PHP UK Conference 2013

Defensive programming techniques for PHP

Richard Johnson · PHP

Transcript

Excerpt from the automatic transcript of the video generated by YouTube.

First of all, this talk contains a lot of swearing and a very impassioned Australian, yeah, so sorry about that. I don't mean to cause any offence; if I do cause offence, sorry. Yeah, living, right on. So, welcome. The first thing about me: I'm not a security expert, guys, I'm just a developer. I've been working with PHP for a while. Look, I didn't study security or programming at university, I did multimedia with a sail major, but, you know, like many of us I got sucked into PHP through, you know, just the way that the world works; you end up sort of doing these things. I've been doing that for about 12 years, give or take, and I've been hacked a lot. So basically this talk is trying to maybe make people aware of the things that I wasn't aware of back in the day, and hopefully those people who are uber ninjas at PHP might, you know, just enjoy the ride.

So the main goal of today's talk is to scare the hell out of you. Like, honestly, if you guys go home today sort of questioning your own existence, looking at yourself and saying "why the ... am I doing this", I've succeeded, all right? Because, you know, programming securely is a difficult thing, and if you're scared, if you're examining everything that you're doing in detail, that means you're being defensive. That is what defensive development is about.

All right, so the topics we're going to cover today: things to avoid with PHP, just to brush over that; we're going to talk about string escaping, obviously, which is dull but kind of important; and then we're going to talk more about strings, which of course is good; and then code injections, bits like that; some infrastructure stuff, touch on that lightly; and finally a bit of a case study. Feel free to scream out at any point in time, I'll probably ignore you until the end.

Okay, first topic: why am I saying that PHP is evil? So basically a few points. Fundamentally, PHP in the past has encouraged developers to remain ignorant of really important issues like, you know, string escaping, for example; we'll get a little more into that in a bit, but yeah, that's pretty nasty. It has made terrible design decisions, like auto-registered variables and things like that. This is getting better, of course, as the language evolves, but, you know, they haven't done that so well. It has a lot of quirks, gotchas, inconsistencies and unknowns, you know, haystack-needle, needle-haystack, all that sort of stuff. Everyone loves that, right? Yeah, some nods in the audience.

Okay, for example: this is a classic sort of SQL injection. As you can see, we've got a user ID there; it's in a function, but, you know, you're not really sure what the user ID is. So a classic way of, you know, sanitising would be to cast it to an int, which is not the correct way, but we'll get onto that in a bit. However, a lot of people will take this kind of approach, right? That should be good enough; you know, in most cases, if UID is not an integer it'll just return zero, right? All right, once there, let's go on here. Okay, what have we got? Okay, so PHP: minus eight, right? Yeah, cool. Right, zero. Why is there a one, not negative one, right? See, anyway, that's by the by, that's cool. Say it was like an array, right? Yeah, zero as well, right? Yeah, nice, yeah, anyone in that? Cool. So you can imagine, you know, that if you did have a particular function you'd end up getting the first record, which a lot of the time is your admin user, right?

Some basic things to avoid: coding without notices; the shut-the-fuck-up symbol, right, love that thing, basically, and it's pretty much everywhere. I mean, this is a link to a blob of CodeIgniter; I've got that up on another thing here, but basically this little guy (we can't see that), this little guy here has caused major hassles in the past, because you don't know whether the username's incorrect or your hostname's incorrect or something like that, and when you're in a live configuration and everything's breaking, that takes a lot of digging. But yeah, okay, extract, obviously. Who's ever used extract, guys? No? No? Oh yeah, right, don't, please. Double dollar sign, which is really cool; who thought the double dollar sign was amazing when you first read about it in the PHP manual? Yeah, right, yeah, yeah. Don't, honestly. These things just clobber your variables, you've got no idea what the hell is going on in there; you can have no confidence that your variables are going to stay in the same state if you have code like this going around. So yeah, just basic ones: backtick, system and eval, everyone knows that, you know, if you use that you're just asking for trouble, right? It's like, yeah, it's really hard to escape properly, really hard to work with, and if you can avoid it, please do. Type juggling is also a classic one; you know, before, it would have been good if we'd, you know, just made sure that it was an integer and then, you know, thrown an exception or something like that instead of relying on PHP's sort of type mangling. And finally, being lazy. We're all PHP coders, and sort of being lazy is kind of in our blood, right? It's a scripting language, that's what we are, but it leads to issues. So, you know, just when you come across a bit of code, think twice about it.

All right, first of all, right: string escaping. SQL inject-what now? Okay, so right, it's 2013, right? Yeah, why do we still have SQL injection attacks, right? Like, everything that you hear about on the news, well, that sort of stuff: a SQL injection attack has resulted in this database being compromised, or something like that. It's not too hard to fix. And a bit of history: PHP was kind of invented in 1995, yay, yay, yay. Yes, Java was invented in 1995 as well, yeah, oh come on guys. So in 1996, just a year later, Java came out with JDO, Java Data Objects, with this fantastic little function called prepareStatement. Hands up, anyone know

[ ... ]

Note: the remaining 2,942 words of the full transcript have been omitted to comply with YouTube's "fair use" rules.
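As an added example (not code from the talk or its slides), the `(int)` cast shortcut the speaker criticises is placed next to strict validation and a PDO prepared statement; the `users` table, its sample rows and the in-memory SQLite setup are constructed for the demo.

```php
<?php
// Added example (not from the talk): why "(int) $uid" is not a sanitiser,
// and the strict-validation plus prepared-statement alternative.
// Uses an in-memory SQLite database with constructed sample rows.

function naiveUserId($uid): int
{
    // The shortcut criticised in the talk: "abc" becomes 0, a non-empty
    // array becomes 1 and "8 OR 1=1" silently becomes 8.
    return (int) $uid;
}

function strictUserId($uid): int
{
    // Accept only values that are entirely a positive integer; anything
    // else (arrays included) is rejected instead of being type-juggled.
    $value = filter_var($uid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($value === false) {
        throw new InvalidArgumentException('user id must be a positive integer');
    }
    return $value;
}

function findUser(PDO $db, int $id): ?array
{
    // Prepared statement: the id travels as a bound parameter, never as SQL text.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
// Constructed sample data: the first record is the admin, as in the talk.
$db->exec("INSERT INTO users (id, name) VALUES (1, 'admin'), (2, 'alice'), (8, 'bob')");
foreach (['8', '8 OR 1=1', '-8', ['x'], 'abc'] as $raw) {
    $shown = is_array($raw) ? 'array' : "'$raw'";
    $id    = naiveUserId($raw);
    $row   = findUser($db, $id);
    echo "naive  $shown -> id $id -> " . ($row ? $row['name'] : 'no row') . "\n";
    try {
        echo "strict $shown -> id " . strictUserId($raw) . " accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "strict $shown -> rejected\n";
    }
}
```

The array input is the case the speaker describes: the cast turns it into 1 and the naive lookup returns the admin row, while the strict path rejects everything except the plain `'8'`.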