
Don't Trust Your Users

Some of the most common vulnerabilities in web applications are caused by applications not properly inspecting the data that users send in. PHP has an entire suite of tools to help inspect, filter, and sanitize data that comes from the user and other outside parties. Using built-in methods and extra tools, you can protect your app from harmful data and users.


  1. Don't Trust Your Users – Chris Tankersley, ZendCon 2014
  2. Who Am I? ● A PHP Developer for 10 Years ● Lots of projects no one uses, and a few some do ● https://github.com/dragonmantank
  3. Everyone Loves a Story http://northweststate.edu/about-nscc/
  4. Programming is Just Acronyms ● DRY – Don't Repeat Yourself ● KISS – Keep It Simple, Stupid ● IPO – Input, Process, Output
  5. GIGO – Garbage In, Garbage Out
  6. Users Are a Nice Big Family
  7. Some People Want To Watch The World Burn
  8. We Love Contact Forms
  9. Client Side Validation
  10. HTML5 Validation
      <input type="email" required>
      <input type="text" pattern="\d{5}(-\d{4})?">
  11. Browsers Suck http://caniuse.com/#search=required
  12. Server Side is Necessary http://cucher.iblogger.org/images/as400_family.jpg
  13. Filtering vs Validation
  14. Removes Unwanted 'Stuff'
  15. Filtering changes things https://www.flickr.com/photos/httpwwwflickrcompeoplenadar/3349883/sizes/l
  16. Filtering changes things
  17. Validation Judges Things
  18. Most Libraries Do Both
  19. PHP's Filter Module
  20. Some Background ● Enabled by default since 5.2.0 ● Provides both Validation and Filtering ● Very easy to use to work with data ● Exposed via the 7 basic functions
  21. Validation is Easy and Fun!
      <?php
      var_dump(filter_var('755', FILTER_VALIDATE_INT));   // int(755)
      var_dump(filter_var('755.0', FILTER_VALIDATE_INT)); // bool(false)
  22. Basic Validation Out of the Box
  23. We can clean up data as well
      filter_var('ID 655', FILTER_SANITIZE_NUMBER_INT); // string(3) "655"
  24. What can we clean up?
  25. What can we clean up?
  26. Manual Filters
      function myFilter($string) { return substr($string, 5); }
      $output = filter_var('This is my test string', FILTER_CALLBACK, array(
          'options' => 'myFilter',
      )); // string(17) "is my test string"
  27. Does big jobs as well
  28. Aura.Filter
  29. Easy To Use
  30. Rule Types ● Soft Rules – Don't Stop the Validation Chain ● Hard Rules – Stop the Validation Chain For This Element ● Stop Rules – Stop All Validation
  31. Validation and Filtering ● RuleCollection::IS – Must match the rule ● RuleCollection::IS_NOT – Must not match ● RuleCollection::IS_BLANK_OR – Must be blank or match ● RuleCollection::FIX – Sanitize the data ● RuleCollection::FIX_IS_BLANK_OR – Fix if not blank
  32. Bundled Rules ● Alnum ● Alpha ● Between ● Blank ● Bool ● Credit Card ● DateTime ● Email ● Equal To Field ● Equal To Value ● Float ● In Array Keys ● In Array Values ● Int ● ipv4 ● Locale ● Max ● Min ● Regex ● Strict Equals ● String (length, min, max) ● Trim ● Upload ● Url
  33. Custom Rules ● Extend Aura\Filter\AbstractRule ● Implement validate() and sanitize() ● Add to the Rule Locator
  34. Check it out https://github.com/auraphp/Aura.Filter
  35. Use Your Framework's
  36. Zend Framework 2
  37. Zend\Validator
  38. Zend\Validator
  39. Zend\Validator
  40. Model Validation
  41. Symfony2 Validation
  42. Symfony2 Validator – Read the docs: http://symfony.com/doc/current/book/validation.html
  43. Symfony2 Validator
  44. Use with Forms
  45. Always Look First
  46. One Last Thing
  47. Validation is Hard
  48. Questions?
  49. Thanks! ● https://joind.in/talk/view/12063 ● @dragonmantank ● chris@ctankersley.com
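The filter-module slides (validation judges, filtering changes, `filter_var` with `FILTER_VALIDATE_*`, `FILTER_SANITIZE_*` and `FILTER_CALLBACK`) pulled together into one server-side contact-form check. This is an added example, not code from the talk; `validateContact()` is a hypothetical helper, the `$post` array is constructed sample input standing in for `$_POST`, and it assumes PHP 7.4+ for the arrow function.

```php
<?php
// Added example (not from the slides). Sanitizing filters change the data;
// validating filters judge it and return false on failure.

function validateContact(array $post): array
{
    $errors = [];
    $clean  = [];

    // Sanitize first: a custom FILTER_CALLBACK trims and strips tags,
    // so a pasted "<b>Alice</b>" becomes "Alice".
    $name = filter_var($post['name'] ?? '', FILTER_CALLBACK,
        ['options' => fn($s) => trim(strip_tags($s))]);
    if ($name === '') {
        $errors['name'] = 'name is required';
    }
    $clean['name'] = $name;

    // Validate: FILTER_VALIDATE_EMAIL does not trim, so trim before judging.
    $clean['email'] = filter_var(trim($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($clean['email'] === false) {
        $errors['email'] = 'invalid email address';
    }

    // The HTML5 zip pattern from the slides, enforced again on the server
    // with an anchored regex (browser checks can be bypassed).
    $clean['zip'] = filter_var($post['zip'] ?? '', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^\d{5}(-\d{4})?$/']]);
    if ($clean['zip'] === false) {
        $errors['zip'] = 'zip must look like 12345 or 12345-6789';
    }

    // Range-checked int. Compare with === false: a legitimate '0' validates
    // to int(0), which a plain if (!$age) check would wrongly treat as failure.
    $clean['age'] = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($clean['age'] === false) {
        $errors['age'] = 'age must be an integer from 0 to 150';
    }

    return ['clean' => $clean, 'errors' => $errors];
}

// Constructed sample submission: good name/zip, an age of '0' that must pass,
// a malformed email and a float where an int is required (both rejected).
$post = ['name' => '<b>Alice</b>', 'email' => 'not an email',
         'zip' => '43506-1234', 'age' => '0'];
var_dump(validateContact($post));
var_dump(validateContact(['age' => '755.0'] + $post)['errors']);
```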
