Developer 545: Secure Coding in PHP: Developing Defensible Applications
SANS vLive! DEV545-200904
Webcast Classroom Training
Tuesday, July 7, 2009 - Thursday, July 16, 2009

CLOSED
Course Fee: $1,345.00


Instructor: Johannes Ullrich, PhD
Start Date:  Tuesday, July 7, 2009
End Date:  Thursday, July 16, 2009
Meeting Times:  7:00 PM - 10:00 PM EDT
Meeting Days
  • Tuesday, July 7
  • Thursday, July 9
  • Tuesday, July 14
  • Thursday, July 16
Where:
World Wide Web
Secure Site Requires Login ID & Password

Bio:
Johannes Ullrich, PhD: As chief research officer for the SANS Institute, Johannes is currently responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded DShield.org in 2000, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2004, Network World named him one of the 50 most powerful people in the networking industry. Prior to working for SANS, Johannes worked as a lead support engineer for a Web development company and as a research physicist. Johannes holds a PhD in Physics from SUNY Albany and is located in Jacksonville, Florida.

This course targets PHP programmers interested in learning more about how to code in PHP securely. It does require a good understanding of PHP and some experience writing PHP code. The course targets both beginning and advanced PHP programmers, but it is not appropriate for those who have not written any PHP code yet. We will not cover how to program PHP, only how to program PHP securely.

PHP as a programming language has a very easy learning curve. You can get started in minutes writing complex Web sites. Sadly, this ease of use and code-as-you-go approach frequently leads to insecure code. PHP provides a lot of freedom to do things wrong. Coding securely in PHP requires some extra thought and knowledge, which we will provide in this class. Coding in PHP without this knowledge can lead to problems, as insecure coding means exposing your data and your customers.

In our work at the SANS Internet Storm Center, not a day goes by that we do not receive a note about yet another Web site having been compromised and customer data stolen. How would you feel if an exploit was placed on your Web site and you then had to tell your customers that they may have been infected by malware simply because they accessed your site? But we do not just work the exploits. DShield.org, a big part of the Internet Storm Center, was written entirely in PHP, and the code has been available for public inspection. Lessons learned from our own mistakes have been incorporated into this course.

SEC545 covers all aspects of what is needed to code securely. We will not spend a lot of time explaining how to code in PHP. Instead we will dive right into the more advanced concepts, starting with additional PHP modules, like Suhosin, and how they can be used to harden your PHP application. We will not just tell you that input validation is important; instead, we will show you real code on how to do it right.

Hands-on exercises are used to reinforce what you have learned. You will be asked to review code. You will have to find errors and fix them yourself. We will talk about different options to authenticate users, from simple methods built into your server and browser to more complex custom authentication schemes. You will learn how to use sessions securely and how to provide access control to resources. How to log your users' actions is another quick chapter in the course. We even included a section on how to connect to Web services and how to offer your own, again, with the emphasis on how to do so securely. Want to learn more on how to avoid SQL injection? During day 2, that's exactly what we will cover. At the end of the course, we will go over some particularly tricky tasks step by step, showing you lots of sample code. How to deal with uploaded files? How to securely handle credit cards? How to send e-mail and PGP sign or encrypt it? How to execute shell commands securely? You'll learn all this. We even included a chapter on detecting attacks and shunning attackers.

The course uses a Linux virtual machine for exercises with PHP 5, Apache, and MySQL. But our focus will be on PHP. Users of Apache/PHP on Windows or users of other databases, like Oracle and PostgreSQL, will find that 90% of the course applies to them as well. If this is the case, you are free to bring your own set of tools to the class. Please make sure you have VMware Workstation, VMware Player, or VMware Fusion (for Mac) available. VMware Server will not work! See the laptop requirements for details.

Pre-requisites

A good understanding of PHP and SQL is required to attend this class. A good understanding of Web-based applications is also required. Students should also have worked with PHP for at least a few months.

Who Should Attend

  • PHP Programmers with some experience who would like to learn more about the security aspects of PHP
  • Anyone in charge of a large PHP coding project who is looking for a hands-on "code perspective" to security
  • PHP code auditors or QA personnel who need to find security flaws and need to tell programmers how to fix them