The goal of this talk is to educate developers on common security vulnerabilities, how they are exploited, and how to protect against them. We'll explore several of the OWASP Top 10 attack vectors like SQL injection, XSS, CSRF, session hijacking, and insecure direct object references. Each topic will be approached from the perspective of an attacker to see how these vulnerabilities are detected and exploited using several realistic examples. Once we've established an understanding of how these attacks work, we'll look at concrete steps you can take to secure web applications against such vulnerabilities. The knowledge gained from this talk can also be used for participating in "Capture the Flag" security competitions.
All projects start with a lot of enthusiasm. As many projects grow, the technical debt gets bigger and the enthusiasm gets smaller. Almost any developer can develop a great project, but the key is maintaining an ever-evolving application with minimal technical debt without losing enthusiasm.
During this talk you will be taken on the journey of application design. The starting point is an application that looks fine but contains lots of potential pitfalls. We will address the problems and solve them with beautiful design. We end up with testable, nicely separated software with a clear intention.
A game in which everyone wins, or two birds with one stone ;)
Working towards creating value for the customer and, from that, obtaining a library almost ready to be published.
What should you test with your unit tests? Some people will say that unit behaviour is best tested through its outcomes. But what if the communication between units is itself more important than the results of it? This session will introduce you to two different ways of unit testing and show you a way to assert your object behaviours through their communications.
We, as developers, often think that we don’t have to or don’t need to know what they call design patterns. We think that we already know how to build software and don’t need all this theory. Year after year, by having to deal with the low maintainability of my own codebases, I explored a lot of ways of decoupling applications, in order to have enterprise-grade software that lasts for years. With concrete examples, I want to share with you some design patterns and how they can help you to grow well-structured and decoupled applications.
You must’ve heard of unit testing… If not, then this talk is definitely for you! If you do know unit testing, you probably ran at some point into a hurdle: “Where do I start?” And despite your best efforts, you end up not having enough tests for your application – then that change request comes in, requiring you to change that very same complex piece of code for which you are lacking tests! How are you going to refactor while maintaining all those ‘undocumented’ business rules? This talk will show how Codeception can be leveraged to refactor the visual aspects of an application, maintain backwards compatibility on API changes and even assist in moving to a whole different server infrastructure.
“Writing code that lasts” … or writing code you won’t hate tomorrow. - PHPKonf (Rafael Dohms)
As developers we write code every day, only to frown at it a week later. Why do we have such a hard time with code written by others and ourselves, this raging desire to rewrite everything we see? Writing code that survives the test of time and self-judgment is a matter of clarity and simplicity. Let's talk about growing, learning and improving our code with calisthenics, readability and good design.
https://speakerdeck.com/willroth/50-laravel-tricks-in-50-minutes - origin
Laravel 5.1 raised the bar for framework documentation, but there's much, much more lurking beneath the surface. In this 50-minute session, we'll explore 50 (yes, 50!) high-leverage implementation tips & tricks that you just won't find in the docs: the IoC Container, Blade, Eloquent, Middleware, Routing, Commands, Queues, Events, Caching — we'll cover them all! Join us as we drink from the fire hose & learn to take advantage of everything that Laravel has to offer to build better software faster!
Your code sucks, let's fix it - DPC UnCon (Rafael Dohms)
How do you measure the quality of your code? Performance and testing are just one aspect of code; in order to meet deadlines and make maintenance quicker, you also need your code to be readable, decoupled and generally easier to comprehend and work with. This talk will go over tips and exercises to help you identify trouble areas, refactor them and train you to write better code in future projects. Come make your code look and function better.
Software development is riddled with explicit and implicit costs. Every decision you make has a cost attached to it. When you're writing code, you're making an investment, the size of which will for a long time define the costs of your future growth. In this talk you will learn how to see, understand and game some of these forces in your favour.
“Writing code that lasts” … or writing code you won’t hate tomorrow. - PHP Yo... (Rafael Dohms)
As developers we write code every day, only to frown at it a week later. Why do we have such a hard time with code written by others and ourselves, this raging desire to rewrite everything we see? Writing code that survives the test of time and self-judgment is a matter of clarity and simplicity. Let's talk about growing, learning and improving our code with calisthenics, readability and good design.
Software development is riddled with explicit and implicit costs. Every decision you make has a cost attached to it. When you're writing code, you're making an investment, the size of which will for a long time define the costs of your future growth. Making the right decisions about these investments is very tricky, and the cost of wrong decisions can be crippling for both the business and the teams that support it.
Extreme Programming, and Test-Driven Development in particular, are practices that aim to support the development effort by making it easier to introduce change. That said, sometimes those tools can become a problem of their own when applied in the wrong way or in the wrong context. Understanding software cost forces is a very important skill of successful teams and something that helps in understanding how to apply XP and TDD in different contexts.
Presentation made at the GTA meetup on 2012-02-07.
Object Calisthenics is a set of exercise rules for reaching better code: maintainable, testable and readable.
How do you measure the quality of your code? Performance and testing are just one aspect of code; in order to meet deadlines and make maintenance quicker, you also need your code to be readable, decoupled and generally easier to comprehend and work with. This talk will go over tips and exercises to help you identify trouble areas, refactor them and train you to write better code in future projects. Come make your code look and function better.
This session will introduce you to the new Form component in Symfony2. With the new domain-driven paradigm and its flexible design, the component opens a door to a wide range of possibilities. The brand new architecture makes creating complex forms easier and faster than ever before. This talk will teach you today what you need to know to build powerful forms tomorrow.
Performance and testing are just one aspect of code; to really be successful, your code needs to be readable, maintainable and generally easier to comprehend and work with. This talk draws from my own experience in applying the techniques of object calisthenics and code readability within an existing team. It will help you identify trouble areas, learn how to refactor them and train you to write better code in future projects while avoiding common pitfalls.
The IoC Hydra - Dutch PHP Conference 2016 (Kacper Gunia)
Slides from my talk presented during Dutch PHP Conference in Amsterdam - 25 June 2016
More Domain-Driven Design related content at: https://domaincentric.net/
Everything you always wanted to know about forms* *but were afraid to ask (Andrea Giuliano)
The Symfony2 Form component makes it possible to build many different kinds of forms in a completely straightforward way. Its flexible and highly scalable architecture lets you manage structures suited to every kind of need. However, knowing how to use its full power is not trivial. This talk will cover the Symfony2 Form component in depth, showing its basic mechanisms and how to use them to extend the component and introduce your own business logic, so as to build forms tailored to your needs.
The security component tackles the complex problems of authentication and authorization by spreading concerns across a number of single-responsibility objects. This is a flexible design, but difficult for beginners to navigate. This presentation will bring the security component to life for us all to understand! Join us to see some of your favorite members of the Symfony community perform the security component in a series of scenes, interspersed with some technical descriptions of what's going on.
Software bugs are inevitable; some are especially difficult to track down, causing you to waste countless hours before throwing your hands up in defeat. It doesn't have to be this way! The mental fatigue and wasted time can be avoided by using strategies like identifying the most-appropriate tool, taking a logical & objective approach, challenging assumptions, listening to variables, isolating the code path, and reinforcing code with automated tests. Attendees will learn how to combine these techniques with the right mindset and attitude in order to debug their code quickly and effectively.
If you want to get things done and have your project up-and-running in no time, then you might want to take a look at Microsoft Azure. For PHP apps it's easy to set up and get going.
Building and deploying Magento in Modern Web environment, using composer, continuous integration and deployment, hubot and slack all fully tested. Separating out your themes on a different release cycle. Stubbing your themes for faster iteration. We will also cover what's new in Magento 2.0 and why you should start using it now.
Discussing my experience journeying from medical academia to a more IT-rich environment, making that career switch and discovering new and interesting sights about the "real world of IT".
Your own recommendation engine with neo4j and reco4php - DPC16 (Christophe Willemsen)
Graph Databases are naturally well-suited for building recommendation engines. In this talk, Christophe will share his experience building a number of production-ready recommendation engines using Neo4j and introduce the open-source GraphAware Reco4PHP Library, which enables PHP developers to rapidly build their own recommender systems.
This presentation starts by a brief explanation of why graphs are a suitable data model for building recommender systems. A summary of typical recommendation engine requirements follows, including the business and technical challenges these requirements introduce. Afterwards, the talk dives into possible solutions of these challenges, both from business and architectural/design perspectives, and introduces the GraphAware Reco4PHP Library.
What follows is a demonstration of how this open-source recommendation engine skeleton solves many of the issues and how it handles the "plumbing", so that developers can focus on expressing the business logic specific to their domain.
A majority of examples in this talk are drawn from real-world use cases and the speaker's personal experience building recommendation engines. Attendees should have a very basic understanding of graph theory. Prior experience with Neo4j and the Cypher query language is a plus, but not necessary.
Attendees will learn:
* what is a recommendation engine and what it is good for
* why graphs are a good fit for building one
* what business and technical challenges one faces building a recommender
* what possible solutions there are for these challenges
* how to build a high-performance graph-based recommendation engine in minutes
* real-world case studies
DPC 2016 - 53 Minutes or Less - Architecting For Failure (benwaine)
An increasing number of web and business applications are hosted on the cloud. It’s easy: a few clicks, API calls or a script written with your favourite IaaS provider and your application is launched and available to your consumers.
That’s the problem, it’s deceptively easy to make an application available. It’s much harder to make an application reliably available. The much touted “four nines” - 99.99% availability means your application must be consistently available for all but 53 minutes a year.
Using AWS as an example this talk covers the choices you must make when hosting an application from the network up. Choices around Regions, Availability Zones, Service Discovery, Deployment and Maintenance all have a major impact on up time.
The practice of “Chaos Engineering” made famous by Netflix is demonstrated as a way to validate the choices you’ve made and help prepare you for the worst.
Modelling by Example is a set of practices that combine BDD (Behaviour Driven Development) and DDD (Domain Driven Design) techniques to create a workflow that directly drives code from a starting point of user requirements. We will see how a simple feature can be defined via conversation with stakeholders, captured as automatable requirements, and expressed directly in the object model using tools such as Behat and PhpSpec.
Uncon talk at DPC16.
Microservices are one of the current silver bullets. The cure for everything. Many have thought about creating them and some have tried and failed. This talk is about our attempt to move to microservices and the pitfalls one will encounter. It gives some tips on making it a success, but even more on accepting your failure and just improving.
You know that weekend project you always wanted to do but never had the time or priority for? This talk shows how a weekend project caught the attention of the community on GitHub, how it helped to better understand the inner workings of PHP, and the code improvements that can be made for performance. And all of this while playing Game Boy on an emulator written in PHP.
Elasticsearch: all the cool kids talk about it, and tutorials for beginners are aplenty, but what about beyond the first install and putting your first document in? This advanced talk will give you an insight into the steps that come next: a dive into analysers, performance for percolation and the gold nuggets for your cluster infrastructure. This is our experience with Elasticsearch in a 2.4 billion (yes, that would be nine zeroes indeed) page view environment with over 22 million documents. We're not the experts, but we can tell you a hell of a lot about our mistakes. Basic knowledge of Elasticsearch is assumed.
Functional programming, though far from new, has gained much traction recently. Functional programming characteristics have started to appear in the PHP world, too. Microframeworks including Silex and Slim, middleware architectures (Stack) and even standards (PSR-7) rely on concepts such as lambdas, referential transparency and immutability, all of which come from functional programming.
I’ll give you a crash course in Erlang, a pragmatic functional language to make you feel familiar with the functional paradigm. By comparing code samples between Erlang and PHP, you’ll find out how and why you should employ functional programming in your PHP applications. You’ll see that functional programming is nothing to be scared of. On the contrary, understanding its concepts broadens your programming horizon and provides you with valuable solutions to your problems.
A talk about the pillars that shape and build Object-Oriented Programming (OOP to its friends), as well as the concept of what an object is and what its properties are. The talk also includes a set of principles and design patterns that help detect the breaking of one of the paradigm's pillars, and how and when to use them.
What happens when the very frameworks, tools and patterns we cherish take the reins and force us to focus on all the boilerplate scaffolding, distracting us from solving the real problems? Sometimes the outside-in approach can lead us to code that is more complex and coupled than it has to be.
Eager Design offers a fresh approach. Instead of being led by the delivery mechanisms, frameworks and patterns, we focus on the problems worth solving. Inspired by functional programming and Domain Driven Design, the principles of Eager Design help us isolate and solve complex problems in a more focused and decoupled manner.
Starting from legacy code with a fragile and barely reusable structure, we will improve it incrementally with a focus on the business rules. We will use object-oriented design principles to make it easier to test and reuse, leaving your code more robust and scalable.
The PHP world is spinning quite fast these days. There’s a lot to keep up with. You can’t be an expert in all subjects, so you need a way to find out what’s relevant for you and your team. Which approaches to software development would be useful? Which programming paradigms could help you write better code? And which architectural styles will help your application to survive in this quickly changing world? In this talk I’ll help you answer these questions by taking a bird’s-eye view. I will quickly guide you along some of the most fascinating topics in modern PHP development: DDD, BDD, TDD, hexagonal architecture, CQRS, event sourcing and micro-services. We’ll see how these things are related to each other, and how understanding and applying them can help you improve your software projects in many ways.
Slides from the talk Hackeando Sua Aplicação PHP na Prática at PHPSP + IMA
Come review the main web security flaws in this 100% hands-on talk. I will hack a site with flaws live so that you can learn how to test your application for these flaws, how to exploit them to understand the risks and impacts they can have, and how to avoid them through countermeasures in the language configuration and in your code.
Hacking Your Way To Better Security - php[tek] 2016 (Colin O'Dell)
This talk educates developers on common security vulnerabilities, how they are exploited, and how to protect against them. We will explore several of the OWASP top 10 attack vectors, such as SQL injection, XSS, CSRF, and session hijacking. Each topic will be approached from the perspective of an attacker to learn how these vulnerabilities are detected and exploited using several realistic examples. We will then apply this knowledge to learn how web applications can be secured against such vulnerabilities.
Hacking Your Way To Better Security - DrupalCon Baltimore 2017 (Colin O'Dell)
This talk educates junior and mid-level developers on common security vulnerabilities, how they are exploited, and how to protect against them. We'll explore several of the OWASP Top 10 attack vectors like SQL injection, XSS, CSRF, and others. Each topic will be approached from the perspective of an attacker to see how these vulnerabilities are detected and exploited using several realistic examples. We'll then apply this knowledge to see how web applications can be secured against such vulnerabilities.
Hacking Your Way to Better Security - ZendCon 2016 (Colin O'Dell)
This talk educates developers on common security vulnerabilities, how they are exploited, and how to protect against them. We'll explore several of the OWASP Top 10 attack vectors like SQL injection, XSS, CSRF, and others. Each topic will be approached from the perspective of an attacker to see how these vulnerabilities are detected and exploited using several realistic examples. We'll then apply this knowledge to see how web applications can be secured against such vulnerabilities.
The most massive crime of identity theft in history was perpetrated in 2007 by exploiting an SQL Injection vulnerability. This issue is one of the most common and most serious threats to web application security. In this presentation, you'll see some common myths busted and you'll get a better understanding of defending against SQL injection.
SQL Injection in action with PHP and MySQL (Pradeep Kumar)
A hands-on example of SQL injection using PHP and MySQL.
It also offers an overview of how it gets into our applications and how we can overcome SQL injection.
Mike Creuzer's presentation from the December, 2009 Suburban Chicago PHP & Web Dev Meetup. The topic is SQL injection in PHP and common PHP content management systems.
Visit Mike's blog at http://mike.creuzer.com/
ASCII is so 1963. Nowadays, computers must support a broad range of different characters beyond the 128 we had in the early days of computing - not just accents and emojis but also completely different writing systems used around the globe. The Unicode standard packs a whopping 143,859 characters into an elegant system used by over 95% of the Internet, but PHP's string functions don't play nicely with Unicode by default, making it difficult for developers to properly handle such a wide array of possible user inputs.
In this talk, we'll explore why Unicode is important, how the various encodings like UTF-8 work under-the-hood, how to handle them within PHP, and some nifty tricks and shortcuts to preserve performance.
Releasing High Quality Packages - Longhorn PHP 2021 (Colin O'Dell)
Releasing open-source libraries is more than sharing your GitHub URL with the world. There are many considerations and steps involved especially for successful and long-lived projects.
In this talk, we’ll cover the principles behind creating, releasing, and maintaining high-quality libraries. Topics will include structuring the repository, implementing modern PHP standards, maintaining changelogs, using CI tests, releasing new versions, and more.
Releasing High Quality PHP Packages - ConFoo Montreal 2019 (Colin O'Dell)
Releasing open-source libraries is more than sharing your GitHub URL with the world. There are many considerations and steps involved, especially for successful and long-lived projects.
In this talk we’ll cover the principles behind creating, releasing and maintaining high-quality libraries. Topics will include structuring the repository, implementing modern PHP standards, maintaining changelogs, using CI tests, releasing new versions and more.
Debugging Effectively - ConFoo Montreal 2019 (Colin O'Dell)
Software bugs are inevitable; some are especially difficult to track down, causing you to waste countless hours before throwing your hands up in defeat. It doesn't have to be this way! Fatigue and wasted time can be avoided with strategies and techniques to break through those mental barriers. Attendees will learn how to combine these techniques with the right mindset and attitude in order to debug their code quickly and effectively.
Automating Deployments with Deployer - php[world] 2018Colin O'Dell
Have you ever botched a deployment and taken a site offline? I have - more times then I'd like to admit. What if we could completely automate the deployment process, make it lightning fast, remove most of the risk, and do it all without custom bash scripts? Better yet, what if we could use the same exact deployment process locally or trigger it via CI? All of this is possible with Deployer - a PHP-based deployment tool which supports virtually every CMS and framework! Attendees will learn the basics of Deployer, how to customize deployments to fit their needs, and how to handle situations if things go wrong.
Releasing open-source libraries involves much more than sharing your Github URL with the world. There are many considerations and steps involved, especially if you want your project to be successful and long-lived. In this talk, we'll cover the principles behind creating, releasing, and maintaining high-quality libraries. Topics will include structuring the repository, implementing modern PHP standards, maintaining changelogs, using CI tests, releasing new versions, and other best practices. Attendees will walk away with enough knowledge to publish their own quality PHP packages on Packagist for others to use.
Software bugs are inevitable; some are especially difficult to track down, causing you to waste countless hours before throwing your hands up in defeat. It doesn't have to be this way! The mental fatigue and wasted time can be avoided by using strategies like identifying the most-appropriate tool, taking a logical & objective approach, challenging assumptions, listening to variables, isolating the code path, and reinforcing code with automated tests.
CommonMark: Markdown Done Right - ZendCon 2017Colin O'Dell
Markdown is one of the most popular markup languages on the web. Unfortunately, with no standard specification, every implementation works differently, producing varying results across different platforms. The CommonMark specification fixes this by providing an unambiguous syntax specification and a comprehensive suite of tests. In this session you'll learn about this standard and how to integrate the league/commonmark parser into their PHP applications. We'll also cover how to customize the library to implement new features like custom Markdown syntax or advanced renderers.
Rise of the Machines: PHP and IoT - ZendCon 2017Colin O'Dell
The Internet of Things (IoT) is fundamentally changing how we interact with the digital world. In this session we’ll explore the implementation of real examples which bridge the gap between the physical and digital world using PHP: asking Alexa for information within a PHP application; displaying API data on an Arduino-powered display; using PHP to control LEDs on a Raspberry Pi to monitor application uptime; and connecting IR sensors to Slack to see whether a conference room is in use.
Debugging Effectively - All Things Open 2017Colin O'Dell
Software bugs are inevitable; some are especially difficult to track down, causing you to waste countless hours before throwing your hands up in defeat. It doesn’t have to be this way! The mental fatigue and wasted time can be avoided by using strategies like identifying the most-appropriate tool, taking a logical & objective approach, challenging assumptions, listening to variables, isolating the code path, and reinforcing code with automated tests.
Software bugs are inevitable; some are especially difficult to track down, causing you to waste countless hours before throwing your hands up in defeat. It doesn't have to be this way! The mental fatigue and wasted time can be avoided by using strategies like identifying the most-appropriate tool, taking a logical & objective approach, challenging assumptions, listening to variables, isolating the code path, and reinforcing code with automated tests. Attendees will learn how to combine these techniques with the right mindset and attitude in order to debug their code quickly and effectively.
Software bugs are inevitable; some are especially difficult to track down, causing you to waste countless hours before throwing your hands up in defeat. It doesn't have to be this way! The mental fatigue and wasted time can be avoided by using strategies like identifying the most-appropriate tool, taking a logical & objective approach, challenging assumptions, listening to variables, isolating the code path, and reinforcing code with automated tests. Attendees will learn how to combine these techniques with the right mindset and attitude in order to debug their code quickly and effectively.
Automating Your Workflow with Gulp.js - php[world] 2016Colin O'Dell
Gulp is a powerful utility for automating development workflows. Tasks are written using code, not configuration, enabling the easy creation of highly-custom and flexible automations. This talk introduces developers to the core concepts of gulp.js, and how to leverage it for new & existing projects. We’ll cover several examples of common tasks for managing CSS, JS and PHP, including: compiling Sass, minifying files, running PHP tests, checking code styles, ensuring legacy browser support & more.
Rise of the Machines: PHP and IoT - php[world] 2016Colin O'Dell
The Internet of Things (IoT) is fundamentally changing how we interact with the digital world. In this talk, we’ll explore the implementation of live examples which bridge the gap between the physical and digital world using PHP: asking Alexa for information on php[world] conference sessions; displaying API data on an Arduino-powered display; using PHP to control LEDs on a Raspberry Pi to monitor application uptime; and connecting IR sensors to Slack to see whether a conference room is in use.
Software bugs are inevitable; some are especially difficult to track down, causing you to waste countless hours before throwing your hands up in defeat. It doesn't have to be this way! The mental fatigue and wasted time can be avoided by using strategies like identifying the most appropriate tool, taking a logical and objective approach, challenging assumptions, listening to variables, isolating the code path, and reinforcing code with automated tests. Attendees will learn how to combine these techniques with the right mindset and attitude in order to debug their code quickly and effectively.
Hacking Your Way to Better Security - PHP South Africa 2016 (Colin O'Dell)
This talk educates developers on common security vulnerabilities, how they are exploited, and how to protect against them. We'll explore several of the OWASP Top 10 attack vectors like SQL injection, XSS, CSRF, and more. Each topic will be approached from the perspective of an attacker to see how these vulnerabilities are detected and exploited using several realistic examples. We'll then apply this knowledge to see how web applications can be secured against such vulnerabilities.
2. Colin O’Dell
@colinodell
Lead Web Developer at Unleashed Technologies
PHP developer since 2002
league/commonmark maintainer
PHP 7 Upgrade Guide e-book author
php[world] 2015 CtF winner
3. Goals
Explore several top security vulnerabilities from the perspective of an attacker.
1. Understand how to detect and exploit common vulnerabilities
2. Learn how to protect against those vulnerabilities
4. Disclaimers
1. NEVER test systems that aren't yours without explicit permission.
2. Examples in this talk are fictional, but the vulnerability behaviors shown are very real.
10. SQL Injection Basics
$value = $_REQUEST['value'];
$sql = "SELECT * FROM x WHERE y = '$value' ";
$database->query($sql);
// $value is pasted straight into the SQL text, so the database receives:
// SELECT * FROM x WHERE y = '[MALICIOUS CODE HERE]'
14. $ tail -n 1 /var/log/apache2/error.log
MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "password'" at line 1.
$ tail -n 1 /var/log/mysql/query.log
SELECT * FROM users WHERE username = 'admin' AND password = 'password'';
18. $ tail -n 1 /var/log/apache2/error.log
MySQL error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near "' test" at line 1.
$ tail -n 1 /var/log/mysql/query.log
SELECT * FROM users WHERE username = 'admin' AND password = '' test';
20. SELECT * FROM users WHERE username = 'admin' AND password = '' test';
SELECT * FROM users WHERE username = 'admin' AND password = '';
SELECT * FROM users WHERE username = 'admin' AND password = '' OR (something that is true);
SELECT * FROM users WHERE username = 'admin' AND (true);
SELECT * FROM users WHERE username = 'admin';
21-22. Input:  ' test
SELECT * FROM users WHERE username = 'admin' AND password = '' test ';
(the injected text lands between the quotes and breaks the statement)
23. Building the payload step by step:
SELECT * FROM users WHERE username = 'admin' AND password = ' ';
24. Input:  '
SELECT * FROM users WHERE username = 'admin' AND password = '' ';
25. Input:  ' '
SELECT * FROM users WHERE username = 'admin' AND password = '' ' ';
26. Input:  ' OR '
SELECT * FROM users WHERE username = 'admin' AND password = '' OR ' ';
27. Input:  ' OR '1'='1
SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1';
33. Login form
Username: admin
Password: ' AND (SELECT id FROM user LIMIT 1) = '
Response: Unknown error.
Query sent to the database:
SELECT * FROM users WHERE username = 'admin' AND password = '' AND (SELECT id FROM user LIMIT 1) = '';
38. SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/123
SELECT * FROM books WHERE id = 123
$id = …;
$sql = "SELECT title, author, price
FROM books WHERE id = " . $id;
$data = $database->query($sql);
{
'title' => 'The Great Gatsby',
'author' => 'F. Scott Fitzgerald',
'price' => 9.75
}
39. SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/99999
SELECT * FROM books WHERE id = 99999
$id = …;
$sql = "SELECT title, author, price
FROM books WHERE id = " . $id;
$data = $database->query($sql);
{
}
40. SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/?????
SELECT * FROM books WHERE id = ?????
$id = …;
$sql = "SELECT title, author, price
FROM books WHERE id = " . $id;
$data = $database->query($sql);
{
'title' => '',
'author' => '',
'price' => 0.00
}
41. SQL UNION Query
Column 1         | Column 2            | Column 3
The Great Gatsby | F. Scott Fitzgerald | 9.75
  UNION
Column 1         | Column 2            | Column 3
Foo              | Bar                 | 123
  =
Column 1         | Column 2            | Column 3
The Great Gatsby | F. Scott Fitzgerald | 9.75
Foo              | Bar                 | 123
42. SQL UNION Query
Column 1         | Column 2            | Column 3
The Great Gatsby | F. Scott Fitzgerald | 9.75
  UNION
Column 1         | Column 2            | Column 3
(SELECT)         | 1                   | 1
  =
Column 1         | Column 2            | Column 3
The Great Gatsby | F. Scott Fitzgerald | 9.75
(SELECT)         | 1                   | 1
44. SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/99999 UNION SELECT number FROM creditcards
Result: empty (the UNION must return the same number of columns as the original query)
45-47. SQL Injection - Data Disclosure
http://www.onlinebookstore.com/books/99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards
$id = …;
$sql = "SELECT title, author, price
FROM books WHERE id = " . $id;
$data = $database->query($sql);
Resulting query:
SELECT * FROM books WHERE id = 99999
UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards
Result:
{
'title' => '4012-3456-7890-1234',
'author' => 1,
'price' => 1
}
48. Protecting Against SQL Injection
$val = $_REQUEST['value'];
$sql = "SELECT * FROM x WHERE y = '$val' ";
$database->query($sql);
Block input with special characters
49. Protecting Against SQL Injection
Block input with special characters
Escape user input
$value = $_REQUEST['value'];
$escaped = mysqli_real_escape_string($mysqli, $value);
$sql = "SELECT * FROM x WHERE y = '$escaped' ";
$mysqli->query($sql);
Input:   ' OR '1' = '1
After mysqli_real_escape_string():   \' OR \'1\' = \'1
SELECT * FROM x WHERE y = '\' OR \'1\' = \'1'
51. Protecting Against SQL Injection
Block input with special characters
Escape user input
Use prepared statements
$mysqli = new mysqli("localhost", "user", "pass", "db");
// The placeholder is not quoted: the driver sends the value separately from the SQL text.
$q = $mysqli->prepare("SELECT * FROM x WHERE y = ?");
$value = $_REQUEST['value'];
$q->bind_param("s", $value);
$q->execute();
Native PHP:
● mysqli
● pdo_mysql
Frameworks / Libraries:
● Doctrine
● Eloquent
● Zend_Db
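The login query from slides 20-27 built by concatenation, beside the prepared-statement version from slide 51, plus the numeric /books/{id} lookup from slides 38-47 with the id validated and bound as an integer. This is an added example, not code from the deck; it runs against an in-memory SQLite database through PDO (assumes the pdo_sqlite extension is loaded), and the table rows are constructed sample data.

```php
<?php
// Added example: vulnerable concatenation vs. parameterised queries, runnable offline.
// Assumes pdo_sqlite; the users/books rows below are constructed for the demo.

function setupDatabase(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
    $db->exec('CREATE TABLE books (id INTEGER PRIMARY KEY, title TEXT, author TEXT, price REAL)');
    // Plaintext password only to mirror the slides' query; real code stores password_hash() output.
    $db->exec("INSERT INTO users (username, password) VALUES ('admin', 's3cret')");
    $db->exec("INSERT INTO books VALUES (123, 'The Great Gatsby', 'F. Scott Fitzgerald', 9.75)");
    return $db;
}

// Vulnerable (slide 10 pattern): the input becomes part of the SQL text.
function loginVulnerable(PDO $db, string $username, string $password): int
{
    $sql = "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
    return count($db->query($sql)->fetchAll());
}

// Safe: the SQL text is fixed at prepare time; values travel as parameters.
function loginPrepared(PDO $db, string $username, string $password): int
{
    $stmt = $db->prepare('SELECT * FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$username, $password]);
    return count($stmt->fetchAll());
}

// Numeric id: validate the shape, then bind as an integer. A value such as
// "99999 UNION SELECT ..." is rejected before any SQL is built.
function findBook(PDO $db, string $rawId): ?array
{
    if ($rawId === '' || !ctype_digit($rawId)) {
        return null;
    }
    $stmt = $db->prepare('SELECT title, author, price FROM books WHERE id = ?');
    $stmt->bindValue(1, (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = setupDatabase();

$payload = "' OR '1'='1";                       // the password input from slide 27
$vulnerable = loginVulnerable($db, 'admin', $payload);
$prepared   = loginPrepared($db, 'admin', $payload);
// Concatenation yields "... password = '' OR '1'='1'" and matches the admin row;
// the prepared statement compares against the literal payload and matches nothing.
if ($vulnerable !== 1 || $prepared !== 0) {
    throw new RuntimeException("unexpected login results: $vulnerable / $prepared");
}

$union = "99999 UNION SELECT number AS 'title', 1 AS 'author', 1 AS 'price' FROM creditcards";
if (findBook($db, '123')['title'] !== 'The Great Gatsby' || findBook($db, $union) !== null) {
    throw new RuntimeException('unexpected book lookup results');
}

echo "Concatenated login query matched {$vulnerable} row(s); prepared statement matched {$prepared}.\n";
echo "Book 123: " . findBook($db, '123')['title'] . "; UNION payload rejected.\n";
```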
52. Other Types of Injection
NoSQL databases
OS Commands
LDAP Queries
SMTP Headers
53. XSS - Cross-Site Scripting
Injecting code into the webpage (for other users)
• Execute malicious scripts
• Hijack sessions
• Install malware
• Deface websites
54. XSS Attack Basics
$value = $_POST['value'];
$value = $rssFeed->first->title;
$value = db_fetch('SELECT x FROM table');
<?php echo $value ?>
Raw code/script is injected onto a page.
55. XSS – Cross-Site Scripting Basics
Snipicons by Snip Master licensed under CC BY-NC 3.0.
Cookie icon by Daniele De Santis licensed under CC BY 3.0.
Hat image from http://www.yourdreamblog.com/wp-content/uploads/2013/04/blackhat.png
Logos are copyright of their respective owners.
<form id="evilform"
action="https://facebook.com/password.php"
method="post">
<input type="password" value="hacked123">
</form>
<script>
document.getElementById('evilform').submit();
</script>
61. XSS – Cross-Site Scripting
short.ly
<script>alert('hello world!');</script> Shorten
Short URL: http://short.ly/3bs8a
Original URL:
[alert dialog] hello world! [OK]
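How the short.ly result page above could render the submitted URL without running it, as an added example that is not part of the original deck. It assumes the original URL is shown both as text and as a link, and the helper names are mine.

```php
<?php
// Added example, not from the slides: render a user-supplied URL on the result page.
// Assumes the original URL is shown both as text and as a link; helper names are mine.
declare(strict_types=1);

// Escape for an HTML text node or a double-quoted attribute value.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Only http(s) URLs become clickable; any other scheme (or no scheme at all) is shown
// as plain text, because escaping alone does not make an href safe.
function safeHref(string $url): ?string {
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'])) {
        return null;
    }
    return in_array(strtolower($parts['scheme']), ['http', 'https'], true) ? $url : null;
}

function renderOriginalUrl(string $url): string {
    $href = safeHref($url);
    if ($href === null) {
        return 'Original URL: ' . e($url);
    }
    return 'Original URL: <a href="' . e($href) . '">' . e($url) . '</a>';
}

// Constructed inputs: the payload typed into short.ly on slide 61, a non-http scheme,
// and an ordinary URL that happens to contain markup characters.
$inputs = [
    "<script>alert('hello world!');</script>",
    "javascript:void(0)",
    "https://example.com/?q=<b>",
];
foreach ($inputs as $url) {
    echo renderOriginalUrl($url), "\n";
}
```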
73. CSRF – Cross-Site Request Forgery
Execute unwanted actions on another site which the user is logged in to.
• Change password
• Transfer funds
• Anything the user can do
74. CSRF – Cross-Site Request Forgery
Hi Facebook! I am
colinodell and my
password is *****.
Welcome Colin!
Here’s your
news feed.
75. CSRF – Cross-Site Request Forgery
Hi other website!
Show me your
homepage.
Sure, here you go!
<form id="evilform"
action="https://facebook.com/password.php"
method="post">
<input type="password" value="hacked123">
</form>
<script>
document.getElementById('evilform').submit();
</script>
77. CSRF – Cross-Site Request Forgery
Tell Facebook we want to
change our password to
hacked123
78. CSRF – Cross-Site Request Forgery
Hi Facebook! Please
change my
password to
hacked123.
Done!
80. CSRF – Cross-Site Request Forgery
short.ly
Please wait while we redirect you to
81. Protecting Against CSRF Attacks
Use randomized CSRF tokens
<input type="hidden" name="token" value="ao3i4yw90sae8rhsdrf">
1. Generate a random string per user.
2. Store it in their session.
3. Add to form as hidden field.
4. Compare submitted value to session
   1. Same token? Proceed.
   2. Different/missing? Reject the request.
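The four steps above in plain PHP, as an added example that is not part of the original deck. A plain array stands in for $_SESSION so the script runs without a web server; the form action and field names are assumptions.

```php
<?php
// Added example, not from the slides: CSRF tokens per the four steps on slide 81.
// A plain array stands in for $_SESSION; form action and field names are assumptions.
declare(strict_types=1);

// Steps 1 and 2: one random token per session, created on first use and kept server-side.
function csrfToken(array &$session): string {
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Step 3: the hidden field that goes into every state-changing form.
function csrfField(array &$session): string {
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $token . '">';
}

// Step 4: compare the submitted value with the session copy. hash_equals() keeps the
// comparison constant-time so the token is not leaked through timing differences.
function csrfValid(array $session, array $post): bool {
    if (!isset($session['csrf_token'], $post['token']) || !is_string($post['token'])) {
        return false;                       // missing token: reject
    }
    return hash_equals($session['csrf_token'], $post['token']);
}

// Constructed walk-through: render our own form, then validate three submissions.
$session = [];
echo '<form method="post" action="/change-password">', csrfField($session),
     '<input type="password" name="new_password"></form>', "\n";

$fromOurForm = ['new_password' => 'hunter2',   'token' => $session['csrf_token']];
$forged      = ['new_password' => 'hacked123'];   // another origin cannot read our token
$guessed     = ['new_password' => 'hacked123', 'token' => 'ao3i4yw90sae8rhsdrf'];

foreach (['own form' => $fromOurForm, 'forged' => $forged, 'guessed' => $guessed] as $label => $post) {
    printf("%-9s %s\n", $label, csrfValid($session, $post) ? 'proceed' : 'reject');
}
```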
89. Protecting Against Insecure Direct Object References
Check permission on data input
• URL / route parameters
• Form field inputs
• Basically anything that’s an ID
• If they don’t have permission, show a 403 (or 404) page
90. Protecting Against Insecure Direct Object References
Check permission on data output
• Do they have permission to access this object?
• Do they have permission to even know this exists?
• This is not “security through obscurity”
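The bank-transfer case from the speaker notes with both checks in place, as an added example that is not part of the original deck. The ownership check runs on the input (the "from" account id posted by the form) and on the output (any account the user asks to see); the table and rows are constructed, and the exception class and function names are mine.

```php
<?php
// Added example, not from the slides: ownership checks on input and output for a
// bank-transfer form. Table, rows, class and function names are constructed.
declare(strict_types=1);

// Thrown when the id is unknown OR belongs to someone else; the controller maps it to
// 404 (or 403 if you prefer to acknowledge the object exists).
final class NotFound extends RuntimeException {}

function openDemoDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec("CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner_id INTEGER, balance INTEGER)");
    $pdo->exec("INSERT INTO accounts VALUES (8, 1, 500), (9, 2, 100)");
    return $pdo;
}

// Output check: filtering by owner inside the query means a foreign id is simply
// "not found", so the response does not even confirm that the other account exists.
function loadOwnAccount(PDO $pdo, int $userId, int $accountId): array {
    $stmt = $pdo->prepare("SELECT id, owner_id, balance FROM accounts WHERE id = ? AND owner_id = ?");
    $stmt->execute([$accountId, $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        throw new NotFound("account $accountId");
    }
    return $row;
}

// Input check: the source account comes from a form field, so it is verified against
// the logged-in user before any money moves. The destination may be any account.
function transfer(PDO $pdo, int $userId, int $fromId, int $toId, int $amount): void {
    $from = loadOwnAccount($pdo, $userId, $fromId);
    if ($amount <= 0 || $from['balance'] < $amount) {
        throw new DomainException('invalid amount');
    }
    $pdo->beginTransaction();
    $pdo->prepare("UPDATE accounts SET balance = balance - ? WHERE id = ?")->execute([$amount, $fromId]);
    $pdo->prepare("UPDATE accounts SET balance = balance + ? WHERE id = ?")->execute([$amount, $toId]);
    $pdo->commit();
}

$pdo = openDemoDb();
transfer($pdo, 1, 8, 9, 50);          // user 1 moves money out of their own account 8
try {
    transfer($pdo, 2, 8, 9, 50);      // user 2 changed the 9 to an 8 in the form: rejected
} catch (NotFound $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```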
98. Sensitive Data Exposure
Private information that is stored, transmitted, or backed-up in clear text (or with weak encryption)
• Customer information
• Credit card numbers
• Credentials
99. Security Misconfiguration & Components with Known Vulnerabilities
Default accounts enabled; weak passwords
• admin / admin
Security configuration
• Does SSH grant root access?
• Are weak encryption keys used?
Out-of-date software
• Old versions with known issues
• Are the versions exposed?
• Unused software running (FTP server)
103. Protecting Against Sensitive Data Exposure, Security Misconfiguration, and Components with Known Vulnerabilities
Keep software up-to-date
• Install critical updates immediately
• Install other updates regularly
104. Keep sensitive data out of web root
• Files which provide version numbers
• README, CHANGELOG, .git, composer.lock
• Database credentials & API keys
• Encryption keys
105. Use strong encryption
• Encrypt with a strong private key
• Encrypt backups and data-in-transit
• Use strong hashing techniques for passwords
106. Test your systems
• Scan your systems with automated tools
• Test critical components yourself
• Automated tests
• Manual tests
107. Next Steps
Test your own applications for vulnerabilities
Learn more about security & ethical hacking
Enter security competitions (like CtF)
Stay informed
14 years
For those who aren’t familiar, Capture the Flag is a security competition
I’m not sharing this brag, but rather
Showing you don’t have to be a professional security researcher or pentester to be knowledgeable about security
In fact, I think it’s critically important that all developers... Especially in this day and age
I’d like to share some of that security knowledge with you today
“Goals of this intermediate-level talk”
“Asking forgiveness is easier than asking for permission”
Not if you’re in jail
----
I might mention some real sites, but none are actually vulnerable
Just make it easier to explain things since you’re probably familiar with how they’re supposed to function
OUTRO: So for this talk, we’re going to talk through several of the OWASP Top 10 vulnerabilities
[CONT] So for this talk, we’re going to talk through several of the OWASP Top 10 vulnerabilities
Non-profit organization
Provide free articles, resources, and tools for web security
[NEXT]
Example
Each risk is documented with a description, detailed examples, mitigation techniques, and references to other helpful resources
[Quickly]
#1 - You may notice this looks a lot like this one here… but with a little extra
What if we could insert something other than “test” here – perhaps an “OR” condition that evaluates to TRUE?
If so, that would cancel out the password check
Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not directly visible to the attacker.
Instead, you use SQL injections to basically ask yes/no questions and use the different site behaviors to obtain the answers.
Syntax error -
Single quote is missing its pair; query is structured differently than expected
Table or column doesn’t exist
If we know site is vulnerable and see this (#2), SQL injection almost worked
Table and column names are valid
Assertion failed
SQL injection worked (definitely)
Database and column names are valid
Assertion succeeded or conditional bypassed
So let’s abuse this to learn more about the database
Let’s try to figure out table and column names
Probably a user table
Different error, so table definitely exists
Repeat this process to learn more
But previous method is all guesswork
What if… just show the data?
OUTRO: So that’s the desired functionality
But what if this site was vulnerable?
What could we do?
Well…
Maybe we could somehow set the id to cause a SQL injection that outputs other information we want.
[CLICK TO ANIMATE]
But how you ask?
With the SQL UNION operator…
CLICK TO ANIMATE EXPLANATION
[Double-escape]
OUTRO: Or better yet…
NO EXAMPLE!
[VISUAL EXAMPLE NEXT]
So when the server sends the code,
The browser runs it as-is
Just like all other HTML/JS that intentionally runs
(EXPLAIN CODE)
This JS should create an alert popup window
(SUBMIT)
AUDIO STARTS NEXT SLIDE
Ex 1: REDDIT
NO 2ND EXAMPLE!!!!!!!
Some data loss
Pastebin, Gist, etc
Safer, no data loss
Laravel blade – also automatic, similar syntax
OUTRO: Can also be done by using XSS
[FAST]
[CSRF TOKENS NEXT!!!]
[Cross site request forgery]
What if we…
Would that be safe?
NO! POST requests are vulnerable too.
This is one of many common misconceptions some developers have.
For example…
#1 – yeah, but a form can make post requests
#2 – no, JS can submit the form
Hidden value, only shown on our website, that only us and the current page know
OTHER SITES CAN’T SEE THIS VALUE, ONLY THE USER (due to browser’s same-origin policy)
NOT SAVED TO COOKIE OR AVAILABLE OUTSIDE WEBSITE!
(AFTER BULLETS)
Remember, the attacker doesn’t have access to their session or the HTML you generated dynamically for the particular user.
Let’s imagine Facebook is vulnerable to [READ TITLE]
Just change the 9 to an 8…
Even though Facebook never linked us here, we still got here
And FB didn’t check again at _this_ point in time
OUTRO: Fake example – FB doesn’t do this…
Facebook does check whether you’re authorized to see the image
OUTRO: Not just limited to URLs…
If bank is vulnerable, and form is submitted,
They won’t check the ID and allow the transfer to go through
Bad!
#2 – I like Symfony because it whitelists values in dropdowns (…)
#3 – Good guideline, but not all-encompassing rule
#3 – That means hiding the objects / IDs as the only measure of security
What I mean is not disclosing information users shouldn’t see, or showing actions they can’t take
Actually three different vuln
Similar enough
Is private data being exposed to the world?
OUTRO:
So that’s sensitive data exposure.
In a similar vein we have…
NO DROWN!
You might be thinking OMG they explain the attack?
Yes, but it’s a good thing!
Problem is: your version is exposed, hackers may know you’re vulnerable
#1 – If there’s a patch available, there’s also a hacker who can understand the original problem and create an exploit
#2 – Otherwise software falls into decay and is extremely hard to upgrade when the next critical update rolls out
END: But really, you should hide them
Good advice in general for all security topics we’ve covered
And that wraps up the last set of vulnerabilities we’re covering today