Mastering PHP Security


Mastering PHP Security
Chris Shiflett
Brain Bulb, The PHP Consultancy
chris@brainbulb.com
Who Am I? (Why Listen to Me?)
- Author of PHP Security (O'Reilly) and HTTP Developer's Handbook (Sams)
- Author of Security Corner (php|architect) and Guru Speak (PHP Magazine)
- Founder of PHP Security Consortium
- Member of Zend Advisory Board and an author of the Zend PHP Certification
- Founder and President of Brain Bulb, The PHP Consultancy
Talk Outline
- Introduction
- Two Best Programming Practices
- Two Most Common Vulnerabilities
- Lightning Attacks
- PHP Security Audit HOWTO (abridged)
- More Information
- Questions and Answers
Two Best Practices (The Least You Can Do)
- Filter Input
- Escape Output
Filter Input: What Is Input?
- Most input is obvious – form data ($_GET and $_POST), cookies ($_COOKIE), RSS feeds, etc.
- Some data is harder to identify – $_SERVER, data from databases, etc.
- Some data is frequently misunderstood – $_SESSION, etc.
- The key is to identify the origin of data. If it originates from any external source, it is input and must be filtered.
Filter Input: What Is Filtering?
- Filtering is the process by which you inspect data to prove its validity.
- When possible, use a whitelist approach – assume data to be invalid unless you can prove otherwise.
- Filtering is useless if you can't keep up with what has been filtered and what hasn't. Employ a strict naming convention that lets you easily and reliably distinguish between filtered and tainted data.
Filter Input: Show Me the Code!

    $clean = array();
    switch ($_POST['color']) {
        case 'red':
        case 'green':
            // a known-good value: copy it into $clean
            // (the slide's code is cut off after these cases in the extraction;
            //  the rest of the switch is completed here following the $clean convention)
            $clean['color'] = $_POST['color'];
            break;
        default:
            // anything else is rejected and never reaches $clean
            break;
    }
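As an added example (not from Shiflett's slides), the same filter-input, escape-output discipline applied to a constructed request with three kinds of field: a whitelisted value, a digit-string integer, and free text that cannot be whitelisted and is therefore escaped for HTML at output time. The field names, the sample request and the helper escapeHtml() are assumptions.

```php
<?php
// Added example: "filter input, escape output" with a strict naming convention.
// Everything in $clean has been proven valid; anything still read from $_POST is tainted.

// Constructed sample request standing in for a real form submission.
$_POST = ['color' => 'green', 'quantity' => '12', 'comment' => '<b>hi</b> & "bye"'];

$clean = [];

// Whitelist: only exact, known-good values pass (strict comparison, no type juggling).
$colors = ['red', 'green', 'blue'];
if (isset($_POST['color']) && in_array($_POST['color'], $colors, true)) {
    $clean['color'] = $_POST['color'];
}

// Format check: an unsigned integer is a non-empty string of digits; cast only after proving it.
if (isset($_POST['quantity']) && is_string($_POST['quantity']) && ctype_digit($_POST['quantity'])) {
    $clean['quantity'] = (int) $_POST['quantity'];
}

// Free text cannot be whitelisted: keep the tainted name and escape it where it is used.
$tainted_comment = (isset($_POST['comment']) && is_string($_POST['comment'])) ? $_POST['comment'] : '';

// Escape output: the output context chooses the escaping function; here it is HTML.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Required fields that did not make it into $clean mean the request is rejected.
if (!isset($clean['color'], $clean['quantity'])) {
    http_response_code(400);
    exit('Invalid input.');
}

echo '<p>Color: ' . escapeHtml($clean['color']) . "</p>\n";
echo '<p>Quantity: ' . $clean['quantity'] . "</p>\n";   // an int needs no HTML escaping
echo '<p>Comment: ' . escapeHtml($tainted_comment) . "</p>\n";
```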

Download Mastering PHP Security pdf from conf.phpquebec.com, 48 pages, 88.09KB.