SlideShare a Scribd company logo

Memphis php html form processing with php

Joe Ferguson
Joe Ferguson

This document discusses best practices for processing HTML forms with PHP. It begins by introducing the presenter and describing common types of forms. It then discusses how to safely, securely, and reliably get input from users, emphasizing the importance of sanitizing and validating user data to prevent vulnerabilities like SQL injection. It provides examples of bad code and explains why it is insecure. The document then demonstrates how to properly sanitize and validate form input in PHP to avoid these risks. It concludes by offering tips, tricks, and additional resources on secure form handling.

TechnologyBusiness
1 of 55
Download to read offline
HTML Form Processing with PHP Tips, Tricks, and Bad Ideas
Who is this guy? Joe Ferguson - joe@joeferguson.me Professionally ● Web Developer at RocketFuel ● PHP / LAMP Focused Semi Professional ● Co-Organizer for MemphisPHP.org ● MidsouthMakers - Hackerspace Leader ● HACKmemphis.com Organizer
Types of Forms ● ● ● ● ● Login Form Contact Form Questionnaire Sign Up Form Order Form Every application that interacts with the user uses forms in some manner.
The Problem (Use Case) I have a PHP Application that needs input: How do I… ● safely ● securely ● reliably ... get that input or other data from my users?
Little Bobby Tables... http://xkcd.com/327/
Bad Ideas: Code stolen from someone I follow on twitter that was pointing out bad code…
Whiskey... What is this code even doing?! open a database connection... insert some data... run the insert query….
Tango... What is this code even doing?! create a new query… run the new query and return data...
Foxtrot... What is this code even doing?! close all open connections… get us the heck out of here...
Why is the code bad? ● Using PHP short tags ○ Must be enabled in php.ini use sparingly if at all ● No data sanitization ○ Security?! never important ● No data validation ○ who cares! he trusts his users ● Directly saving user input into a database ○ Begging for a little bobby tables incident ● Not using prepared statements ○ PDO - it’s the wave of the future!
How do I safely get form data? Sanitize it!
How do I securely get form data? HTTPS (SSL)
How do I reliably get form data? Validate it!
Assumptions for our examples ● Existing JavaScript validation that input exists. ● You are using a POST or GET method ● You’re using SSL You can find these slides and examples: https://github.com/Svpernova09
Oh PHP, you so easy…. Create our form:
Oh PHP, you so easy…. Add our form processing:
I’m REALLY good at this PHP thing Output when the form has been submitted:
What if .... ...someone clever comes along? ...someone malicious comes along?
Wait a minute…. HOW DID THIS HAPPEN!!!111>>!??
It was all going so beautifully... Where did we go wrong? Line 53: We used the raw input from the user. This leaves us WIDE open to many attacks.
WTF! But PHP is so EASY! The user put JavaScript in our field: Since we just echoed the input, we injected the user’s JavaScript directly into our page:
How do we prevent such attacks? We must go Back... to line 53! htmlentities() = don’t parse as HTML Browser: Source:
Different ways to sanitize data Data Filters ● Validate Filters ○ FILTER_VALIDATE_EMAIL ○ FILTER_VALIDATE_INT ● Sanitize Filters ○ FILTER_SANITIZE_STRING ○ FILTER_SANITIZE_NUMBER_INT ● htmlspecialchars() ● htmlentities()
htmlentities OR htmlspecialchars ? ● htmlspecialchars() will encode only characters that have special significance in HTML ○ Example: ■ echo htmlspecialchars('<Il était une fois un être>.'); ■ // Outputs: &lt;Il était une fois un être&gt;. ● htmlentities() all characters which have HTML character entity equivalents are translated into these entities ○ Example: ■ ■ echo htmlentities('<Il était une fois un être>.'); // Outputs: &lt;Il &eacute;tait une fois un &ecirc;tre&gt; GREAT Explanation: http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars
filter_var or html* ? Data Filters are newer than html* functions They are the “better” way. They also depend on newer versions of PHP
But I’m a small shop, & trust users You can’t trust input from ANYONE! ● ● ● ● ● ● ● You Your Parents Your Co Workers Your Boss Your App’s Users Other Apps The Internet
Should I sanitize or validate? BOTH! SANITIZING your data is removing (or encoding) a specific set of characters from your data. VALIDATING your data is making sure the data is in the format you expect to be in.
Sanitizing Data Our new form (Example: 02 - Sanitizing Data)
Sanitizing Data Form Code View (Example: 02 - Sanitizing Data)
Sanitizing Data - Data Entry This is the type of input we want...
Sanitizing Data - Data Entry Make sure no malicious code is in the data... Output:
Sanitizing Data - BETTER way The more modern way: filter_var with flags: Output is the same:
Testing our Data Sanitization
What about check boxes? Let’s add a check box to our form
Sanitize everything! Even check boxes should be sanitized
Validating User Input Our new form (Example: 03 - Validating Data)
Validating User Input Form Code View (Example: 03 - Validating Data)
Validating User Input - Data Entry This is the type of input we want...
Validating Data - Data Entry Make sure the data conforms to expectations
Validating Data - Data Entry Output
Testing Our Validation
Testing Our Validation If we don’t enter an age… if we don’t enter our email...
What do we do with the data? No matter what you do from here… - the hard part is over. Your data is now: ● Validated! ● Sanitized!
Remember that Bad Idea?
Better idea...
Tips ● ALWAYS Sanitize your data. ○ Even if you don’t validate it. ○ Some data is harder to validate than others ● Use JavaScript to enforce requirements ○ JavaScript is great for checking data before it gets submitted. This makes PHP’s job easier ○ Don’t rely on JS to sanitize. Let PHP handle it. ● Offload your PHP processing via Ajax ○ Keeps your code cleaner by separating heavy lifting of data validation out of your form code. ● Show your users where they failed. ○ This also makes your own debugging easier
Tricks - Ajax Form Handling Form Code View (Example: 04 Ajax Form Handling)
Tricks Ajax Form Handling Ajax JavaScript to post the form
Tricks Ajax Form Handling This is the file we’re posting the form data to
Tricks Ajax Form Handling Output This allows you to separate logic away from the file that contains your form.
Tricks - Some tricks won’t last... Issue: Application Form getting spammed. Steps taken: ● We added reCAPTCHA Issue slowed, after some time they continued Further steps: For some reason the spam stopped...
Tricks - Getting Creative Add a question to your form:
Tricks - Getting Creative If the user answers correctly: If the user answers incorrectly:
Better Ideas: CSI:php - csiphp.com CSI:PHP is a great site to see not only bad code, but WHY it’s bad and how to make it better.
Links - Q & A ● ● ● ● MemphisPHP.org phptherightway.com CSIPHP.com Slides & Code Samples: ○ https://github.com/svpernova09 ● htmlentities() or htmlspecialchars()? ○ http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars ● xkcd: http://xkcd.com/

Recommended

Helpful logging with python
Helpful logging with pythonHelpful logging with python
Helpful logging with pythonroskakori
 
25 php interview questions – codementor
25 php interview questions – codementor25 php interview questions – codementor
25 php interview questions – codementorArc & Codementor
 
Javascript
JavascriptJavascript
JavascriptNital Shingala
 
Php Presentation
Php PresentationPhp Presentation
Php PresentationManish Bothra
 
PHP Tutorials
PHP TutorialsPHP Tutorials
PHP TutorialsYuriy Krapivko
 
PHP for HTML Gurus - J and Beyond 2012
PHP for HTML Gurus - J and Beyond 2012PHP for HTML Gurus - J and Beyond 2012
PHP for HTML Gurus - J and Beyond 2012Andrea Tarr
 
Script login form php
Script login form phpScript login form php
Script login form phpHanief Rpl
 
Ns3
Ns3Ns3
Ns3Rehmat Ullah
 

Recommended

Helpful logging with python
Helpful logging with pythonHelpful logging with python
Helpful logging with pythonroskakori
 
25 php interview questions – codementor
25 php interview questions – codementor25 php interview questions – codementor
25 php interview questions – codementorArc & Codementor
 
Javascript
JavascriptJavascript
JavascriptNital Shingala
 
Php Presentation
Php PresentationPhp Presentation
Php PresentationManish Bothra
 
PHP Tutorials
PHP TutorialsPHP Tutorials
PHP TutorialsYuriy Krapivko
 
PHP for HTML Gurus - J and Beyond 2012
PHP for HTML Gurus - J and Beyond 2012PHP for HTML Gurus - J and Beyond 2012
PHP for HTML Gurus - J and Beyond 2012Andrea Tarr
 
Script login form php
Script login form phpScript login form php
Script login form phpHanief Rpl
 
Ns3
Ns3Ns3
Ns3Rehmat Ullah
 
Making web forms using php
Making web forms using phpMaking web forms using php
Making web forms using phpkrishnapriya Tadepalli
 
Php Form
Php FormPhp Form
Php Formlotlot
 
Chapter 02 php basic syntax
Chapter 02 php basic syntaxChapter 02 php basic syntax
Chapter 02 php basic syntaxDhani Ahmad
 
Chapter 07 php forms handling
Chapter 07 php forms handlingChapter 07 php forms handling
Chapter 07 php forms handlingDhani Ahmad
 
ns-3: History and Future
ns-3: History and Futurens-3: History and Future
ns-3: History and Futuremathieu_lacage
 
Network Simulation NS3
Network Simulation NS3Network Simulation NS3
Network Simulation NS3baddi youssef
 
3 php forms
3 php forms3 php forms
3 php formshello8421
 
Arrays &amp; functions in php
Arrays &amp; functions in phpArrays &amp; functions in php
Arrays &amp; functions in phpAshish Chamoli
 
Form Processing In Php
Form Processing In PhpForm Processing In Php
Form Processing In PhpHarit Kothari
 
Creating a Simple PHP and MySQL-Based Login System
Creating a Simple PHP and MySQL-Based Login SystemCreating a Simple PHP and MySQL-Based Login System
Creating a Simple PHP and MySQL-Based Login SystemAzharul Haque Shohan
 
Php forms
Php formsPhp forms
Php formsAnne Lee
 
Building Topology in NS3
Building Topology in NS3Building Topology in NS3
Building Topology in NS3Rahul Hada
 
Tutorial ns 3-tutorial-slides
Tutorial ns 3-tutorial-slidesTutorial ns 3-tutorial-slides
Tutorial ns 3-tutorial-slidesVinayagam D
 
ns-3 Tutorial
ns-3 Tutorialns-3 Tutorial
ns-3 Tutorialmathieu_lacage
 
Php and MySQL
Php and MySQLPhp and MySQL
Php and MySQLTiji Thomas
 
PHP Web Programming
PHP Web ProgrammingPHP Web Programming
PHP Web ProgrammingMuthuselvam RS
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHPJussi Pohjolainen
 
Proper Connections Development for Proper Domino Developers
Proper Connections Development for Proper Domino DevelopersProper Connections Development for Proper Domino Developers
Proper Connections Development for Proper Domino DevelopersMark Myers
 
Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014Alan Richardson
 
DEF CON 27 - JOSHUA MADDUX - api induced ssrf
DEF CON 27 - JOSHUA MADDUX - api induced ssrfDEF CON 27 - JOSHUA MADDUX - api induced ssrf
DEF CON 27 - JOSHUA MADDUX - api induced ssrfFelipe Prado
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsFelipe Prado
 
[DevDay2018] High quality mindset in software development - By: Phat Vu, Scru...
[DevDay2018] High quality mindset in software development - By: Phat Vu, Scru...[DevDay2018] High quality mindset in software development - By: Phat Vu, Scru...
[DevDay2018] High quality mindset in software development - By: Phat Vu, Scru...DevDay.org
 

More Related Content

Viewers also liked

Php Form
Php FormPhp Form
Php Formlotlot
 
Chapter 02 php basic syntax
Chapter 02 php basic syntaxChapter 02 php basic syntax
Chapter 02 php basic syntaxDhani Ahmad
 
Chapter 07 php forms handling
Chapter 07 php forms handlingChapter 07 php forms handling
Chapter 07 php forms handlingDhani Ahmad
 
ns-3: History and Future
ns-3: History and Futurens-3: History and Future
ns-3: History and Futuremathieu_lacage
 
Network Simulation NS3
Network Simulation NS3Network Simulation NS3
Network Simulation NS3baddi youssef
 
Arrays &amp; functions in php
Arrays &amp; functions in phpArrays &amp; functions in php
Arrays &amp; functions in phpAshish Chamoli
 
Form Processing In Php
Form Processing In PhpForm Processing In Php
Form Processing In PhpHarit Kothari
 
Creating a Simple PHP and MySQL-Based Login System
Creating a Simple PHP and MySQL-Based Login SystemCreating a Simple PHP and MySQL-Based Login System
Creating a Simple PHP and MySQL-Based Login SystemAzharul Haque Shohan
 
Building Topology in NS3
Building Topology in NS3Building Topology in NS3
Building Topology in NS3Rahul Hada
 
Tutorial ns 3-tutorial-slides
Tutorial ns 3-tutorial-slidesTutorial ns 3-tutorial-slides
Tutorial ns 3-tutorial-slidesVinayagam D
 

Viewers also liked (17)

Making web forms using php
Making web forms using phpMaking web forms using php
Making web forms using php
 
Php Form
Php FormPhp Form
Php Form
 
Chapter 02 php basic syntax
Chapter 02 php basic syntaxChapter 02 php basic syntax
Chapter 02 php basic syntax
 
Chapter 07 php forms handling
Chapter 07 php forms handlingChapter 07 php forms handling
Chapter 07 php forms handling
 
ns-3: History and Future
ns-3: History and Futurens-3: History and Future
ns-3: History and Future
 
Network Simulation NS3
Network Simulation NS3Network Simulation NS3
Network Simulation NS3
 
3 php forms
3 php forms3 php forms
3 php forms
 
Arrays &amp; functions in php
Arrays &amp; functions in phpArrays &amp; functions in php
Arrays &amp; functions in php
 
Form Processing In Php
Form Processing In PhpForm Processing In Php
Form Processing In Php
 
Creating a Simple PHP and MySQL-Based Login System
Creating a Simple PHP and MySQL-Based Login SystemCreating a Simple PHP and MySQL-Based Login System
Creating a Simple PHP and MySQL-Based Login System
 
Php forms
Php formsPhp forms
Php forms
 
Building Topology in NS3
Building Topology in NS3Building Topology in NS3
Building Topology in NS3
 
Tutorial ns 3-tutorial-slides
Tutorial ns 3-tutorial-slidesTutorial ns 3-tutorial-slides
Tutorial ns 3-tutorial-slides
 
ns-3 Tutorial
ns-3 Tutorialns-3 Tutorial
ns-3 Tutorial
 
Php and MySQL
Php and MySQLPhp and MySQL
Php and MySQL
 
PHP Web Programming
PHP Web ProgrammingPHP Web Programming
PHP Web Programming
 
Introduction to PHP
Introduction to PHPIntroduction to PHP
Introduction to PHP
 

Similar to Memphis php html form processing with php

Proper Connections Development for Proper Domino Developers
Proper Connections Development for Proper Domino DevelopersProper Connections Development for Proper Domino Developers
Proper Connections Development for Proper Domino DevelopersMark Myers
 
Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014Alan Richardson
 
DEF CON 27 - JOSHUA MADDUX - api induced ssrf
DEF CON 27 - JOSHUA MADDUX - api induced ssrfDEF CON 27 - JOSHUA MADDUX - api induced ssrf
DEF CON 27 - JOSHUA MADDUX - api induced ssrfFelipe Prado
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsFelipe Prado
 
[DevDay2018] High quality mindset in software development - By: Phat Vu, Scru...
[DevDay2018] High quality mindset in software development - By: Phat Vu, Scru...[DevDay2018] High quality mindset in software development - By: Phat Vu, Scru...
[DevDay2018] High quality mindset in software development - By: Phat Vu, Scru...DevDay.org
 
ASAE Tech: Data Data Everywhere
ASAE Tech: Data Data EverywhereASAE Tech: Data Data Everywhere
ASAE Tech: Data Data Everywheremjgoldsmith
 
Abraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permissionAbraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permissionYury Chemerkin
 
Building a Beer Recommender with Yhat (PAPIs.io - November 2014)
Building a Beer Recommender with Yhat (PAPIs.io - November 2014)Building a Beer Recommender with Yhat (PAPIs.io - November 2014)
Building a Beer Recommender with Yhat (PAPIs.io - November 2014)Austin Ogilvie
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityMatt Tesauro
 
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingWordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingAaron Saray
 
Data Data Everywhere: Drowning in a Sea of Analytics
Data Data Everywhere: Drowning in a Sea of AnalyticsData Data Everywhere: Drowning in a Sea of Analytics
Data Data Everywhere: Drowning in a Sea of AnalyticsMegan Denhardt
 
Security Best Practices for Bot Builders
Security Best Practices for Bot BuildersSecurity Best Practices for Bot Builders
Security Best Practices for Bot BuildersMax Feldman
 
SenchaCon 2016: Expect the Unexpected - Dealing with Errors in Web Apps
SenchaCon 2016: Expect the Unexpected - Dealing with Errors in Web AppsSenchaCon 2016: Expect the Unexpected - Dealing with Errors in Web Apps
SenchaCon 2016: Expect the Unexpected - Dealing with Errors in Web AppsSencha
 
Test execution
Test executionTest execution
Test executionadarsh j
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
PANIC Project - BRUCon 2012 Presentation
PANIC Project - BRUCon 2012 PresentationPANIC Project - BRUCon 2012 Presentation
PANIC Project - BRUCon 2012 Presentationbiosshadow
 

Similar to Memphis php html form processing with php (20)

Proper Connections Development for Proper Domino Developers
Proper Connections Development for Proper Domino DevelopersProper Connections Development for Proper Domino Developers
Proper Connections Development for Proper Domino Developers
 
Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014Black Ops Testing Workshop from Agile Testing Days 2014
Black Ops Testing Workshop from Agile Testing Days 2014
 
DEF CON 27 - JOSHUA MADDUX - api induced ssrf
DEF CON 27 - JOSHUA MADDUX - api induced ssrfDEF CON 27 - JOSHUA MADDUX - api induced ssrf
DEF CON 27 - JOSHUA MADDUX - api induced ssrf
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
 
[DevDay2018] High quality mindset in software development - By: Phat Vu, Scru...
[DevDay2018] High quality mindset in software development - By: Phat Vu, Scru...[DevDay2018] High quality mindset in software development - By: Phat Vu, Scru...
[DevDay2018] High quality mindset in software development - By: Phat Vu, Scru...
 
ASAE Tech: Data Data Everywhere
ASAE Tech: Data Data EverywhereASAE Tech: Data Data Everywhere
ASAE Tech: Data Data Everywhere
 
2600 Thailand #50 From 0day to CVE
2600 Thailand #50 From 0day to CVE2600 Thailand #50 From 0day to CVE
2600 Thailand #50 From 0day to CVE
 
Abraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permissionAbraham aranguren. legal and efficient web app testing without permission
Abraham aranguren. legal and efficient web app testing without permission
 
Swift meetup22june2015
Swift meetup22june2015Swift meetup22june2015
Swift meetup22june2015
 
Angular
AngularAngular
Angular
 
Building a Beer Recommender with Yhat (PAPIs.io - November 2014)
Building a Beer Recommender with Yhat (PAPIs.io - November 2014)Building a Beer Recommender with Yhat (PAPIs.io - November 2014)
Building a Beer Recommender with Yhat (PAPIs.io - November 2014)
 
Peeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API SecurityPeeling the Onion: Making Sense of the Layers of API Security
Peeling the Onion: Making Sense of the Layers of API Security
 
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingWordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
 
Data Data Everywhere: Drowning in a Sea of Analytics
Data Data Everywhere: Drowning in a Sea of AnalyticsData Data Everywhere: Drowning in a Sea of Analytics
Data Data Everywhere: Drowning in a Sea of Analytics
 
OpenID Connect
OpenID ConnectOpenID Connect
OpenID Connect
 
Security Best Practices for Bot Builders
Security Best Practices for Bot BuildersSecurity Best Practices for Bot Builders
Security Best Practices for Bot Builders
 
SenchaCon 2016: Expect the Unexpected - Dealing with Errors in Web Apps
SenchaCon 2016: Expect the Unexpected - Dealing with Errors in Web AppsSenchaCon 2016: Expect the Unexpected - Dealing with Errors in Web Apps
SenchaCon 2016: Expect the Unexpected - Dealing with Errors in Web Apps
 
Test execution
Test executionTest execution
Test execution
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
PANIC Project - BRUCon 2012 Presentation
PANIC Project - BRUCon 2012 PresentationPANIC Project - BRUCon 2012 Presentation
PANIC Project - BRUCon 2012 Presentation
 

More from Joe Ferguson

Modern infrastructure as code with ansible cake fest 2021
Modern infrastructure as code with ansible cake fest 2021Modern infrastructure as code with ansible cake fest 2021
Modern infrastructure as code with ansible cake fest 2021Joe Ferguson
 
Modern infrastructure as code with ansible PyTN
Modern infrastructure as code with ansible PyTNModern infrastructure as code with ansible PyTN
Modern infrastructure as code with ansible PyTNJoe Ferguson
 
Slim PHP when you don't need the kitchen sink
Slim PHP when you don't need the kitchen sinkSlim PHP when you don't need the kitchen sink
Slim PHP when you don't need the kitchen sinkJoe Ferguson
 
Throwing Laravel into your Legacy App™
Throwing Laravel into your Legacy App™Throwing Laravel into your Legacy App™
Throwing Laravel into your Legacy App™Joe Ferguson
 
DevSpace Conf 2017 - Making sense of the provisioning circus
DevSpace Conf 2017 - Making sense of the provisioning circusDevSpace Conf 2017 - Making sense of the provisioning circus
DevSpace Conf 2017 - Making sense of the provisioning circusJoe Ferguson
 
Release and-dependency-management memphis python
Release and-dependency-management memphis pythonRelease and-dependency-management memphis python
Release and-dependency-management memphis pythonJoe Ferguson
 
Composer at Scale, Release and Dependency Management
Composer at Scale, Release and Dependency ManagementComposer at Scale, Release and Dependency Management
Composer at Scale, Release and Dependency ManagementJoe Ferguson
 
Put an end to regression with codeception testing
Put an end to regression with codeception testingPut an end to regression with codeception testing
Put an end to regression with codeception testingJoe Ferguson
 
Midwest PHP 2017 DevOps For Small team
Midwest PHP 2017 DevOps For Small teamMidwest PHP 2017 DevOps For Small team
Midwest PHP 2017 DevOps For Small teamJoe Ferguson
 
All the Laravel Things – Up & Running to Making $$
All the Laravel Things – Up & Running to Making $$All the Laravel Things – Up & Running to Making $$
All the Laravel Things – Up & Running to Making $$Joe Ferguson
 
Console Apps: php artisan forthe:win
Console Apps: php artisan forthe:win Console Apps: php artisan forthe:win
Console Apps: php artisan forthe:win Joe Ferguson
 
Console Apps: php artisan forthe:win
Console Apps: php artisan forthe:winConsole Apps: php artisan forthe:win
Console Apps: php artisan forthe:winJoe Ferguson
 
All the Laravel things: up and running to making $$
All the Laravel things: up and running to making $$All the Laravel things: up and running to making $$
All the Laravel things: up and running to making $$Joe Ferguson
 
So You Just Inherited a $Legacy Application… NomadPHP July 2016
So You Just Inherited a $Legacy Application… NomadPHP July 2016So You Just Inherited a $Legacy Application… NomadPHP July 2016
So You Just Inherited a $Legacy Application… NomadPHP July 2016Joe Ferguson
 
So You Just Inherited a $Legacy Application...
So You Just Inherited a $Legacy Application...So You Just Inherited a $Legacy Application...
So You Just Inherited a $Legacy Application...Joe Ferguson
 
Laravel Forge: Hello World to Hello Production
Laravel Forge: Hello World to Hello ProductionLaravel Forge: Hello World to Hello Production
Laravel Forge: Hello World to Hello ProductionJoe Ferguson
 
MidwestPHP 2016 - Adventures in Laravel 5
MidwestPHP 2016 - Adventures in Laravel 5 MidwestPHP 2016 - Adventures in Laravel 5
MidwestPHP 2016 - Adventures in Laravel 5 Joe Ferguson
 
Acceptance & Functional Testing with Codeception - SunshinePHP 2016
Acceptance & Functional Testing with Codeception - SunshinePHP 2016Acceptance & Functional Testing with Codeception - SunshinePHP 2016
Acceptance & Functional Testing with Codeception - SunshinePHP 2016Joe Ferguson
 
Adventures in Laravel 5 SunshinePHP 2016 Tutorial
Adventures in Laravel 5 SunshinePHP 2016 TutorialAdventures in Laravel 5 SunshinePHP 2016 Tutorial
Adventures in Laravel 5 SunshinePHP 2016 TutorialJoe Ferguson
 
php[world] 2015 Laravel 5.1: From Homestead to the Cloud
php[world] 2015 Laravel 5.1: From Homestead to the Cloudphp[world] 2015 Laravel 5.1: From Homestead to the Cloud
php[world] 2015 Laravel 5.1: From Homestead to the CloudJoe Ferguson
 

More from Joe Ferguson (20)

Modern infrastructure as code with ansible cake fest 2021
Modern infrastructure as code with ansible cake fest 2021Modern infrastructure as code with ansible cake fest 2021
Modern infrastructure as code with ansible cake fest 2021
 
Modern infrastructure as code with ansible PyTN
Modern infrastructure as code with ansible PyTNModern infrastructure as code with ansible PyTN
Modern infrastructure as code with ansible PyTN
 
Slim PHP when you don't need the kitchen sink
Slim PHP when you don't need the kitchen sinkSlim PHP when you don't need the kitchen sink
Slim PHP when you don't need the kitchen sink
 
Throwing Laravel into your Legacy App™
Throwing Laravel into your Legacy App™Throwing Laravel into your Legacy App™
Throwing Laravel into your Legacy App™
 
DevSpace Conf 2017 - Making sense of the provisioning circus
DevSpace Conf 2017 - Making sense of the provisioning circusDevSpace Conf 2017 - Making sense of the provisioning circus
DevSpace Conf 2017 - Making sense of the provisioning circus
 
Release and-dependency-management memphis python
Release and-dependency-management memphis pythonRelease and-dependency-management memphis python
Release and-dependency-management memphis python
 
Composer at Scale, Release and Dependency Management
Composer at Scale, Release and Dependency ManagementComposer at Scale, Release and Dependency Management
Composer at Scale, Release and Dependency Management
 
Put an end to regression with codeception testing
Put an end to regression with codeception testingPut an end to regression with codeception testing
Put an end to regression with codeception testing
 
Midwest PHP 2017 DevOps For Small team
Midwest PHP 2017 DevOps For Small teamMidwest PHP 2017 DevOps For Small team
Midwest PHP 2017 DevOps For Small team
 
All the Laravel Things – Up & Running to Making $$
All the Laravel Things – Up & Running to Making $$All the Laravel Things – Up & Running to Making $$
All the Laravel Things – Up & Running to Making $$
 
Console Apps: php artisan forthe:win
Console Apps: php artisan forthe:win Console Apps: php artisan forthe:win
Console Apps: php artisan forthe:win
 
Console Apps: php artisan forthe:win
Console Apps: php artisan forthe:winConsole Apps: php artisan forthe:win
Console Apps: php artisan forthe:win
 
All the Laravel things: up and running to making $$
All the Laravel things: up and running to making $$All the Laravel things: up and running to making $$
All the Laravel things: up and running to making $$
 
So You Just Inherited a $Legacy Application… NomadPHP July 2016
So You Just Inherited a $Legacy Application… NomadPHP July 2016So You Just Inherited a $Legacy Application… NomadPHP July 2016
So You Just Inherited a $Legacy Application… NomadPHP July 2016
 
So You Just Inherited a $Legacy Application...
So You Just Inherited a $Legacy Application...So You Just Inherited a $Legacy Application...
So You Just Inherited a $Legacy Application...
 
Laravel Forge: Hello World to Hello Production
Laravel Forge: Hello World to Hello ProductionLaravel Forge: Hello World to Hello Production
Laravel Forge: Hello World to Hello Production
 
MidwestPHP 2016 - Adventures in Laravel 5
MidwestPHP 2016 - Adventures in Laravel 5 MidwestPHP 2016 - Adventures in Laravel 5
MidwestPHP 2016 - Adventures in Laravel 5
 
Acceptance & Functional Testing with Codeception - SunshinePHP 2016
Acceptance & Functional Testing with Codeception - SunshinePHP 2016Acceptance & Functional Testing with Codeception - SunshinePHP 2016
Acceptance & Functional Testing with Codeception - SunshinePHP 2016
 
Adventures in Laravel 5 SunshinePHP 2016 Tutorial
Adventures in Laravel 5 SunshinePHP 2016 TutorialAdventures in Laravel 5 SunshinePHP 2016 Tutorial
Adventures in Laravel 5 SunshinePHP 2016 Tutorial
 
php[world] 2015 Laravel 5.1: From Homestead to the Cloud
php[world] 2015 Laravel 5.1: From Homestead to the Cloudphp[world] 2015 Laravel 5.1: From Homestead to the Cloud
php[world] 2015 Laravel 5.1: From Homestead to the Cloud
 

Recently uploaded

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 

Recently uploaded (20)

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 

Memphis php html form processing with php

  • 1. HTML Form Processing with PHP Tips, Tricks, and Bad Ideas
  • 2. Who is this guy? Joe Ferguson - joe@joeferguson.me Professionally ● Web Developer at RocketFuel ● PHP / LAMP Focused Semi Professional ● Co-Organizer for MemphisPHP.org ● MidsouthMakers - Hackerspace Leader ● HACKmemphis.com Organizer
  • 3. Types of Forms ● ● ● ● ● Login Form Contact Form Questionnaire Sign Up Form Order Form Every application that interacts with the user uses forms in some manner.
  • 4. The Problem (Use Case) I have a PHP Application that needs input: How do I… ● safely ● securely ● reliably ... get that input or other data from my users?
  • 6. Bad Ideas: Code stolen from someone I follow on twitter that was pointing out bad code…
  • 7. Whiskey... What is this code even doing?! open a database connection... insert some data... run the insert query….
  • 8. Tango... What is this code even doing?! create a new query… run the new query and return data...
  • 9. Foxtrot... What is this code even doing?! close all open connections… get us the heck out of here...
  • 10. Why is the code bad? ● Using PHP short tags ○ Must be enabled in php.ini use sparingly if at all ● No data sanitization ○ Security?! never important ● No data validation ○ who cares! he trusts his users ● Directly saving user input into a database ○ Begging for a little bobby tables incident ● Not using prepared statements ○ PDO - it’s the wave of the future!
  • 11. How do I safely get form data? Sanitize it!
  • 12. How do I securely get form data? HTTPS (SSL)
  • 13. How do I reliably get form data? Validate it!
  • 14. Assumptions for our examples ● Existing JavaScript validation that input exists. ● You are using a POST or GET method ● You’re using SSL You can find these slides and examples: https://github.com/Svpernova09
  • 15. Oh PHP, you so easy…. Create our form:
  • 16. Oh PHP, you so easy…. Add our form processing:
  • 17. I’m REALLY good at this PHP thing Output when the form has been submitted:
  • 18. What if .... ...someone clever comes along? ...someone malicious comes along?
  • 19. Wait a minute…. HOW DID THIS HAPPEN!!!111>>!??
  • 20. It was all going so beautifully... Where did we go wrong? Line 53: We used the raw input from the user. This leaves us WIDE open to many attacks.
  • 21. WTF! But PHP is so EASY! The user put JavaScript in our field: Since we just echoed the input, we injected the user’s JavaScript directly into our page:
  • 22. How do we prevent such attacks? We must go Back... to line 53! htmlentities() = don’t parse as HTML Browser: Source:
  • 23. Different ways to sanitize data Data Filters ● Validate Filters ○ FILTER_VALIDATE_EMAIL ○ FILTER_VALIDATE_INT ● Sanitize Filters ○ FILTER_SANITIZE_STRING ○ FILTER_SANITIZE_NUMBER_INT ● htmlspecialchars() ● htmlentities()
  • 24. htmlentities OR htmlspecialchars ? ● htmlspecialchars() will encode only characters that have special significance in HTML ○ Example: ■ echo htmlspecialchars('<Il était une fois un être>.'); ■ // Outputs: &lt;Il était une fois un être&gt;. ● htmlentities() all characters which have HTML character entity equivalents are translated into these entities ○ Example: ■ ■ echo htmlentities('<Il était une fois un être>.'); // Outputs: &lt;Il &eacute;tait une fois un &ecirc;tre&gt; GREAT Explanation: http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars
  • 25. filter_var or html* ? Data Filters are newer than html* functions They are the “better” way. They also depend on newer versions of PHP
  • 26. But I’m a small shop, & trust users You can’t trust input from ANYONE! ● ● ● ● ● ● ● You Your Parents Your Co Workers Your Boss Your App’s Users Other Apps The Internet
  • 27. Should I sanitize or validate? BOTH! SANITIZING your data is removing (or encoding) a specific set of characters from your data. VALIDATING your data is making sure the data is in the format you expect to be in.
  • 28. Sanitizing Data Our new form (Example: 02 - Sanitizing Data)
  • 29. Sanitizing Data Form Code View (Example: 02 - Sanitizing Data)
  • 30. Sanitizing Data - Data Entry This is the type of input we want...
  • 31. Sanitizing Data - Data Entry Make sure no malicious code is in the data... Output:
  • 32. Sanitizing Data - BETTER way The more modern way: filter_var with flags: Output is the same:
  • 33. Testing our Data Sanitization
  • 34. What about check boxes? Let’s add a check box to our form
  • 35. Sanitize everything! Even check boxes should be sanitized
  • 36. Validating User Input Our new form (Example: 03 - Validating Data)
  • 37. Validating User Input Form Code View (Example: 03 - Validating Data)
  • 38. Validating User Input - Data Entry This is the type of input we want...
  • 39. Validating Data - Data Entry Make sure the data conforms to expectations
  • 40. Validating Data - Data Entry Output
  • 42. Testing Our Validation If we don’t enter an age… if we don’t enter our email...
  • 43. What do we do with the data? No matter what you do from here… - the hard part is over. Your data is now: ● Validated! ● Sanitized!
  • 46. Tips ● ALWAYS Sanitize your data. ○ Even if you don’t validate it. ○ Some data is harder to validate than others ● Use JavaScript to enforce requirements ○ JavaScript is great for checking data before it gets submitted. This makes PHP’s job easier ○ Don’t rely on JS to sanitize. Let PHP handle it. ● Offload your PHP processing via Ajax ○ Keeps your code cleaner by separating heavy lifting of data validation out of your form code. ● Show your users where they failed. ○ This also makes your own debugging easier
  • 47. Tricks - Ajax Form Handling Form Code View (Example: 04 Ajax Form Handling)
  • 48. Tricks Ajax Form Handling Ajax JavaScript to post the form
  • 49. Tricks Ajax Form Handling This is the file we’re posting the form data to
  • 50. Tricks Ajax Form Handling Output This allows you to separate logic away from the file that contains your form.
  • 51. Tricks - Some tricks won’t last... Issue: Application Form getting spammed. Steps taken: ● We added reCAPTCHA Issue slowed, after some time they continued Further steps: For some reason the spam stopped...
  • 52. Tricks - Getting Creative Add a question to your form:
  • 53. Tricks - Getting Creative If the user answers correctly: If the user answers incorrectly:
  • 54. Better Ideas: CSI:php - csiphp.com CSI:PHP is a great site to see not only bad code, but WHY it’s bad and how to make it better.
  • 55. Links - Q & A ● ● ● ● MemphisPHP.org phptherightway.com CSIPHP.com Slides & Code Samples: ○ https://github.com/svpernova09 ● htmlentities() or htmlspecialchars()? ○ http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars ● xkcd: http://xkcd.com/