PUT DOWN THE SUPERGLOBALS!
Secure PHP Dev with Inspekt

Ed Finkler • inspekt.org • @funkatron

tek-X 2010 • #tekx • #inspekt • http://joind.in/1593
Vulnerabilities!

Thursday; May 20, 2010 - Inspekt.org

What causes them?

Letting bad stuff in!

Where's bad stuff?

EVERYWHERE!!!

FIEO

Keep bad stuff from getting in

Don't send bad stuff out

Most of us know this

PHP makes it harder than it should be

It should be easy to do safe things

It should be hard to do dangerous things

Right now it's harder to be safe

That sucks

That won't change anytime soon

Inspekt is an attempt to change that

Make developers show intent

Stop direct access to Superglobals

example: SuperCage

Consequences

Simplify

Centralize

Avoid piecemeal filtering

Force demonstration of intent

Auditability

$_
OH NO YOU DIDN'T

Scoping

Superglobals are indeed GLOBAL

Use Singleton

Additional Functionality

Auto-filtering

example: config

wrap an arbitrary array in a cage

example: filter_array_cage

Build your own filters

example: extending

filter an array or scalar

example: filter_static_methods
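An added PHP sketch of the "cage" idea the slides above describe (SuperCage over a superglobal, wrapping an arbitrary array, building your own filters, and static filters that take a scalar or an array). This is illustration code written for this page, not Inspekt's own classes; the class name InputCage and its method names are invented, and PHP 7.4 or later is assumed.

```php
<?php
// Illustration of the cage pattern, not Inspekt's code. A cage copies a request
// array, empties the superglobal so nothing else in the request can read it, and
// only returns values through accessors that name the filter being applied.
// There is deliberately no untyped "getRaw()": every read must show intent.
final class InputCage
{
    private array $source;
    /** @var array<string, callable> caller-registered filters ("build your own") */
    private array $filters = [];

    private function __construct(array $source) { $this->source = $source; }

    // Wrap a superglobal by name and empty the original (the SuperCage idea).
    public static function fromSuperglobal(string $name): self
    {
        $cage = new self($GLOBALS[$name] ?? []);
        $GLOBALS[$name] = [];   // $_GET etc. is now empty for the rest of the request
        return $cage;
    }

    // Wrap an arbitrary array, e.g. a decoded request body or a config file.
    public static function fromArray(array $data): self { return new self($data); }

    // Static filters accept a scalar or recurse over an array; invalid values become null.
    public static function filterInt($value)
    {
        if (is_array($value)) return array_map([self::class, 'filterInt'], $value);
        $v = filter_var($value, FILTER_VALIDATE_INT);
        return $v === false ? null : $v;
    }

    public static function filterAlnum($value)
    {
        if (is_array($value)) return array_map([self::class, 'filterAlnum'], $value);
        return is_string($value) && ctype_alnum($value) ? $value : null;
    }

    // Accessors: the method name states what the caller expects, so a grep for
    // getInt/getAlnum is an audit of how each input is used.
    public function getInt(string $key)   { return self::filterInt($this->source[$key] ?? null); }
    public function getAlnum(string $key) { return self::filterAlnum($this->source[$key] ?? null); }

    public function addFilter(string $name, callable $fn): void { $this->filters[$name] = $fn; }
    public function getWith(string $filter, string $key)
    {
        if (!isset($this->filters[$filter])) throw new LogicException("unknown filter: $filter");
        return ($this->filters[$filter])($this->source[$key] ?? null);
    }
}

// Constructed sample request for the demo, not real traffic.
$_GET = ['id' => '42abc', 'user' => 'alice', 'tags' => ['7', 'x']];
$get = InputCage::fromSuperglobal('_GET');
$get->addFilter('slug', fn($v) => is_string($v) && preg_match('/^[a-z0-9-]+$/', $v) ? $v : null);
var_dump($get->getInt('id'), $get->getAlnum('user'), $get->getInt('tags'), $get->getWith('slug', 'user'));
var_dump($_GET);   // the superglobal itself is now empty: direct access is gone
```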
Questions?

http://funkatron.github.com/inspekt/
