Conférence PHP Québec 2008

2008-03-14 14:53:00 (ID: 57, Parent: 0, Type: page)
=External links=

* [ Official site] of the conference
* [ Some slides]

=Additional information=

* A DVD of the 2004 conference is available in the library

=Day 1 - Thursday=
==The age of literate machines==
        - Speaker: Zak Greant
        - High interest, mostly philosophical conference
        - Communication since the beginning
        - The power of information
        - scribes, printers, etc
        - Control of information (book burning, people killing)
        - Publication monopoly
        - with radio and TV, people lost the power of communication
        - we are regaining it with the internet
        - Use open standards

==Performance-minded MySQL for PHP Developers==
        - Speaker: Jay Pipes (MySQL inc.) 
        - PDF: 

==Help. My web site has been hacked! Now what?==
        - Speaker: Eli White
        - Skills: Software (not hardware or sysadmin)
        - he talks about it a lot through examples
        -  or—EliW
        - book: PHP 5 in practice
        - Thinking about security
        - 3 stages
            - prevention
            - preparation
            - panic
        - Definition of hacked
            - SQL Injection
            - XSS
            - CSRF (Cross Site...)
            - Session Hijacking
            - Not talking here about: network attacks,
              apache/php/mysql, physicals
        - SQL Injection
            - Validate every entry received from the user
            - User sends data that is interpreted by the database
        - XSS
            - User sends data that is directly interpreted as HTML (and
              therefore javascript)
        - CSRF
            - Forge or force a request on behalf of another user
            - ex: inject an img tag that loads an image from another web
        - Session Hijacking
            - session_start()
            - session_regenerate_id() upon any change of permission
            - if ($_SESSION !=regenerate_secret()
        - Discovery methods
            - whitehat, hacker announcement & exploit, user complaints,
              physical demarcation, logs/stats monitoring
            - hints:
                - check for sql statement in apache logs
        - Immediate response
            - Let it live
            - Break functionality
            - shutdown website
        - look around to find everything that has been exploited,
          corrupted, and so on.
        - look up the hacker's announcements; they could help find the issue
            - view source
            - view generated source
            - scan for all javascript and .js files
            - look for iframes
        - looking at logs
            - limit timeframe
            - look for odd or out of sequence events
            - scan for GET parameters that are improper
            - scan other fields such as referer and user agent
            - track: who, when, ip, referer and more
            - log all SQL queries that fail
                - first attempts will fail
                - malformed SQL statements are the best culprits
                - scan for common XSS terms (script, onclick, onfocus)
            - look in the database for bad data
                - ex: select username from usertable where username
                  like '%onclick%'
        - Obscure Stuff
            - Referer, User-Agent, Cookies, etc
            - htmldecode() after escaping, encoded javascript, etc
            - if there is a change between php/html/database encoding
              (utf, iso, ...) the escaping may not work properly
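
The log review steps above (limit the timeframe, scan GET parameters, referer and user agent for SQL statements and common XSS terms) can be scripted. This is an added example, not code from the talk; it assumes Apache's "combined" log format, and the log lines, addresses and rule patterns are constructed for illustration.

```php
<?php
// Added example, not code from the talk. Log lines below are constructed samples.
const RULES = [
    'sql' => '/\b(union\s+(all\s+)?select|select\b.+\bfrom|insert\s+into|drop\s+table)\b/i',
    'xss' => '/<\s*script|<\s*iframe|\bon(click|focus)\s*=/i',
];

// Undo URL encoding repeatedly so double-encoded payloads still match.
function decodeField(string $raw): string
{
    for ($i = 0; $i < 3; $i++) {
        $next = urldecode($raw);
        if ($next === $raw) {
            break;
        }
        $raw = $next;
    }
    return $raw;
}

// Returns one finding per (field, rule) match inside the [$from, $to] window.
function scanLog(array $lines, DateTimeInterface $from, DateTimeInterface $to): array
{
    // Apache "combined" format: host, time, request, status, size, referer, user agent
    $combined = '/^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/';
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match($combined, $line, $m)) {
            continue; // unparsable line: review it by hand
        }
        $when = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
        if ($when === false || $when < $from || $when > $to) {
            continue; // limit the timeframe
        }
        $fields = ['request' => $m[3], 'referer' => $m[5], 'user-agent' => $m[6]];
        foreach ($fields as $name => $raw) {
            $value = decodeField($raw);
            foreach (RULES as $rule => $pattern) {
                if (preg_match($pattern, $value)) {
                    $hits[] = ['when' => $when->format('c'), 'ip' => $m[1], 'status' => (int) $m[4],
                               'rule' => $rule, 'field' => $name, 'value' => $value];
                }
            }
        }
    }
    return $hits;
}

$sample = [
    '192.0.2.10 - - [14/Mar/2008:10:02:11 -0400] "GET /article.php?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [14/Mar/2008:10:05:42 -0400] "GET /article.php?id=12%20union%20select%20database() HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Mar/2008:10:09:03 -0400] "GET /profile.php HTTP/1.1" 200 2048 "http://example.test/?q=%253Cscript%253E" "Mozilla/5.0"',
    '203.0.113.5 - - [13/Mar/2008:23:50:00 -0400] "GET / HTTP/1.1" 200 100 "-" "x onclick=1"',
];
$from = new DateTimeImmutable('2008-03-14 00:00:00 -0400');
$to = new DateTimeImmutable('2008-03-14 23:59:59 -0400');
foreach (scanLog($sample, $from, $to) as $hit) {
    printf("%s %s status=%d %s in %s: %s\n", $hit['when'], $hit['ip'], $hit['status'],
           $hit['rule'], $hit['field'], $hit['value']);
}
```

The status column is kept in each finding because, as the notes say, first attempts tend to fail: a 500 next to a SQL match is a strong lead.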

==Security 2.0==
        - Speaker: Chris Shiflett
        - csrf / xss (cross-site scripting) / 2.0h
        - Book: Essential PHP Security (O'Reilly)
        - web 1.0 vs web 2.0
            - contextual, user collaboration, services, blogs, tagging
            - taxonomy vs folksonomy
        - XSS
            - attacker -input-> target (you / website) -html-> victim
            - stealing cookies
                - document. =
            - stealing form data
                - document.forms[0].action = '..steal.php';
                - using hidden form in a page, using browser auto-fill
                  form function to steal pw
        - FIEO (Filter input, Escape output)
            - input -filter-> business logic -escape-> output
        - CSRF (cross site request forgery)
            - attacker -> victim -> target (you / website)
            - ex: add a tag requesting a URL to buy something
              while a user is logged in
                - could block this by forcing POST request and not
                  accepting GET request
            - ex: using iframe with a form and script
                - script could be;
            - examples—amazon.php; they are fixed but are good examples
                - script  new
            - Anti-CSRF Token
                - $token = md5(uniqid(rand(), TRUE));
                - $_SESSION['token'] = $token;
                - $html['token'] = htmlentities($token, ENT_QUOTES);
                - add input type=hidden name=token, value = echo $html['token']
        - AJAX (Asynchronous JavaScript + XML)
            - Client-side technology/technique that allows two-way
              communication between the client and the server without
              reloading the page.
        - Browser hijacking

==PHP For Polyglots - Web applications and i18n==
        - Speaker: Marc Wandschneider 
        - Powerpoint: 
        - Keynote: 
        - UTF-8
        - PHP
            - Use the mb_ functions for better UTF-8 support (mb_strlen, mb_substr, etc)
            - Use array() for the languages
        - Javascript
            - Use PHP to dump the "translations" in a format supported by Javascript
        - URL
            - Advises, if possible, passing the language in the URL (ex.:
        - Basically, most of his advice is already applied in EspaceCanoë
==Rich desktop application==
        - Speaker: Raphaël Rougeron
        - (talk given in French) Contact him to get his REST
          framework
        - RIA (Rich Internet Application) / RDA (Rich Desktop
        - RIA
            - AJAX libraries
            - XUL + CSS + JS
            - Flash/Flex
            - Silverlight (like flash player)
            - Java applets
        - RDA
            - XulRunner
            - Adobe AIR
            - .NET (WPF)
            - Java Web Start
        - Between the two
            - Google Gears : local storage
            - Prism
        - Adobe AIR
            - Windows and OS X (Linux soon)
            - flash+as or flex+ax or html+css+js
            - WebKit engine
            - audio / video support (flash & h264)
            - supported by jQuery, extjs, dojo, ...
        - XulRunner (XML based User interface Language)
            - Gecko engine
            - XBL: definition of interface components
            - XPCOM: creation of reusable business components in
              JS, C, C++, Python
            - JS API
                - image manipulation
                - file system
                - drag'n drop
            - SongBird, Miro, Joost, webophone, comodo
            - Audio/Video, using a component based on VLC
        - RDA recommendations
            - Activity indicators (loading...)
            - Keyboard shortcut handling
            - Implement copy and paste
            - Button hover
            - Adopt the look & feel of desktop apps
        - AIR vs XULRunner
            - To get started with XULRunner, writing a Firefox
              extension is a good start
        - Client-server relations
            - Simplest usage: REST
                - Resources and URIs
                - GET, POST, PUT, DELETE, HEAD, OPTIONS
                - Status codes: 200 OK, 201 Created, 400 Bad Request,
                - Resource representations: XML, JSON, Atom, RSS,
                  ical, csv...
                - Think resources rather than actions
                    - GET /posts : GET /posts
                    - POST /posts/add : POST /posts
                    - GET /posts/get/123 : GET /posts/123
                - No REST support in Zend (not even ZendRestServer),
                  nor in symfony, cakephp, or CodeIgniter
                - 2 REST frameworks: Konstrukt and tonic
                - his own framework http://
                - Rails 1.2: attempt at a RESTful controller
            - Creation of resources containing the GET, POST,
              PUT, DELETE actions
                - WADL (WSDL for REST)
                - RADAR (Dave Thomas) Rest Application, Dumb-Ass
==PECL: The php language workbench==
        - Sebastian Bergmann
        - PECL: Php Extension C Library
        - php5? pecl? meta programming? aop?
        - PECL has extensions that
            - add normal functionality to php
            - add not so normal
                - operator
                - vld (vulcan logic disassembler)
                - parsekit
                - parse tree
                - runkit
                - intercept
        - Operator overloading
            - about each operator like +, -, *, >>, ...
        - disassembler for php bytecode
            - alias vld="php -dvld.execute=0"
            - //could also look at something named "depends"
        - ext/parsekit
            - parsekit_compile_string()
            - parsekit_compile_file()
        - ext/parse_tree
            - //speaking about code sniff
            - useful for analysis and refactoring of php source code
        - Aspect-oriented programming w php // interlude
            - new modularization concept
                - Quantification
                - Obliviousness
            - aspect, pointcut, around
        - ext/runkit
            - replace, rename and delete classes, methods and functions
              at runtime
            - define additional super-global variables
            - execute code in a sandbox
            - ex: runkit_method_add(...)
            - Generic Aspects for PHP
        - ext/intercept
            - Intercept function calls
            - execution before and after code is executed

==Introduction to PHP 5.3==
        - Ilia Alshanetsky
        - Core PHP developer
        - Adding namespace
            - namespace MY;
            - function MY_wrapper();
            - use MY as MY
            - wrapper()
        - Multiple namespace per file
        - Autoload function
        - Improved performance
            - md5 10-15% better
            - better stack
            - ...
        - Operator ?:
        - __call() equivalent but for static methods
        - late static binding
        - mysqlnd
            - specialized high speed library to interface with MySQL
            - better performance, improved memory usage, ability to
              fetch stats for perf. tuning, built-in driver, no
              PDO_Mysql Support yet
        - .htaccess style ini controls
            - per-directory ini settings inside php.ini
            - improved config error handling
        - Extra OpenSSL Functions
            - openssl_get_md_methods()
            - openssl_digest()
            - openssl_get_cipher_methods()
            - openssl_encrypt()
            - openssl_decrypt()
            - openssl_pkey_new() / openssl_pkey_get_details()
        - SPL Improvements
            - FilesystemIterator
            - GlobIterator
        - Date Extension additions
            - strtotime via date_create_from_format('format','date')
            - returns an object formattable using
            - date_get_last_errors()
                - warning_count
                - warnings
                - error_count
                - errors
        - getopt() improvement
            - native implementation
            - cross-platform support
        - XSLT profiling
            - $xslt = new xsltprocessor();
            - $xslt->importStylesheet($xml);
            - $xslt->setProfiling("/tmp/profile.txt");
            - $xslt->transform...
        - E_DEPRECATED
        - Garbage collector
            - gc_enable()
            - var_dump(gc_enabled())
            - var_dump(gc_collect_cycles())
            - gc_disable()
        - Miscellaneous
            - SQLite upgraded to 3.5.6
            - 40 bug fixes
            - CGI/FastCGI SAPI Improvement
            - stream improvements

=Day 2 - Friday=
==API Design==
        - David Sklar
        - PHP API - REST API
            - XN_Content example
                - $dinner = XN_Content::create('Meal');
                - $dinner->title = 'Salt baked combo';
                - $dinner->save();
                - gives
                - POST /xn/atom/1.0/content
                - Content-Type: text/xml; charset=UTF-8
        - Design priorities
            - promote predictability, modularity, stability
            - choose human performance over computer performance
            - make efficiency easy, make inefficiency hard/impossible
        - At the start
            - write code before you write the API
            - use cases, use cases, use cases
            - Names matter (but don't discuss them forever)
        - Use the API before it exists
            - sketch out what you want to do
        - Use cases first
            - what does the API need to do (not what it could do)
            - Need-Driven Development
                - adding is easy, removing is hard
                - you have a lot of freedom with arguments
                - accessors provide insulation
        - long parameter lists are toxic
        - static n dynamic analysis
            - find + grep
        - XN_Event
            - before and after events.
        - Names
            - at Ning, adding XN means "hands off"
                - class names
                - property names
                - xml namespace prefixes
        - Documentation: docblocks: Yay! and Boo!
            - phpdocumentor, doxygen
        - Avoiding attribute naming conflict between system attr. and
          user attr.
            - content->title and content->my_attrib YES!
            - content->xn_title and content->attrib YES!
            - content[title] and content->attrib NO! (not mixing up
        - Testing and code coverage
            - contract with user is the test suite
            - "The extent of your test suite is the strength of your
              contract with your users"
            - SimpleTest—simple_test.php and PHPUnit
        - To keep in mind
            - Lean towards use cases rather than unconstrained
            - naming, versioning and documentation are not afterthoughts
            - test suite code coverage is all you have to guarantee
              backwards compatibility

==Security from the Database Perspective==
        - Morgan Tocker 
        - Security is a process not a product,
        - Some of the problems
            - sql injection
                - The application does not check input data before
                  passing it on to the database
                - magic_quotes
                - mysql_real_escape_string()
                    - integer based injection
                    - multibyte character
                        - in GBK 0xbf27 becomes garbage+quote in single
                          byte charset.
                - bypass login, change data, send email or exec system
                  cmd, ....
                - .... and I=0 union select database()
                - ... and i=0 union select ....
                - ... or ''=''
            - denial of service
                - execute a long select... that locks the database
                - Deep search result
                    - limit to the first N hundreds
                - log the queries (log-slow, log-query, log-query not
                  using indexes)
                - build application that could handle failure of
                  queries and retry
                - email yourself alerts by monitoring the SHOW
            - running with higher privileges than required
                - LOAD DATA LOCAL INFILE feature
                    - potential load in /etc/passwd if running as root
                - SHOW GRANTS
                - SHOW GRANTS for 'morgo'@'hostname'
                - modify mysql.user and FLUSH to update
                  TEMPORARY TABLES ON database.table TO
                  'username'@'host' IDENTIFIED BY 'password'
                - avoid wildcard for access
                - connection pooling issues
                    - opened transaction not freed
                    - temporary tables created not freed
                    - session variables not freed
                    - prepared statements not freed
                - set sql_log_bin=0; delete from..
            - both in operating system and in mysql
            - exposing the database server on 3306
                - see --bind-address= and --skip-networking
                - watch out for potentially expensive reverse lookups
            - Others ideas
                - Intentionally corrupting masters or slaves (proof of
                - delete from users where user_id = 1 and @@server_id=2
                - delete from users where user_id = 1 and @@server_id =
        - Defenses
            - Correctly escape data (mysql_real_escape_string and type
              checking for integers)
            - potentially use prepared statements
            - see mysql_secure_installation
            - set root password
            - remove anonymous users
            - disallow root remote login
            - remove test database and access to it
            - tmp_table_size, max_heap_table_size : use low session
              based buffers values
            - set user limits within users to parts of the application
            - max user connections (max conn per hour, max queries per
            - limit max_join_size to prevent cartesian products
            - sql_mode
            - use md5() or sha1() to store password
            - secure/encrypt your backups
            - prepare to change connect(..) pw in case of a leak
            - 32-bit hardware allows 2.2-2.7G handling and crashes after that
            - no on the fly encryption, use AES encrypt/decrypt within
            - using stored procedures and/or views
                - adjust permissions to sp or v
                - using that solution, doesn't support debugging or
                  other languages than SQL
            - could check at mysql proxy (new product)
                - overhead select 1
                - performance issues could come on longer statements as
                  they should be completely received before being passed to
                  the server
                - could be used to rewrite queries or manipulate them
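
Why the notes pair escaping with "type checking for integers" and prepared statements: an integer-based injection needs no quote, so quote escaping alone has nothing to act on. This is an added example, not code from the talk; in-memory SQLite stands in for MySQL, `escapeQuotes()` is a hypothetical stand-in for `mysql_real_escape_string()`, and the table, rows and inputs are constructed.

```php
<?php
// Added example, not from the talk. In-memory SQLite stands in for MySQL so the
// script runs offline (needs pdo_sqlite); the table and its rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'admin'), (2, 'morgo'), (3, 'guest')");

// Stand-in for mysql_real_escape_string(): it only neutralises quote characters.
function escapeQuotes(string $value): string
{
    return str_replace("'", "''", $value);
}

// Vulnerable: the escaped value lands in a numeric context, outside any quotes.
function findUserEscaped(PDO $db, string $id): array
{
    $sql = 'SELECT username FROM users WHERE user_id = ' . escapeQuotes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Defense: type checking for integers before the value reaches the SQL text.
function findUserTypeChecked(PDO $db, string $id): array
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        return []; // not a positive integer: refuse to query
    }
    return $db->query('SELECT username FROM users WHERE user_id = ' . $n)->fetchAll(PDO::FETCH_COLUMN);
}

// Defense: prepared statement, the value is bound and never parsed as SQL.
function findUserPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT username FROM users WHERE user_id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// '2' is a normal request; the second input is a constructed hostile value that
// contains no quote character, so the escaper leaves it unchanged.
foreach (['2', '0 OR 1=1'] as $input) {
    foreach (['findUserEscaped', 'findUserTypeChecked', 'findUserPrepared'] as $fn) {
        printf("%-10s %-20s %s\n", $input, $fn, json_encode($fn($db, $input)));
    }
}
```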

==RIA With open standards==
        - jeff griffiths, ActiveState
        - RIA is a slippery buzzword
        - showing Desktop application examples
            - songbird
            - joost
        - Why should we care
            - PHP is the dominant back-end application server
            - Even pure back-end application design should pay
              attention to RIA application design
            - RIA is the future or something
        - Components of RIA
            - Server Back-end (php mysql apache)
            - application layer
            - multi-media run-time of some sort
        - Server Side
            - php and similar lead devl.
        - Application Layer
            - XML/HTML ui layer
            - JavaScript/ActionScript scripting layer (js functional
              language vs php procedural/object language)
            - Styling / presentation layer
        - Reason to choose web standards
            - graceful degradation instead of a 'please
              download/upgrade flash' link
            - powerful new javascript tools and libraries like extjs,
              yui, jquery
            - great opensource developer tools
            - maintain a consistent code base in one set of
              technologies instead of having to maintain multiple
              front-ends in different technologies
        - tools for open standards
            - firebug for firefox
            - IE8 apparently has a firebug clone
            - opensource ide support from aptana and activestate komodo
        - Multi-media
            - common ability for an RIA is to display streaming audio
              and video
            - the ubiquity of the flash runtime in mainstream browsers
              makes it the default, and currently most pragmatic choice
            - The plugin problem
                - Multimedia on the web is a hack; it is netscape's
                  fault for not implementing audio/video native from
                  the beginning.
                - Finally, the mere benefit of audio/video handling is
                  not a sufficient reason to encapsulate your
                  application inside a black box runtime.  Yet audio
                  and video streaming are the main use of Flash on the
                - challenges
                    - flash and flex have a great story currently for
                      mainstream browser support
                    - The iphone thing
                        - Steve Jobs said that flash is too slow for
                          the iphone
                        - essentially eliminates a pure flash solution
                          for many mobile users
                        - the iphone user base is a disproportionately
                          important market
                    - Macromedia/adobe has been able to fatten flash
                      for years thanks to Moore's law
                    - Moore's law does not apply to mobile devices
                    - flash will have to get faster, not more complex
                    - youtube doesn't use animation features anyway
            - alternatives
                - HTML5 spec introduces the