coding best practices (php)

BEST PRACTICES For IT Teams and PHP DEVS

Upload: christian-baune

Post on 13-Apr-2017


TRANSCRIPT

BEST PRACTICES for IT Teams and PHP DEVS

Controllers should be skinny

Abuse services

Abuse services in controllers too

IoC time

Receive and don’t ask

Avoid `new`

BAD, BAD, BAD

GOOD

BETTER

That’s all we really have to know
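The BAD / GOOD / BETTER code from the slides is not in this transcript. The following is an added example (not from the slides) of what the three steps usually look like in PHP 8: a controller that builds its own collaborators with `new`, a service that receives them instead, and a skinny controller that only maps the request onto that service. All class and interface names (UserRepository, Mailer, RegistrationService, RegistrationController and the in-memory stand-ins) are assumptions chosen for the illustration.

```php
<?php
declare(strict_types=1);

// Illustrative interfaces; names are assumptions, not from the slides.
interface UserRepository
{
    public function save(array $user): int;
}

interface Mailer
{
    public function send(string $to, string $subject, string $body): void;
}

// In-memory implementations so the file runs without a database or SMTP server.
final class InMemoryUserRepository implements UserRepository
{
    /** @var array<int, array> */
    public array $rows = [];

    public function save(array $user): int
    {
        $id = count($this->rows) + 1;
        $this->rows[$id] = $user + ['id' => $id];
        return $id;
    }
}

final class RecordingMailer implements Mailer
{
    /** @var list<array{to:string,subject:string}> */
    public array $sent = [];

    public function send(string $to, string $subject, string $body): void
    {
        $this->sent[] = ['to' => $to, 'subject' => $subject];
    }
}

// BAD: the controller "asks" for its collaborators with `new`. Nothing outside can swap them
// (in production these would be a PDO repository and an SMTP mailer), so the action cannot be
// tested in isolation and the business rules are buried in HTTP handling code.
final class RegistrationControllerBad
{
    public function register(array $post): int
    {
        $repo   = new InMemoryUserRepository();
        $mailer = new RecordingMailer();
        $id = $repo->save(['email' => $post['email']]);
        $mailer->send($post['email'], 'Welcome', 'Your account is ready.');
        return $id;
    }
}

// GOOD: the work lives in a service that *receives* its dependencies through the constructor.
final class RegistrationService
{
    public function __construct(
        private UserRepository $repo,
        private Mailer $mailer,
    ) {}

    public function register(string $email): int
    {
        // Validate input on public methods; throw instead of "fixing" a bad call.
        if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
            throw new InvalidArgumentException("Invalid e-mail address: $email");
        }
        $id = $this->repo->save(['email' => $email]);
        $this->mailer->send($email, 'Welcome', 'Your account is ready.');
        return $id;
    }
}

// BETTER: the controller is skin. It translates the request into a service call and the
// outcome into a response, nothing else.
final class RegistrationController
{
    public function __construct(private RegistrationService $service) {}

    public function register(array $post): array
    {
        try {
            $id = $this->service->register((string) ($post['email'] ?? ''));
            return ['status' => 201, 'id' => $id];
        } catch (InvalidArgumentException $e) {
            return ['status' => 400, 'error' => $e->getMessage()];
        }
    }
}

// Wiring. In a real application this is the job of the IoC container, which is the only place
// that should call `new` on services.
$repo       = new InMemoryUserRepository();
$mailer     = new RecordingMailer();
$controller = new RegistrationController(new RegistrationService($repo, $mailer));

print_r($controller->register(['email' => 'alice@example.org']));
print_r($controller->register(['email' => 'not-an-address']));
print_r($mailer->sent);
```

Because the service receives interfaces, a test can hand it the in-memory doubles above and assert on `$mailer->sent` without a database; the container hands it the real implementations in production. That is the whole point of "receive and don't ask".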

SECURITY

XSS

Validate input, but the control that actually stops XSS is encoding output for the context it lands in:

URLs: `urlencode()` / `rawurlencode()`. HTML element content and quoted attribute values: `htmlspecialchars()` with `ENT_QUOTES`. (The slide names these `url_encode` and `html_special_chars`; those functions do not exist in PHP.)

See: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
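An added example (not from the slides) showing the two encoders above used per context, the reflected XSS that raw interpolation produces, and one case encoding alone cannot fix: an attacker-controlled `href` carrying a `javascript:` URL. The helper names `e()`, `u()` and `safe_href()` and the hostile inputs are constructed for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed attacker-controlled inputs.
$name = '<script>alert(1)</script>';
$next = 'home" onmouseover="alert(2)';
$link = 'javascript:alert(3)';

// Encoder for HTML element content and *quoted* attribute values.
// ENT_QUOTES also escapes the single quote; ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently producing an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encoder for one URL query-string value (RFC 3986 percent-encoding).
function u(string $value): string
{
    return rawurlencode($value);
}

// When the whole href is user supplied, htmlspecialchars() leaves "javascript:alert(3)"
// untouched, so the scheme must be allow-listed before the value is encoded.
function safe_href(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (($scheme !== '' && !in_array($scheme, ['http', 'https'], true)) || str_starts_with($url, '//')) {
        return '#';
    }
    return e($url);
}

// BAD: raw interpolation. $name runs as a script, $next breaks out of the attribute.
$bad = "<p>Hello $name</p><a href=\"/go?next=$next\">next</a>";

// GOOD: each value encoded for its context. A query value inside an attribute gets both
// layers: URL-encode the parameter, then HTML-encode the attribute.
$good = '<p>Hello ' . e($name) . '</p>'
      . '<a href="/go?next=' . e(u($next)) . '">next</a>'
      . '<a href="' . safe_href($link) . '">profile</a>';

echo $bad, PHP_EOL, $good, PHP_EOL;
```

`htmlspecialchars()` is only correct for element content and quoted attributes. Values dropped into a `<script>` block, an inline event handler, a CSS property or an unquoted attribute need the encoder for that context (see the OWASP cheat sheet linked above), and a template engine that auto-escapes (Twig, Blade) is the easiest way to apply it consistently.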

SQL INJECTION

Dependency injection is nice, SQL injection not so much. ALWAYS use bound parameters.

If you need to build SQL queries dynamically, use a query builder. Don’t “roll your own”.

Use PDO.

For an `IN` clause, bind one placeholder per value where you can. When the values are numbers, cast them with `intval()` or `floatval()`. Use `PDO::quote()` to escape string literals only as a fallback where binding is not possible; it is driver-specific escaping, not a substitute for prepared statements.

Do not trust data, even when it comes from your own database (it was user input once, and stored values still need encoding on output).
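An added example (not from the slides) that runs against an in-memory SQLite database so it needs no server: the concatenated query that an injected string turns into `WHERE email = '' OR '1'='1'`, the same lookup with a bound parameter, and the two `IN (...)` techniques described above (a generated placeholder list with integer binding, and `PDO::quote()` as the fallback for string literals). The table, rows and hostile inputs are constructed for the illustration; the function names `selectByIds()` and `selectByEmailsQuoted()` are assumptions.

```php
<?php
declare(strict_types=1);

// In-memory SQLite (requires the pdo_sqlite extension). Exceptions on error so mistakes are loud.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, role TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (email, role) VALUES
    ('alice@example.org', 'admin'), ('bob@example.org', 'user'), ('eve@example.org', 'user')");

// Constructed hostile input.
$emailInput = "' OR '1'='1";
$idsInput   = ['2', '3', '0 OR 1=1'];

// BAD: concatenation. The clause becomes  email = '' OR '1'='1'  and every row comes back.
$bad = $pdo->query("SELECT id, email FROM users WHERE email = '$emailInput'")->fetchAll(PDO::FETCH_ASSOC);
echo 'concatenated: ', count($bad), " rows\n";

// GOOD: bound parameter. The value travels as data and is never parsed as SQL.
$stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
$stmt->execute([':email' => $emailInput]);
echo 'bound: ', count($stmt->fetchAll(PDO::FETCH_ASSOC)), " rows\n";

// IN (...) cannot be fed a list through one placeholder; generate one per value and bind
// each as an integer after casting (the slide's intval() advice).
function selectByIds(PDO $pdo, array $ids): array
{
    $ids = array_values(array_map('intval', $ids));
    if ($ids === []) {
        return [];                       // IN () is a syntax error; bail out early
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare("SELECT id, email FROM users WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);   // positional placeholders are 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Fallback for string literals where binding is not possible: PDO::quote(). It escapes
// for the connected driver, so the PDO instance must be the one that runs the query.
function selectByEmailsQuoted(PDO $pdo, array $emails): array
{
    if ($emails === []) {
        return [];
    }
    $list = implode(',', array_map([$pdo, 'quote'], $emails));
    return $pdo->query("SELECT id, email FROM users WHERE email IN ($list)")->fetchAll(PDO::FETCH_ASSOC);
}

print_r(selectByIds($pdo, $idsInput));
print_r(selectByEmailsQuoted($pdo, ['bob@example.org', $emailInput]));
```

With MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so that the server, not the client library, separates the query from its parameters.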

Other security tips

● Use secure cookies (http://cookiecontroller.com/internet-cookies/secure-cookies/)

● Sign your cookies and encrypt them!

(HttpOnly and Secure attributes, plus an HMAC signature and AES encryption; sign the ciphertext with a key separate from the encryption key, or use an authenticated mode such as AES-GCM, and verify the signature before decrypting)

● Check on the UI and in the backend

(Hiding a button is not enough to prevent an action; the backend must enforce the authorization check on every request)
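An added example (not from the slides) of the cookie advice above in PHP 8: a small `SealedCookie` class (name and API are assumptions) that derives separate encryption and MAC keys from one master key, encrypts with AES-256-CBC under a random IV, appends an HMAC-SHA256 over IV and ciphertext, and on the way back verifies the MAC in constant time before decrypting. The cookie is then set with the Secure, HttpOnly and SameSite attributes. The master key is generated inline only so the file runs; in a real deployment it comes from the secret store.

```php
<?php
declare(strict_types=1);

final class SealedCookie
{
    private string $encKey;
    private string $macKey;

    // $masterKey: at least 32 random bytes from a secret store, never hard-coded.
    // Two sub-keys are derived so encryption and authentication never share a key.
    public function __construct(string $masterKey)
    {
        if (strlen($masterKey) < 32) {
            throw new InvalidArgumentException('master key must be at least 32 bytes');
        }
        $this->encKey = hash_hkdf('sha256', $masterKey, 32, 'cookie-enc');
        $this->macKey = hash_hkdf('sha256', $masterKey, 32, 'cookie-mac');
    }

    // Encrypt-then-MAC: AES-256-CBC with a fresh IV, then HMAC-SHA256 over IV||ciphertext.
    // Output is base64url so it is safe in a Set-Cookie header.
    public function seal(array $payload): string
    {
        $plain = json_encode($payload, JSON_THROW_ON_ERROR);
        $iv    = random_bytes(16);
        $ct    = openssl_encrypt($plain, 'aes-256-cbc', $this->encKey, OPENSSL_RAW_DATA, $iv);
        if ($ct === false) {
            throw new RuntimeException('encryption failed');
        }
        $mac = hash_hmac('sha256', $iv . $ct, $this->macKey, true);
        return rtrim(strtr(base64_encode($iv . $ct . $mac), '+/', '-_'), '=');
    }

    // Returns null for anything not produced by seal() under this key: tampered, truncated or forged.
    public function open(string $cookie): ?array
    {
        $raw = base64_decode(strtr($cookie, '-_', '+/'), true);
        if ($raw === false || strlen($raw) < 16 + 16 + 32) {   // IV + one AES block + MAC
            return null;
        }
        $mac  = substr($raw, -32);
        $body = substr($raw, 0, -32);
        // Verify before touching the ciphertext, in constant time (no padding-oracle, no early exit).
        if (!hash_equals(hash_hmac('sha256', $body, $this->macKey, true), $mac)) {
            return null;
        }
        $plain = openssl_decrypt(substr($body, 16), 'aes-256-cbc', $this->encKey, OPENSSL_RAW_DATA, substr($body, 0, 16));
        if ($plain === false) {
            return null;
        }
        $data = json_decode($plain, true);
        return is_array($data) ? $data : null;
    }
}

// Key generated inline only so this file runs stand-alone (assumption; load it from a secret store).
$sealer = new SealedCookie(random_bytes(32));
$value  = $sealer->seal(['uid' => 42, 'exp' => time() + 3600]);

// Secure: HTTPS only. HttpOnly: invisible to JavaScript. SameSite: not attached to cross-site requests.
if (!headers_sent()) {
    setcookie('session', $value, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Reading it back: the genuine cookie opens, a single flipped character does not.
var_dump($sealer->open($value));
$tampered    = $value;
$tampered[5] = $tampered[5] === 'A' ? 'B' : 'A';
var_dump($sealer->open($tampered));
```

The payload carries its own `exp`; the caller must still compare it with the clock, since a valid signature only proves the server issued the cookie, not that it is still current. If libsodium is available, `sodium_crypto_secretbox()` gives the same guarantees in one call, and `aes-256-gcm` through `openssl_encrypt()` is the single-key alternative to the separate HMAC shown here.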

UNSORTED

Know your stuff

● DO IT RIGHT : www.phptherightway.com

● DO IT SECURE : https://www.owasp.org/

● RTFM : http://be2.php.net/manual/en/

● CS can help : https://sourcemaking.com/

Teams are smarter than individuals

● Reuse components

○ http://symfony.com/components

○ http://www.yiiframework.com/extensions/

● Don’t reinvent the wheel

○ Follow standards

■ https://tools.ietf.org/

■ http://www.php-fig.org/psr/

■ https://www.jcp.org/en/jsr/overview (yes, you can borrow from other technologies!)

● Don’t re-implement the framework

○ E.g. $_SERVER['REQUEST_METHOD'] == 'POST' ? $repo->save($user) : $repo->get($user->id)

● Don’t misuse framework hooks (e.g. saving entities from inside a “validate” method)

Handle errors and unusual activity properly

● Log odd events at “WARNING” level or higher;

● Throw exceptions on exceptional situations;

○ Create your own exceptions unless you can reuse an existing one;

○ Log details which can help debugging;

● With good logging, reading the code becomes optional;

● Do not attempt to “automagically” fix some “bad call”

○ If you don’t know : good place for throwing an exception !

● Validate input on public methods;

● Every “switch” must have a “default” case;

● Bail out as early as possible; (if ... return)
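An added example (not from the slides) that puts the points of this list together in PHP 8.1: a domain-specific exception, a public method that validates its arguments and bails out early, a `switch` whose `default` refuses to guess, and a warning logged with enough context to debug from the log alone. `OrderWorkflow`, `UnknownTransitionException` and the `ArrayLogger` stand-in for a PSR-3 logger are assumed names for the illustration.

```php
<?php
declare(strict_types=1);

// Domain-specific exception so callers can catch exactly this case; the message carries the detail.
final class UnknownTransitionException extends DomainException
{
    public function __construct(public readonly string $from, public readonly string $to)
    {
        parent::__construct(sprintf('No transition from "%s" to "%s"', $from, $to));
    }
}

// Stand-in for a PSR-3 logger so the file runs alone; use your framework's logger in practice.
final class ArrayLogger
{
    /** @var list<array{level:string,msg:string,ctx:array}> */
    public array $records = [];

    public function log(string $level, string $msg, array $ctx = []): void
    {
        $this->records[] = ['level' => $level, 'msg' => $msg, 'ctx' => $ctx];
    }
}

final class OrderWorkflow
{
    private const STATES = ['new', 'paid', 'shipped', 'cancelled'];

    public function __construct(private ArrayLogger $log) {}

    // Public method: validate every argument, bail out early, never fall through a switch.
    public function transition(string $from, string $to, int $orderId): string
    {
        if (!in_array($from, self::STATES, true) || !in_array($to, self::STATES, true)) {
            // Odd event: log at WARNING with the values that explain it, then throw.
            $this->log->log('warning', 'Unknown order state received',
                ['from' => $from, 'to' => $to, 'order' => $orderId]);
            throw new InvalidArgumentException("Unknown state: $from -> $to");
        }
        if ($from === $to) {
            return $to;                      // nothing to do; say so early
        }

        switch ("$from>$to") {
            case 'new>paid':
            case 'paid>shipped':
                return $to;
            case 'new>cancelled':
            case 'paid>cancelled':
                $this->log->log('info', 'Order cancelled', ['order' => $orderId]);
                return $to;
            default:
                // Do not "automagically" fix a bad call (e.g. silently keep $from): log and throw.
                $this->log->log('warning', 'Illegal transition attempted',
                    ['from' => $from, 'to' => $to, 'order' => $orderId]);
                throw new UnknownTransitionException($from, $to);
        }
    }
}

$log = new ArrayLogger();
$wf  = new OrderWorkflow($log);

echo $wf->transition('new', 'paid', 1001), PHP_EOL;
try {
    $wf->transition('shipped', 'paid', 1001);    // going backwards is not a defined transition
} catch (UnknownTransitionException $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}
try {
    $wf->transition('new', 'refunded', 1002);    // state that does not exist
} catch (InvalidArgumentException $e) {
    echo get_class($e), ': ', $e->getMessage(), PHP_EOL;
}
print_r($log->records);
```

Each log record contains the order id and both states, so an operator reading the log knows what was attempted without opening the code, which is what "reading the code becomes optional" means in practice.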

Tricks

● Feel compelled to make a comment? → make a function!

● Too many indents? → make a function or bail out early!

● Using break? → make a function!

● Need to inherit from more than one class? → use composition!

● Too many controller dependencies? → split your controller!

● Code hard to read? → good naming, functions!

● Trouble using a class? → Don’t use magic methods (__get, __invoke, …)!

(Magic methods should be reserved for proxies and similarly advanced cases)