PHP Oxford: Ending Injection Vulnerabilities with Craig Francis
Join us bi-monthly - for PHP developers of all levels. Talks, socials & more. All frameworks welcome: Laravel, WordPress, Symfony & beyond.
Agenda
6:30 PM - 7:00 PM: Arrival, refreshments and networking
7:00 PM - 7:15 PM: Introductions from Humand Talent
7:15 PM - 8:00 PM: Talk by Craig Francis
8:00 PM - 8:30 PM: Q&A and further discussions
About this event
- Event lasts 2 hours
PHP Oxford
Welcome to PHP Oxford, where fellow PHP enthusiasts gather to share knowledge, network, and have a great time! Join us for our July event where we will have an expert talk, Q&A, refreshments, and further discussions. Whether you're a seasoned developer or just starting out, this event is perfect for anyone looking to dive deeper into the world of PHP. Don't miss out on this opportunity to connect with like-minded individuals and expand your PHP skills. See you there!
Talk with Craig Francis
Ending Injection Vulnerabilities
Injection Vulnerabilities remain in the "OWASP Top 10" and the "CWE Top 25 Most Dangerous Software Weaknesses". Unfortunately database abstractions (like Doctrine), or parameterised queries, do not prevent Injection Vulnerabilities (I've got several examples); so they can create a false sense of security (especially with complicated code, or when junior developers are involved). Fortunately there is a simple solution to identify these mistakes, by "distinguishing strings from a trusted developer, from strings that may be attacker controlled" (Mike Samuel, March 2019; and Christoph Kern, September 2014). This can be done in PHP with the `literal-string` type (using PHPStan and Psalm). It's been proven to work in other languages (Facebook/Meta use the LiteralString type in Python; and Google use the "un-exported string type" in Go), it works really well with our existing code, and it guarantees there cannot be any mistakes that can lead to an Injection Vulnerability.
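The following is an added example of the `literal-string` approach the abstract describes; it is not code from the talk or from Craig, and the `Db` wrapper class, the SQLite in-memory database and the sample rows are all constructed for illustration. The idea is that the SQL parameter of the query method is annotated `@param literal-string`, so PHPStan or Psalm reject any call site where the SQL was built from a plain `string` (such as request input), even when a prepared statement is used.

```php
<?php
declare(strict_types=1);

// Added example (hypothetical wrapper, not the talk's code): the SQL argument is
// typed `literal-string`, so static analysis (PHPStan / Psalm) distinguishes
// strings written by the developer from strings that may be attacker controlled.
final class Db
{
    public function __construct(private PDO $pdo) {}

    /**
     * @param literal-string $sql   A string literal (or concatenation of literals) in the source
     * @param array<string, scalar|null> $params   Values are bound, never interpolated
     * @return list<array<string, mixed>>
     */
    public function select(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    /**
     * Map a user-supplied sort key onto an allow-list of column names.
     * Every branch returns a literal, so the result is itself a literal-string
     * and may be concatenated into SQL.
     *
     * @return literal-string
     */
    public static function sortColumn(string $requested): string
    {
        return match ($requested) {
            'name'    => 'name',
            'created' => 'created_at',
            default   => 'id',
        };
    }
}

// Constructed sample data so the script runs offline (requires the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, created_at TEXT)');
$pdo->exec("INSERT INTO users (name, created_at) VALUES ('alice', '2024-01-01'), ('bob', '2024-02-01')");
$db = new Db($pdo);

// Request input: plain `string`, never `literal-string`.
$name = (string) ($_GET['name'] ?? 'alice');
$sort = (string) ($_GET['sort'] ?? 'name');

// Accepted: the SQL is a literal, the user value travels as a bound parameter.
$byName = $db->select('SELECT id, name FROM users WHERE name = :name', ['name' => $name]);

// Accepted: literal-string . literal-string is still literal-string, so the
// allow-listed column can be spliced into the query.
$sorted = $db->select('SELECT id, name FROM users ORDER BY ' . Db::sortColumn($sort));

// Reported by PHPStan / Psalm: `$sort` is a plain string, so the argument is not
// literal-string. prepare() cannot help here because the column name is not a
// bindable value; this is the "parameterised queries do not prevent injection" case.
$unsafe = $db->select('SELECT id, name FROM users ORDER BY ' . $sort);

print_r($byName);
print_r($sorted);
```

Running PHPStan (at a level that checks parameter types) or Psalm over this file flags only the last `select()` call, reporting that the parameter expects `literal-string` but received `string`. The two accepted calls show the pattern the talk advocates: user data either travels as a bound parameter or is mapped through an allow-list whose outputs are literals, so the analyser can prove the SQL text itself was written by a developer.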
About Craig
I've worked as a PHP developer for over 25 years, and have worked on quite a lot of projects. I believe all website developers should work to improve Accessibility, Performance, and Security. In regards to Security, I worked on some of the first production websites to implement CSP, Trusted Types, SameSite cookies, etc (working with the Google Chrome and Firefox developers to test and raise bug reports for the implementation of these features). I'm also one of the Co-Leads for the OWASP Bristol Chapter.
This event is organised by Humand Talent.