building modern and secure php applications – codementor office hours with ben edmunds
DESCRIPTION
Codementor PHP expert mentor Ben Edmunds is the co-host of PHP Town Hall and author of Building Secure PHP Apps. Ben is also the creator of Ion Auth, a simple, lightweight authentication library for CodeIgniter. In an interactive format, Ben talked about:
- Modern PHP
- Latest PHP tools
- SQL Injection
- Password Hashing and Authentication
- Other Common Hacks
https://www.codementor.io/benedmunds
https://www.codementor.io/php-tutorial/building-modern-secure-php-applications-codementor-office-hours-ben-edmunds
TRANSCRIPT
Modern & Secure PHP
not your grandma's PHP
Who is this guy?
Ben Edmunds
Open Source Author
PHP Town Hall Podcast
CTO at Mindfulware
Welcome to the Future
- Exceptions
- Namespaces
- Closures
- Statics
- PDO
- Short Arrays

Security

Legit Tools
- Built-in Server
- Unit Testing
- Composer

Welcome to the Future
Great Scott!
Exceptions
try {
    // your code goes here
} catch (Exception $e) {
    // fine for a demo; in production log the message and show a generic
    // error, since exception text can leak paths, queries and credentials
    die($e->getMessage());
}
Closures
Route::get('/', function () {
    return View::make('index');
});
Namespaces
namespace Illuminate\Console;

class Command
{
    // ...
}

// elsewhere: import the class by its fully qualified name
use Illuminate\Console\Command;
Statics
class Route
{
    public static function get()
    {
        // ...
    }
}

Route::get();

NO $this
$var = self::varAtDefinition;   // self:: resolves to the class where the code is written
$var = static::varAtExec;       // static:: resolves to the class actually called at runtime (late static binding)
Short Array Syntax
$array = array(
    0 => 'value1',
    1 => 'value2',
);

$array = [
    0 => 'value1',
    1 => 'value2',
];
PDO
Cross System: MS SQL, MySQL, Oracle, PostgreSQL, SQLite, CUBRID, Firebird, Informix, ODBC & DB2, 4D
Safe Binding
$stmt = $db->prepare('SELECT * FROM users WHERE id = :id');
$stmt->bindParam(':id', $id);
$stmt->execute();
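The slide shows the bound form only. The following is an added example (not from the slides) that runs the same lookup both ways against a constructed in-memory SQLite table, so the difference between pasting input into the SQL text and binding it as a parameter can be observed directly. It assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not from the slides: string concatenation vs. a bound
// parameter, run against a constructed in-memory SQLite database.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed attacker input: a valid id followed by an injected condition.
$id = '1 OR 1=1';

// Vulnerable: the input becomes part of the SQL text, the OR is parsed as
// SQL, and every row in the table comes back.
$rows = $db->query("SELECT * FROM users WHERE id = $id")->fetchAll(PDO::FETCH_ASSOC);
echo 'concatenated: ' . count($rows) . " row(s)\n";

// Safe: the statement is compiled with a placeholder first and the value is
// handed over separately, so it can only ever be compared as data. SQLite
// compares the text '1 OR 1=1' against the integer column and matches nothing.
$stmt = $db->prepare('SELECT * FROM users WHERE id = :id');
$stmt->bindValue(':id', $id);
$stmt->execute();
echo 'bound as string: ' . count($stmt->fetchAll(PDO::FETCH_ASSOC)) . " row(s)\n";

// Stricter still: validate the type before it reaches the database and bind
// it with an explicit PDO type. A non-numeric id never gets a query at all.
$stmt = $db->prepare('SELECT * FROM users WHERE id = :id');
$validated = filter_var($id, FILTER_VALIDATE_INT);
if ($validated === false) {
    echo "bound as int: rejected before query\n";
} else {
    $stmt->bindValue(':id', $validated, PDO::PARAM_INT);
    $stmt->execute();
    echo 'bound as int: ' . count($stmt->fetchAll(PDO::FETCH_ASSOC)) . " row(s)\n";
}
```

Two caveats a practitioner will want: on MySQL the string-bound case casts '1 OR 1=1' to 1 and returns one row rather than none, which is still not injection; and PDO's MySQL driver emulates prepares client-side by default, so set `PDO::ATTR_EMULATE_PREPARES` to `false` if you want the placeholder handled by the server.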
Security
- SQL Injection
- HTTPS
- Password Hashing
- Authentication
- Safe Defaults
- XSS & CSRF
Security
// input: bind parameters instead of escaping values into the query
$stmt->bindParam(':id', $id);

// escaping output
echo htmlentities($_POST['name']);
Security
HTTPS / SSL
- Encrypts traffic across the wire
- Authenticates the server to the client (and, with client certificates, the client to the server) and protects the data from tampering in transit
- Required by OAuth 2
Security
// authentication - access control
if (!$user->inGroup('admin')) {
    return 'ERROR YO';
}

// authentication - brute force
if ($user->loginAttempts > 5) {
    return 'CAUGHT YA';
}
Security
// safe password hashing (PHP 5.5+); the algorithm argument is required.
// PASSWORD_DEFAULT is bcrypt today and may change in a future PHP release,
// so store the hash in a column wide enough for longer hashes (255 is safe).
$hash = password_hash($_POST['pass'], PASSWORD_DEFAULT);

// password verification
password_verify($_POST['pass'], $u->pass);
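The slide covers hashing and verifying. The added example below (not from the slides) carries the same API through a register/login flow with an explicit cost, a dummy verification for unknown usernames so response time does not reveal whether the account exists, and a transparent upgrade of old hashes with password_needs_rehash(). `$users` is a constructed in-memory stand-in for the users table; the function names are the example's own.

```php
<?php
// Added example, not from the slides: hash with a chosen cost, verify, and
// upgrade stale hashes. $users is a constructed stand-in for a users table.
declare(strict_types=1);

const HASH_ALGO = PASSWORD_DEFAULT;   // bcrypt in current PHP; may change in future releases
const HASH_OPTIONS = ['cost' => 12];  // tune so one hash takes roughly 100 ms on your hardware

/** Store a new user. Only the hash is kept; the plaintext is never written anywhere. */
function registerUser(array &$users, string $username, string $password): void
{
    $users[$username] = ['pass' => password_hash($password, HASH_ALGO, HASH_OPTIONS)];
}

/**
 * Check a login. Returns true on success. If the stored hash was made with an
 * older algorithm or a lower cost, it is re-hashed with the current settings
 * while the plaintext is still in hand.
 */
function loginUser(array &$users, string $username, string $password): bool
{
    // Unknown user: still run a verify against a throwaway hash so the
    // request takes about as long as a real one.
    $stored = $users[$username]['pass'] ?? password_hash('dummy', HASH_ALGO, HASH_OPTIONS);
    if (!password_verify($password, $stored)) {
        return false;
    }
    if (isset($users[$username]) && password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username]['pass'] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

$users = [];
registerUser($users, 'alice', 'correct horse battery staple');

// A legacy row hashed at bcrypt's default cost of 10: it still verifies and
// is then rewritten at the current cost.
$users['bob'] = ['pass' => password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 10])];

var_dump(loginUser($users, 'alice', 'correct horse battery staple'));   // right password
var_dump(loginUser($users, 'alice', 'wrong'));                          // wrong password
var_dump(loginUser($users, 'bob', 'hunter2'));                          // legacy hash
var_dump(password_needs_rehash($users['bob']['pass'], HASH_ALGO, HASH_OPTIONS)); // after the upgrade
var_dump(loginUser($users, 'nobody', 'x'));                             // unknown user
```

Two things to keep in mind: bcrypt only looks at the first 72 bytes of the password, so either accept that or pre-hash very long inputs consistently; and the dummy hash above is recomputed per call for simplicity, so in a real service compute it once at startup.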
Security
// safe defaults: give every property a known value before the constructor runs
class YourController
{
    protected $var1 = 'default value';

    function __construct()
    {
        // ...
    }
}

// safe defaults: initialise before the loop so an empty $array cannot leave
// $something undefined (or holding a stale value from earlier)
$something = false;
foreach ($array as $k => $v) {
    $something = $v->foo;
    if ($something === 'bar') {
        // ...
    }
}
Security
// Non-Persistent XSS
http://www.yourSite.com/?page_num=2&per_page=50
If page_num or per_page is echoed back into the page unescaped, a script payload in those parameters runs in the browser of whoever opens the link.
Send the link to someone, boom

// Persistent XSS
Same idea, except with data that is saved to the server and re-displayed

// XSS Protection
<h1>Title</h1>
Hello <?= htmlentities($name) ?>
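The slide's htmlentities() call is the right idea, but its default flags (before PHP 8.1) leave single quotes alone, which is enough to break out of a single-quoted attribute, and no HTML escaping is enough inside a script block. The following added example (not from the slides) shows an escaping helper with the flags set explicitly, a constructed payload that defeats the default flags, and the JSON-based alternative for script context. The helper name `e()` is the example's own.

```php
<?php
// Added example, not from the slides: output escaping with explicit flags,
// and why the context decides the escaping rule.
declare(strict_types=1);

/** Escape a string for insertion into HTML text or a quoted attribute. */
function e(string $value): string
{
    // ENT_QUOTES: encode both ' and ". ENT_SUBSTITUTE: replace invalid UTF-8
    // rather than returning '' (which would silently blank the output).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed attacker input aimed at a single-quoted attribute.
$name = "x' onmouseover='alert(1)";

// Weak: htmlentities() with default flags on PHP < 8.1 encodes < > & and "
// but not ', so the value closes the attribute and adds an event handler.
$weak = "<a title='" . htmlentities($name) . "'>hi</a>";

// Hardened: every quote is encoded, the attribute cannot be closed early.
$safe = "<a title='" . e($name) . "'>hi</a>";

// Different context, different rule: inside <script> the value must be a
// JavaScript literal. json_encode with the HEX flags also neutralises
// </script> and quotes, so it is safe to embed in the HTML document.
$script = '<script>var name = ' . json_encode(
    $name,
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
) . ';</script>';

echo "weak:   $weak\n";
echo "safe:   $safe\n";
echo "script: $script\n";
```

htmlspecialchars() is sufficient for HTML; htmlentities() additionally encodes every character that has a named entity, which is harmless but unnecessary. Whichever you use, pass the flags and the charset explicitly rather than relying on defaults that differ between PHP versions.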
Security
// Cross Site Request Forgery (CSRF)
http://yourSite.com/users/12/delete
A state-changing action reachable by GET: any page the victim visits can trigger it with an image tag or a link, and the browser sends the victim's session cookie along with it.

// CSRF Protection
POST / PUT / PATCH / DELETE behind forms with one-time use tokens

// CSRF Protection
function generateCsrf() {
    // random_bytes() (PHP 7+) replaces mcrypt_create_iv(), which was removed in PHP 7.2;
    // bin2hex() makes the raw bytes safe to put in a form field or session
    $token = bin2hex(random_bytes(16));
    Session::flash('csrfToken', $token);
    return $token;
}

// CSRF Protection
// hash_equals() (PHP 5.6+) compares in constant time and never applies the
// loose == rules, under which numeric-looking strings such as '0e1' and '0e2' are equal
$expected = Session::get('csrfToken');
$given = $_POST['token'] ?? '';
if (is_string($given) && $expected !== null && hash_equals($expected, $given)) {
    // ...
}
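The slide code relies on a framework session wrapper. The added example below (not from the slides) does the whole thing in plain PHP: issue a token, render the hidden field, and consume the token exactly once, rejecting replays, missing or non-string submissions, and tokens older than a TTL. `$session` is a constructed stand-in for `$_SESSION` so the script runs from the CLI; the function names are the example's own.

```php
<?php
// Added example, not from the slides: one-time CSRF tokens in plain PHP.
// $session stands in for $_SESSION so this runs from the CLI; in a web app
// call session_start() and pass $_SESSION instead.
declare(strict_types=1);

/** Issue a fresh token, remember it server-side, and return it for the form. */
function issueCsrfToken(array &$session): string
{
    $token = bin2hex(random_bytes(32));        // 256 bits from the CSPRNG
    $session['csrf_tokens'][$token] = time();  // keyed so several forms can be open at once
    return $token;
}

/** Render the hidden field. The token is hex, escaping is belt and braces. */
function csrfField(string $token): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

/**
 * Validate and consume a submitted token. Returns true at most once per
 * token; a replayed, missing, non-string, or expired token is rejected.
 */
function consumeCsrfToken(array &$session, $submitted, int $ttl = 3600): bool
{
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    foreach ($session['csrf_tokens'] ?? [] as $known => $issuedAt) {
        // Constant-time comparison; == would also accept numeric look-alikes.
        if (hash_equals((string) $known, $submitted)) {
            unset($session['csrf_tokens'][$known]);   // one-time use
            return (time() - $issuedAt) <= $ttl;
        }
    }
    return false;
}

$session = [];
$token = issueCsrfToken($session);
echo '<form method="post" action="/users/12/delete">' . csrfField($token) . "</form>\n";

var_dump(consumeCsrfToken($session, $token));              // genuine submission
var_dump(consumeCsrfToken($session, $token));              // replay of the same token
var_dump(consumeCsrfToken($session, null));                // cross-site form: no token at all
var_dump(consumeCsrfToken($session, ['token' => 'x']));    // token[]=x: array, not a string
```

Tokens are stored server-side and only ever compared, never interpreted, so their format is irrelevant to safety. Setting the session cookie with `SameSite=Lax` or `Strict` is a worthwhile second layer, but it does not replace the token, since older clients ignore the attribute.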
Legit Tools
Built-in Web Server (for development only; it is not hardened for production use)
$ php -S localhost:8000
PHP 5.4.0 Development Server started...
Listening on localhost:8000
Document root is /home/ben/htdocs
Press Ctrl-C to quit
Composer
Another Package Manager!?
Sane Package Management
Autoloading

composer.json
{
    "require": {
        "stripe/stripe-php": "dev-master",
        "twilio/sdk": "dev-master"
    }
}
(dev-master pulls whatever is on the branch at install time; for anything you deploy, pin a release constraint and commit composer.lock so every install resolves to the same code.)

$ php composer.phar update
$ php composer.phar install

$client = new Services_Twilio($sid, $tkn);
$client->account
    ->messages
    ->sendMessage(…);
Unit Testing
PHPUnit, Behat, Mink, Selenium, Codeception, PHPSpec

// PHPUnit_Framework_TestCase became PHPUnit\Framework\TestCase in PHPUnit 6+
class ApiAuthTest extends PHPUnit_Framework_TestCase
{
    public function testVerify()
    {
        $auth = new ApiAuth();
        $this->assertTrue($auth->verify());
    }
}

$ phpunit tests
PHPUnit 3.3.17 by Sebastian Bergmann.
Time: 0.01 seconds
OK (1 tests, 1 assertions)
Resources
Modern Frameworks: Laravel, Symfony2, Fuel PHP, SlimPHP 2, Aura for PHP, Silex
leanpub.com/phptherightway
PHPtheRightWay.com
BuildSecurePHPapps.com
Coupon Code: codementor ($3 off)
http://buildsecurephpapps.com/?coupon=codementor

Q/A TIME!
Ben Edmunds
@benedmunds
http://benedmunds.com
http://buildsecurephpapps.com/?coupon=codementor