practice: the failure branch is buried after the main logic */
     function foo($bar) {
         if ($bar == true) {
             /* Lots of code here... */
         } else {
             return false;
         }
     }
     //-----------------------------------
     /* Good practice: reject early, then the main logic reads straight through */
     function foo($bar) {
         if ($bar !== true) {
             return false;
         }
         /* Lots of code here... */
     }
     ?>
  4. Password hashing

     <?php
     /* In PHP 5.5+ */
     $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);

     /* Prior to PHP 5.5 */
     $lib = new \PasswordLib\PasswordLib();
     $hash = $lib->createPasswordHash($input);

     \phpSec\Crypt\Hash::$_method = \phpSec\Crypt\Hash::BCRYPT;
     $hash = \phpSec\Crypt\Hash::create($input);

     $bcrypt = new \Zend\Crypt\Password\Bcrypt();
     $hash = $bcrypt->create($input);
     ?>

     https://github.com/ircmaxell/password_compat
  5. Encrypted sessions

     <?php
     /* Set a custom session handler from six named callback functions */
     session_set_save_handler('open', 'close', 'read', 'write', 'destroy', 'gc');

     /* Using the handler interface */
     class CustomSessionHandler implements SessionHandlerInterface {
         /* Code goes here */
     }
     $handler = new CustomSessionHandler();
     session_set_save_handler($handler, true);
     ?>

     https://github.com/enygma/shieldframework/blob/master/Shield/Session.php
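As an added example of what the "Code goes here" stub above could contain (my code, not from the slides or from the shieldframework project), here is a handler that encrypts each session's data at rest with AES-256-GCM, rejects tampered data, and refuses session IDs that could be turned into a path. It assumes PHP 8.1+ with the openssl extension and a hypothetical SESSION_KEY_HEX variable holding a 32-byte key in hex.

```php
<?php
// Added example, not code from the slides or from shieldframework: a session
// handler that encrypts session data at rest with AES-256-GCM. Assumes PHP 8.1+
// with openssl; the 32-byte key is assumed to come from configuration.
final class EncryptedFileSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $key, private string $dir)
    {
        if (strlen($key) !== 32) { throw new InvalidArgumentException('key must be 32 bytes'); }
    }
    // The ID comes from the client cookie: allow only the characters PHP itself
    // generates so a crafted ID can never become a path traversal.
    private function path(string $id): string
    {
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) { throw new RuntimeException('invalid session id'); }
        return $this->dir . '/sess_' . $id;
    }
    public function open(string $path, string $name): bool { return is_dir($this->dir); }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $p = $this->path($id);
        $blob = is_file($p) ? file_get_contents($p) : false;
        if ($blob === false || strlen($blob) < 28) { return ''; } // no session yet: start empty
        [$nonce, $tag, $ct] = [substr($blob, 0, 12), substr($blob, 12, 16), substr($blob, 28)];
        $plain = openssl_decrypt($ct, 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA, $nonce, $tag);
        // A failed tag check means tampering or a rotated key: discard rather than trust it.
        return $plain === false ? '' : $plain;
    }
    public function write(string $id, string $data): bool
    {
        $nonce = random_bytes(12); // fresh per write: a reused GCM nonce breaks the cipher
        $ct = openssl_encrypt($data, 'aes-256-gcm', $this->key, OPENSSL_RAW_DATA, $nonce, $tag);
        return $ct !== false
            && file_put_contents($this->path($id), $nonce . $tag . $ct, LOCK_EX) !== false;
    }
    public function destroy(string $id): bool
    {
        $p = $this->path($id);
        return !file_exists($p) || unlink($p);
    }
    public function gc(int $max_lifetime): int|false
    {
        $stale = array_filter(glob($this->dir . '/sess_*') ?: [], fn($f) => filemtime($f) < time() - $max_lifetime);
        return count(array_filter($stale, 'unlink')); // number of expired sessions removed
    }
}
// Register before session_start(); every server behind a load balancer needs the same key.
$key = hex2bin(getenv('SESSION_KEY_HEX') ?: '') ?: '';
session_set_save_handler(new EncryptedFileSessionHandler($key, sys_get_temp_dir()), true);
```

Encryption at rest protects against someone who can read the session store but not the application's key; it does not replace the usual cookie hardening (HttpOnly, Secure, SameSite) or ID regeneration on login.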
  6. Least privilege

     <?php
     /* "Fail fast" for user handling */
     function checkAccess($user, $resource) {
         if (!$user->allowed($resource)) {
             return false;
         }
         /* Other permission checking here */
     }

     /* "Fail least" for user handling */
     function checkAccess($user, $resource) {
         if ($user == null) {
             return false;
         }
         if ($resource == null) {
             return false;
         }
         /* Other permission checking here */
     }
     ?>
  7. Fail securely

     <?php
     /* Custom error handler (in production, send this to a log rather than the response) */
     set_error_handler(function($num, $str, $file, $line) {
         echo 'ERROR: ['.$num.'] '.$str;
     });

     /* Custom exception handler for anything not caught elsewhere */
     set_exception_handler(function($exception) {
         echo 'Uncaught exception: '.$exception->getMessage();
     });
     ?>