Ending Injection Vulnerabilities

Enlightening. Even if you thought you were already on top of injection, you leave this talk immediately wanting to check all your code for the specific bad design choices explained and start applying methods so it doesn't happen again.

Personally I could see myself making some of the database escaping mistakes but struggled a bit more to see the Twig examples as "real world" and would have liked a little bit more detail on how to implement the suggested static analysis.

Makes you think about your code and the problems that may be hiding in it

As someone who is making the journey from Junior Dev / recent graduate (mature student) to experienced developer, this was a great reflection on the security mistakes that can all to easily be made when you're gaining experience or making false assumptions. I'm hopeful that it will save me some embarrassment down the line...

Slides at:

https://www.slideshare.net/slideshow/php-uk-2005-ending-injection-vulnerabilities/275820149

---

Matt, as to the Twig examples, they start on slide 55:

https://www.slideshare.net/slideshow/php-uk-2005-ending-injection-vulnerabilities/275820149#55

The first one is fairly boring (more of a developer not using Twig correctly), but the `<a href="{{ url }}">` example is fairly common when the URL is user controlled (e.g. a profile page, and they should set a link to their website, but instead a "javascript:" URL is provided)... and the `<img src={{ url }}>` shows an example where the attribute isn't quoted (so the default html encoding is not enough).

As to the static analysis examples, that's a good point, I'll try to provide some more next time, but if you want to see it in action, have a look at:

https://github.com/craigfrancis/php-is-literal-rfc/blob/main/examples/readme.md