PHP Security: It doesn't have to be an oxymoron

Steve Meyers (02.May.2013 at 15:00)
Talk at OpenWest Conference 2013 (English - US)

Rating: 4 of 5


Comments

Rating: 5 of 5

02.May.2013 at 15:42 by Anonymous

Very easy to follow, great points, everything covered concisely but still enough to get out of it.

Rating: 5 of 5

02.May.2013 at 20:06 by Adam Barrett (7 comments) via api

Steve knows his stuff. Today we learned a few gems. I was hoping for more of the hows and fixes, but the preso was a great learning stub for my team.

Rating: 4 of 5

03.May.2013 at 11:20 by Trevor Carlston (4 comments)

He indicated in his presentation that he gathered the information from presentations given by Rasmus Lerdorf. I thought it was a good presentation with definite security concerns to be aware of when developing in PHP.

Rating: 3 of 5

04.May.2013 at 13:00 by Anonymous

Good information, but delivery was not very engaging.

Rating: 5 of 5

04.May.2013 at 13:30 by TJ Hunter (3 comments)

Good presentation. Covered the basics, but even as a long-time PHP user, I learned a few tricks to watch out for.

I credit Steve for getting me started on PHP about 13 years ago. It was good to see you again, Steve!

Rating: 4 of 5

04.May.2013 at 15:39 by Joshua Marsh (17 comments)

Several great points were made that I can do immediately to improve the security of software I'm writing. This was great.

Speaker comment:

04.May.2013 at 21:29 by Steve Meyers (46 comments)

Thanks for all the great feedback! For the anonymous feedback, I did feel that it wasn't my greatest delivery, but I'm glad you and others got some good information from it. Trevor, to clarify your comment, I stated that about half of the examples I used came from a talk Rasmus had given years ago. He's the one who really got me interested in really understanding web application security.

Rating: 4 of 5

04.May.2013 at 22:32 by Shaun Hustad (6 comments)

This was a good talk. Nothing flashy, but direct and to the point. Steve has a real confidence that comes from years of experience, and I was glad to benefit from his insight.

Rating: 4 of 5

05.May.2013 at 11:25 by Ashly Hunter (9 comments)

I think Steve did a great job at explaining some of the issues in PHP security, and enjoyed the presentation.

Rating: 2 of 5

06.May.2013 at 10:38 by JLW (16 comments)

Rasmus originally gave this talk six years ago so the tips were pretty old hat. Still relevant, but I was kind of hoping for something new or some greater detail. At one point Steve just said "you should implement access control" and that was basically it... no talk about HOW to do that.

I have to say I really took issue with Steve strongly suggesting that "other people's code" was rarely, if ever, to be trusted. It smacked of NIH syndrome and goes against the whole spirit of open source!

Speaker comment:

06.May.2013 at 11:11 by Steve Meyers (46 comments)

JLW - thanks for the feedback. I didn't intend to suggest that "other people's code was rarely, if ever, to be trusted". I stated that it is often more trustworthy. In fact, the point I was trying to make was that there are times when it is a very bad thing to invent your own code rather than using already proven code.

However, there are also times when it makes sense to use your own code rather than "some 13-year-old's code" (which is what I said in the talk). I was referring to random WordPress plugins and such that people like to install with no knowledge of how security-conscious the author is.

I apologize for not making this clear. I'll try to make that more clear in the future, along with some more details on access control. Access control is somewhat of an inexact science, however, as it really depends on your framework.
