Dutch PHP Conference: The Slides

June 16th, 2009 | by Stefan Esser |


At this year's Dutch PHP Conference I presented a PHP Security Crash Course for beginners and a session about secure programming with the Zend Framework. You can download all the slides from here.

PHP Security Crash Course for beginners

Secure Programming with the Zend Framework

Enjoy the slides and shoot any questions or improvement ideas my way…

  16 Responses to “Dutch PHP Conference: The Slides”

  By GeekFG on Jun 16, 2009

    Thanks a lot (particularly for the Zend one!)

  By Peter on Jun 17, 2009

    Thanks! Helpful resource.

  By Hvdklauw on Jun 17, 2009

    Thanks Stefan.
    As I said during Secure Programming with the Zend Framework, escaping all view variables is a bad idea, because they might be objects, and passing them through escape will probably trigger the __toString method, which will give unexpected results :)

    You could probably do a is_string check but then you would end up with strings from objects not being escaped.

  By Hvdklauw on Jun 17, 2009

    Oh.. also..

    You can’t destroy the Zend_Session and start it again; that will throw an error. If the session fails to start then your whole app is probably gonna fail, so you might as well make it fail directly.

  By Stefan Esser on Jun 17, 2009

    Well, after the session someone came to me and explained their method to me.

    They add an interface “Viewable” to all their objects that are allowed in the view and that has all the magic inside.

  By msakamoto-sf on Jun 17, 2009

    Thanks very much for good resources with php web programming!

  By Hvdklauw on Jun 17, 2009

    Ahh ok, I guess that could work, although you still have to check that the function they implemented for the Viewable interface is correct ;)
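The two comments above describe the problem (a blanket escape call stringifies objects via __toString) and the remedy someone described to Stefan (a Viewable interface that declares which objects may reach the view). The following is an added example of that idea, not code from the slides, from the Zend Framework, or from the commenters; the interface name Viewable is taken from the thread, the method name toViewData, the class ViewEscaper and the sample classes are assumptions, and it targets PHP 7 or later. Rather than trusting an object's own string conversion, only objects that implement the interface are accepted, and what they export is escaped field by field; any other object is rejected before it can reach a template.

```php
<?php
// Added example, not code from the slides or from the Zend Framework.
// Escapes view data without ever calling __toString on an arbitrary object:
// strings are escaped, arrays are walked, and objects must implement the
// (hypothetical) Viewable interface and expose their data explicitly.
declare(strict_types=1);

interface Viewable
{
    /** Data this object may expose to a template: scalars, arrays or other Viewables. */
    public function toViewData(): array;
}

final class ViewEscaper
{
    private $charset;

    public function __construct(string $charset = 'UTF-8')
    {
        $this->charset = $charset;
    }

    /** @param mixed $value  @return mixed */
    public function escape($value)
    {
        if (is_string($value)) {
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, $this->charset);
        }
        if (is_int($value) || is_float($value) || is_bool($value) || $value === null) {
            return $value; // cannot carry markup, keep the type for the template
        }
        if (is_array($value)) {
            $out = [];
            foreach ($value as $key => $item) {
                // string keys may be attacker-controlled too (e.g. form field names)
                $safeKey = is_string($key) ? $this->escape($key) : $key;
                $out[$safeKey] = $this->escape($item);
            }
            return $out;
        }
        if ($value instanceof Viewable) {
            // recurse into the exported data; the object itself is never stringified
            return $this->escape($value->toViewData());
        }
        // Anything else, including objects that define __toString, is a bug in
        // the controller and is rejected instead of silently converted.
        $type = is_object($value) ? get_class($value) : gettype($value);
        throw new InvalidArgumentException(
            'Only scalars, arrays and Viewable objects may be assigned to the view, got ' . $type
        );
    }
}

// Constructed sample classes for the demo below (assumptions, not project code).
final class User implements Viewable
{
    private $name;
    private $email;

    public function __construct(string $name, string $email)
    {
        $this->name  = $name;
        $this->email = $email;
    }

    public function toViewData(): array
    {
        return ['name' => $this->name, 'email' => $this->email];
    }
}

final class Money
{
    // A __toString that embeds markup: exactly what a blanket escape would mangle
    // or, with an is_string() check, let through unescaped.
    public function __toString(): string
    {
        return '<b>EUR 10</b>';
    }
}

$escaper = new ViewEscaper();

// Constructed view variables: a string carrying a payload and a Viewable object.
$vars = [
    'title' => 'Orders <script>alert(1)</script>',
    'user'  => new User('Mallory "M" <x>', 'm@example.com'),
];
print_r($escaper->escape($vars)); // title is HTML-escaped, user becomes an escaped array

try {
    $escaper->escape(['total' => new Money()]);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL; // Money is not Viewable and is rejected
}
```

The point of the exception rather than a fallback is the one raised in the last comment: a Viewable implementation still has to be reviewed, but at least the set of classes that can reach a template is now enumerable, and an object that slipped into the view by accident fails loudly instead of being rendered through whatever __toString happens to return.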

  By Steve Clay on Jun 17, 2009

    Eek. My previous assumption was that session.use_trans_sid = 0 and session.use_only_cookies = 1 would eliminate all fixation attacks, but a crafty XSS exploit could set a new session cookie (even w/ httpOnly), then alert the attacker that the session is live.

    The requirement of the pre-existing ’strict’ session var is a great solution to this.
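The comment above refers to the session-fixation defence from the slides: a session is only trusted if it carries a marker that the server itself set when it created the session, so an ID planted by the client (for example through a cookie written by XSS) is discarded. The following is an added example of that check in plain PHP, not code from the slides; the marker key 'strict' comes from the comment, while the function names startStrictSession and promoteSession and the sample login handling are assumptions. It uses the native session functions rather than Zend_Session, which, as noted earlier in the thread, cannot be destroyed and started again inside one request.

```php
<?php
// Added example, not code from the slides: a plain-PHP session start that
// accepts only session IDs this application created. Function names are
// hypothetical; the 'strict' marker key is the one from the comment above.
declare(strict_types=1);

function startStrictSession(): void
{
    // Transport hardening: no IDs in URLs, cookie not readable from script.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.cookie_httponly', '1');
    // PHP 5.5.2 and later can refuse uninitialised IDs natively; the setting is
    // simply unknown (and ignored) on older releases, so the marker check below
    // is kept regardless.
    ini_set('session.use_strict_mode', '1');

    session_start();

    // No marker means the server never initialised this session: the ID was
    // chosen by the client (e.g. a cookie planted through XSS). Throw it away.
    if (empty($_SESSION['strict'])) {
        session_regenerate_id(true);      // new server-minted ID, old session deleted
        $_SESSION = ['strict' => true];   // nothing from the client-chosen session survives
    }
}

// The marker only proves the ID was minted by the server. An attacker who first
// obtains a legitimate session from the server and then plants *that* ID in the
// victim's browser passes the marker check, so the ID must also change whenever
// the session gains privileges (login, role change).
function promoteSession(array $identity): void
{
    session_regenerate_id(true);
    $_SESSION = ['strict' => true, 'identity' => $identity];
}

// Usage sketch for a request: start the session, then promote it after a
// successful login (credential verification against the user store omitted).
startStrictSession();
if (!isset($_SESSION['identity']) && isset($_POST['user'])) {
    promoteSession(['user' => (string) $_POST['user']]);
}
```

The second function is the caveat a practitioner should attach to the slide: the strict marker closes the "XSS writes an arbitrary cookie" case described in the comment, but not the case where the attacker obtains a genuine session first; regenerating the ID at every privilege change covers both.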

  By Alex on Aug 29, 2009

    Thanks for the Secure Programming with the Zend Framework.

    Can you upload this Slide to http://www.slideshare.net, because it was cool to embed it in websites.

  By Shaun on Sep 18, 2009

    Thanks for the PHP security crash course. It helped me pass the PHP exam.

  6 Trackback(s)

  Jun 17, 2009: lllnorikolll@WordPress » Secure Programming with the Zend Framework
  Jun 17, 2009: DPC Sessions and Slides - techPortal
  Jun 18, 2009: More Reliable Authentication in Zend Framework « LAMPlights
  Jun 26, 2009: Ibuildings - Blog - ibuildings.nl
  Aug 22, 2009: What is “Cross Site Request Forgery” (CSRF)? at PHP Gangsta
  Nov 1, 2009: More success in e-business with Donauweb IT Solutions » Blog Archive » Server hacked
