Embed Size (px)
DESCRIPTION
Some of the most common vulnerabilities in web applications are caused by applications not properly inspecting the data that users send in. PHP has an entire suite of tools to help inspected, filter, and sanitize data that comes from the user and other outside parties. Using built-in methods and extra tools you can protect your app from harmful data and users.
Citation preview
Don't Trust Your Users
Chris Tankersley
ZendCon 2014
2
Who Am I?
● A PHP Developer for 10 Years● Lots of projects no one uses, and a few some do
● https://github.com/dragonmantank
3
Everyone Loves a Story
http://northweststate.edu/about-nscc/
4
Programming is Just Acronyms
● DRY – Don't Repeat Yourself● KISS – Keep It Simple, Stupid● IPO – Input, Process, Output
5
GIGO – Garbage In, Garbage Out
6
Users Are a Nice Big Family
7
Some People Want To Watch The World Burn
8
We Love Contact Forms
9
Client Side Validation
10
HTML5 Validation
<input type="email" required>
<input type="text" pattern="\d{5}([\-]\d{4})?)">
11
Browsers Suck
http://caniuse.com/#search=required
12
Server Side is Necessary
http://cucher.iblogger.org/images/as400_family.jpg
13
Filtering vs Validation
14
Removes Unwanted 'Stuff'
15
Filtering changes things
https://www.flickr.com/photos/httpwwwflickrcompeoplenadar/3349883/sizes/l
16
Filtering changes things
17
Validation Judges Things
18
Most Libraries Do Both
19
PHP's Filter Module
20
Some Background
● Enabled by default since 5.2.0● Provides both Validation and Filtering● Very easy to use to work with data● Exposed via the 7 basic functions
21
Validation is Easy and Fun!
<?phpvar_dump(filter_var('755', FILTER_VALIDATE_INT));var_dump(filter_var('755.0', FILTER_VALIDATE_INT));
int(755)bool(false)
22
Basic Validation Out of the Box
23
We can clean up data as well
filter_var('ID 655', FILTER_SANITIZE_NUMBER_INT);
string(3) '655'
24
What can we clean up?
25
What can we clean up?
26
Manual Filters
function myFilter($string) {return substr($string, 5);
}
$output = filter_var('This is my test string', FILTER_CALLBACK, array('options' => 'myFilter',
)));
string(12) 'is my string'
27
Does big jobs as well
28
Aura.Filter
29
Easy To Use
30
Rule Types
● Soft Rules – Doesn’t Stop Validation Chain ● Hard Rules – Stop Validation Chain For This
Element● Stop Rules – Stop All Validation
31
Validation and Filtering
● RuleCollection::IS – Must match the rule● RuleCollection::IS_NOT – Must not match● RuleCollection::IS_BLANK_OR – Must be blank
or match● RuleCollection::FIX – Sanitize The Data● RuleCollection::FIX_IS_BLANK_OR – Fix if not
blank
32
Bundled Rules
● Alnum● Alpha● Between● Blank● Bool● Credit Card● DateTime● Email
● Equal To Field● Equal To Value● Float● In Array Keys● In Array
Values● Int● ipv4● Locale
● Max● Min● Regex● Strict Equals● String(length,
min,max)● Trim● Upload● Url
33
Custom Rules
● Extend Aura\Filter\AbstractRule● Implement validate() and sanitize()● Add to the Rule Locator
34
Check it out
https://github.com/auraphp/Aura.Filter
35
Use Your Framework's
36
Zend Framework 2
37
Zend\Validator
38
Zend\Validator
39
Zend\Validator
40
Model Validation
41
Symfony2 Validation
42
Symfony2 Validator
Read the docs - http://symfony.com/doc/current/book/validation.html
43
Symfony2 Validator
44
Use with Forms
45
Always Look First
46
One Last Thing
47
Validation is Hard
48
Questions?
