Talk in English - UK at PHP UK Conference
Track Name:
Queen Charlotte
Short URL: https://joind.in/talk/7375c
Imagine you are working on a project that uses Doctrine for your database abstraction; you think you are safe from SQL Injection vulnerabilities.
Even when using abstractions, or parameterised queries, we can still make mistakes; this is often a problem for junior developers, but it can also happen when our code becomes complicated.
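An added example of the kind of mistake the abstract refers to (it is not code from the talk or its slides): a query that binds its WHERE value as a parameter and so looks safe, but builds its ORDER BY clause by concatenating a request value. Plain PDO with an in-memory SQLite table is used so it runs stand-alone; Doctrine's DQL and QueryBuilder have the same property that matters here, namely that values can be bound but identifiers (table and column names) cannot. The table, rows and the `sort` request value are constructed for the example.

```php
<?php
// Added example for this page; not code from the talk or its slides.
// Plain PDO + in-memory SQLite so it runs stand-alone. Doctrine's DQL and
// QueryBuilder share the property shown here: values can be bound as
// parameters, identifiers (column names in ORDER BY) cannot.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, active INTEGER)');
$pdo->exec("INSERT INTO users (name, email, active) VALUES
    ('alice', 'alice@example.com', 1),
    ('bob',   'bob@example.com',   1),
    ('carol', 'carol@example.com', 0)");   // constructed rows

// The mistake: the WHERE value is bound, so the query "uses parameters", but
// the ORDER BY column is whatever ?sort= held, joined in by concatenation.
function listUsersUnsafe(PDO $pdo, string $sort): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE active = :active ORDER BY ' . $sort);
    $stmt->execute(['active' => 1]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The fix: an identifier cannot be a bound parameter, so map the request value
// onto a fixed set of known column names and refuse everything else. The SQL
// string is then assembled only from literals written in this file.
function listUsersSafe(PDO $pdo, string $sort): array
{
    $columns = ['name' => 'name', 'email' => 'email'];
    if (!isset($columns[$sort])) {
        throw new InvalidArgumentException("Unsupported sort column: $sort");
    }
    $stmt = $pdo->prepare('SELECT name FROM users WHERE active = :active ORDER BY ' . $columns[$sort]);
    $stmt->execute(['active' => 1]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

print_r(listUsersSafe($pdo, 'email'));
try {
    listUsersSafe($pdo, 'id DESC');   // valid SQL, but not on the allow list
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The allow list is the point: once the only strings that can reach the SQL text are literals from the source file, a static check (of the kind the talk's static-analysis material describes) can verify that no request value is ever concatenated into a query, whereas `listUsersUnsafe()` cannot be proven safe no matter what the caller does.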
Comments
Enlightening. Even if you thought you were already on top of injection, you leave this talk immediately wanting to check all your code for the specific bad design choices explained and start applying methods so it doesn't happen again.
Personally I could see myself making some of the database escaping mistakes but struggled a bit more to see the Twig examples as "real world" and would have liked a little bit more detail on how to implement the suggested static analysis.
Makes you think about your code and the problems that may be hiding in it
As someone who is making the journey from Junior Dev / recent graduate (mature student) to experienced developer, this was a great reflection on the security mistakes that can all too easily be made when you're gaining experience or making false assumptions. I'm hopeful that it will save me some embarrassment down the line...
Slides at:
https://www.slideshare.net/slideshow/php-uk-2005-ending-injection-vulnerabilities/275820149
---
Matt, as to the Twig examples, they start on slide 55:
https://www.slideshare.net/slideshow/php-uk-2005-ending-injection-vulnerabilities/275820149#55
The first one is fairly boring (more of a developer not using Twig correctly), but the `<a href="{{ url }}">` example is fairly common when the URL is user controlled (e.g. a profile page, and they should set a link to their website, but instead a "javascript:" URL is provided)... and the `<img src={{ url }}>` shows an example where the attribute isn't quoted (so the default html encoding is not enough).
As to the static analysis examples, that's a good point, I'll try to provide some more next time, but if you want to see it in action, have a look at:
https://github.com/craigfrancis/php-is-literal-rfc/blob/main/examples/readme.md
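The two Twig cases described in the reply above, as an added example rather than code from the talk or the slides. It is plain PHP standing in for a template: `htmlEscape()` applies `htmlspecialchars()` with the flags Twig's default "html" escaping strategy uses, so whatever survives it here is what survives `{{ url }}` in a template. The profile "website" values are constructed for the example, and `safeUrl()` is a hypothetical allow-list check, not a Twig function.

```php
<?php
// Added example for this page; not code from the talk or its slides.
// htmlEscape() uses the same htmlspecialchars() flags as Twig's default
// "html" strategy, so it shows what {{ url }} does and does not change.
function htmlEscape(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed profile "website" values: a normal URL, a javascript: scheme
// URL, and a value containing a space (which can add an attribute if the
// attribute is unquoted).
$inputs = [
    'https://example.com/',
    'javascript:alert(1)',
    'x.png title=injected',
];

// The gap: HTML escaping only rewrites & < > " and ', so none of these inputs
// change. A javascript: URL is valid attribute text, and a space is untouched.
function renderProfileLinkUnsafe(string $url): string
{
    return '<a href="' . htmlEscape($url) . '">website</a>';
}
function renderImageUnsafe(string $url): string
{
    return '<img src=' . htmlEscape($url) . '>';   // attribute not quoted
}

// Fix 1 (hypothetical helper): validate the URL against an allow list of
// schemes before it reaches the template. Accept absolute http(s) URLs and
// site-relative paths (not protocol-relative "//host"); replace anything else.
function safeUrl(string $url): string
{
    $url = trim($url);
    if (preg_match('~^https?://~i', $url) === 1 || preg_match('~^/(?![/\\\\])~', $url) === 1) {
        return $url;
    }
    return '#';
}

// Fix 2: always quote the attribute, so an escaped double quote is the only
// way out of it and a space stays part of the value.
function renderProfileLinkSafe(string $url): string
{
    return '<a href="' . htmlEscape(safeUrl($url)) . '">website</a>';
}
function renderImageSafe(string $url): string
{
    return '<img src="' . htmlEscape(safeUrl($url)) . '">';
}

foreach ($inputs as $url) {
    echo renderProfileLinkUnsafe($url), "\n", renderProfileLinkSafe($url), "\n";
    echo renderImageUnsafe($url), "\n", renderImageSafe($url), "\n\n";
}
```

Running it shows the first and second inputs pass through `renderProfileLinkUnsafe()` byte for byte, and the third gains a second attribute in `renderImageUnsafe()`. Scheme validation has to happen in PHP before rendering, because no output-escaping strategy can know that a well-formed string is the wrong kind of URL; quoting the attribute is the template-side fix for the `<img src={{ url }}>` case (Twig's `html_attr` strategy, which also encodes whitespace, covers it too, but quoting is the habit to rely on).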