PHP Thames Valley (Oxfordshire and Berkshire) - 2 x Speakers + Networking

Join us monthly - for developers of all levels. Talks, socials & more. All frameworks welcome: Laravel, WordPress, Symfony, JS and beyond.

By Humand Talent

Location

Zerodegrees Microbrewery Reading

9 Bridge Street Reading RG1 2LR United Kingdom

Agenda

6:30 PM - 7:00 PM

Arrival and networking

7:00 PM - 7:40 PM

Talk with Craig Francis

7:40 PM - 7:50 PM

Break

7:50 PM - 8:30 PM

Talk with Oliver Davies

8:30 PM - 9:00 PM

More networking and close

About this event

  • Event lasts 2 hours 30 minutes

Hey Web Devs, PHPers and LAMPsters,

Join us on Wednesday 20th August 2025! We will be meeting upstairs in Zerodegrees in Reading, for talks, Q&A and networking 🐘

Free to attend and open to anyone interested in Software Development at any level!

📃 Agenda 📃

From 6:30pm - Arrival @ Zerodegrees

7:00pm - Talk from Craig Francis on "Ending Injection Vulnerabilities"

About Craig:

I've been a PHP developer for over 25 years, focusing on Accessibility, Performance, and Security - areas I believe should be core concerns for every developer; but programming languages and frameworks should provide safer defaults by design. I helped create the first production websites to implement a Content Security Policy (CSP), Trusted Types, and SameSite cookies; which involved feedback, testing, and bug reporting to the Google Chrome and Firefox teams. I'm also a Co-Lead of the OWASP Bristol Chapter.

About the Talk:

Injection Vulnerabilities continue to rank high on both OWASP Top 10 and CWE Top 25. Contrary to popular belief, database abstractions like Doctrine, and templating engines like Twig, do not inherently prevent SQL Injection or Cross-Site Scripting (XSS). This often leads to a false sense of security - especially in complex codebases or when junior developers (or AI tools) are involved. Fortunately, there's a simple and effective technique to catch these issues early: “distinguishing strings from a trusted developer, from strings that may be attacker controlled” (Mike Samuel, March 2019; and Christoph Kern, September 2014). This talk shows how the `literal-string` type can be used, with static analysis tools like PHPStan and Psalm, to prevent Injection Vulnerabilities.

Followed by Q+A

7:40pm - Break

7:50pm - Talk by Oliver Davies: Details TBC

8:30pm - Close

📢 Become a Speaker! 📢

Have something to say? We want to listen! We are always looking for new speakers who want to share their adventures with PHP. Please contact joseph@humand.co.uk

This event is organised + sponsored by Humand Talent.

Free
Aug 20 · 6:00 PM GMT+1