Slide 1

PHP secure

Slide 2

Wild Lightning Talk Appeared!

Slide 3

Who is this guy?

Ben Edmunds
@benedmunds
http://benedmunds.com

Slide 4

Who is this guy?

Ben Edmunds
Open Source Author
PHP Town Hall Podcast
CTO at Mindfulware

Slide 5

Exceptions

Slide 7

Exceptions

try {
    // your code goes here
} catch (Exception $e) {
    // stops execution and prints the message (fine for a demo; log it and show a generic error in production)
    die($e->getMessage());
}

Slide 9

PDO

Slide 11

PDO Cross System

Slide 12

PDO Cross System

MS SQL
MySQL
Oracle
PostgreSQL
SQLite
CUBRID
Firebird
Informix
ODBC & DB2
4D

Slide 13

PDO

Cross System
Safe Binding

Slide 14

PDO

$stmt = $db->prepare('SELECT * FROM users WHERE id=:id');

$stmt->bindParam(':id', $id);
$stmt->execute();

Slide 15

PDO

// escaping input: the bound value travels separately from the SQL text
$stmt->bindParam(':id', $id);

Slide 16

PDO

// escaping input: the bound value travels separately from the SQL text
$stmt->bindParam(':id', $id);

// escaping output: ENT_QUOTES also converts single quotes, which PHP before 8.1 leaves alone by default
htmlentities($_POST['name'], ENT_QUOTES, 'UTF-8');

Slide 17

HTTPS / SSL

Slide 18

HTTPS/SSL

Encrypts traffic across the wire
Trusted sender and receiver
Required by OAuth 2

Slide 19

Passwords

Slide 20

Passwords

// safe password hashing ($algo is required; PASSWORD_DEFAULT currently selects bcrypt)
password_hash($_POST['pass'], PASSWORD_DEFAULT);

Slide 21

Passwords

// safe password hashing ($algo is required; PASSWORD_DEFAULT currently selects bcrypt)
password_hash($_POST['pass'], PASSWORD_DEFAULT);

// password verification (reads the algorithm and salt from the stored hash)
password_verify($_POST['pass'], $u->pass);

Slide 22

Authentication

Slide 23

Authentication

// authentication - access control
if (!$user->inGroup('admin')) {
    return 'ERROR YO';
}

Slide 24

Authentication

// authentication - brute force
if ($user->loginAttempts > 5) {
    return 'CAUGHT YA';
}

Slide 25

Safe Defaults

Slide 26

Safe Defaults

class YourController {
    // every property starts from a known, safe value
    protected $var1 = 'default value';

    function __construct() {
        …
    }
}

Slide 27

Safe Defaults

// initialise before the loop so an empty $array still leaves a defined value
$something = false;

foreach ($array as $k => $v) {
    $something = $v->foo;
    if ($something == 'bar') {
        …
    }
}

Slide 28

Popular Hacks

Slide 30

Popular Hacks

// Non-Persistent XSS
http://www.yourSite.com/?page_num=2&per_page=50
Send the link to someone, boom

Slide 31

Popular Hacks

// Persistent XSS
Same idea, except with data that is saved to the server and re-displayed

Slide 32

Popular Hacks

// XSS Protection

Title

Hello

Slide 33

Popular Hacks

// Cross Site Request Forgery (CSRF)
http://yourSite.com/users/12/delete

Slide 34

Popular Hacks

// CSRF Protection
POST / PUT / UPDATE / DELETE behind forms with one-time use tokens

Slide 35

Popular Hacks

// CSRF Protection
function generateCsrf() {
    // random_bytes() stands in for mcrypt_create_iv(16, MCRYPT_DEV_URANDOM): the mcrypt
    // extension was removed in PHP 7.2; hex-encode so the token survives a hidden form field
    $token = bin2hex(random_bytes(16));
    Session::flash('csrfToken', $token);
    return $token;
}

Slide 36

Popular Hacks

// CSRF Protection
// hash_equals() is a constant-time, strict string compare; a loose == would accept
// type-juggled values, and an empty stored token must never match
$expected = (string) Session::get('csrfToken');
$given = $_POST['token'] ?? '';
if ($expected !== '' && is_string($given) && hash_equals($expected, $given)) {
    …
}
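The one-time token flow from the last three slides, written as an added example (not code from the talk) against plain $_SESSION instead of the Session::flash()/Session::get() helper the slides assume; csrfGenerate, csrfVerify and csrfField are names chosen here, the session array is passed in so it runs from the command line, and it needs PHP 8.0 or later.

```php
<?php
// Added example (not from the talk): one-time CSRF tokens stored in the session array.
declare(strict_types=1);

const CSRF_KEY = 'csrfToken';

// Create a fresh token for a form and remember it server-side.
function csrfGenerate(array &$session): string
{
    $token = bin2hex(random_bytes(16));   // 128 bits from the CSPRNG, hex for form transport
    $session[CSRF_KEY] = $token;
    return $token;
}

// Verify a submitted token. The stored token is consumed whether or not the check
// passes, so each token can be used exactly once (a re-submitted form fails).
function csrfVerify(array &$session, mixed $submitted): bool
{
    $expected = $session[CSRF_KEY] ?? null;
    unset($session[CSRF_KEY]);                           // one-time use
    if (!is_string($expected) || $expected === '' || !is_string($submitted)) {
        return false;                                    // missing, already consumed, or not a string
    }
    return hash_equals($expected, $submitted);           // constant-time, strict string compare
}

// Render the hidden field; the token is escaped like any other output.
function csrfField(string $token): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Demo with an in-memory array standing in for $_SESSION (constructed inputs).
$session = [];
$token = csrfGenerate($session);
echo csrfField($token), "\n";

var_dump(csrfVerify($session, $token));        // first use of the token
var_dump(csrfVerify($session, $token));        // same token submitted again
$token = csrfGenerate($session);
var_dump(csrfVerify($session, ['x' => 1]));    // token[x]=1 in the POST body arrives as an array
$token = csrfGenerate($session);
var_dump(csrfVerify($session, 'tampered'));    // wrong value
```

In a real request $_SESSION is passed where $session is, and the generated token is also the right place to tie the check to the form that rendered it.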

Slide 37

Unit Testing

Slide 39

Unit Testing

PHPUnit
Behat
Mink
Selenium
CodeCeption
PHPSpec

Slide 40

Unit Testing

class ApiAuthTest extends PHPUnit_Framework_TestCase {

    public function testVerify() {

        $auth = new apiAuth();
        $this->assertTrue($auth->verify());
    }
}

Slide 42

Unit Testing

$ phpunit tests

PHPUnit 3.3.17 by Sebastian Bergmann.

Time: 0.01 seconds

OK (1 tests, 1 assertions)

Slide 43

Resources

Slide 45

Resources PHP.net

Slide 46

Resources

Modern Frameworks
Laravel
Symfony2
Fuel PHP
SlimPHP 2
Aura for PHP
Silex

Slide 47

Resources

leanpub.com/phptherightway
PHPtheRightWay.com

Slide 48

Resources

BuildSecurePHPapps.com
Coupon Code: nomadphp ($3 off)
http://buildsecurephpapps.com/?coupon=nomadphp

Slide 49

Q/A TIME!

Ben Edmunds
@benedmunds
http://benedmunds.com
http://buildsecurephpapps.com/?coupon=nomadphp