× {{alert.msg}} Never ask again
Receive New Tutorials
GET IT FREE

Q&A With PHP Security Expert Ben Edmunds

– {{showDate(postTime)}}
Codementor PHP Expert and Book Author Ben Edmunds


Codementor PHP Expert Ben Edmunds joined us for Office Hours to share his experience on building secure applications, and he also took the time to answer some of the questions asked by our viewers.

The text below is a summary done by the Codementor team and may vary from the original video and if you see any issues, please let us know!


 

Do You have Any Security Advice for Developing with Laravel?

For the most part, laravel handles most of the security for you. It’s usually pretty transparent—when you save to the database, laravel is going to automatically escape things unless you use straight up queries. If you use the query function, you’re building security by yourself and then you’d have to think about the security issue.

In example, if you’re using blade, you have the double curly to echo out your variables. There’s also the triple curly which will escape output for you when you display them back out. Thus, I’d recommend you’d use triple curlies in your blade views.

Other than that, there is not much I can advise. You have the built in application class in laravel that handles the password hashing and verification for you, and there are several good libraries for passwords, login, and authentication. Their docs might be a little lacking, but the code itself is good and well-maintained.

How to Prevent Forms from Submitting Twice when a User Reloads the Page?

A CSRF token will handle this issue for you. If you have a check on the form, the token will stop the user from submitting twice without reloading the form before, since it will be a one-time use token.

Another way to prevent people from accidentally submitting twice is to simply gray out the button with javascript once the user clicks on it. This method is not for security reasons but rather for user experience, as it will help users understand the page is loading and they won’t have to click again to end up seeing your one-time use token error.

What are Your Thoughts on Security through Obscurity?

I don’t recommend it as a valid security tactic, since you should always be secure without it. However, I also don’t recommend against it, since it can make your life easier for protecting data that’s not super sensitive, but the data still shouldn’t be guessed. For example, if you’re uploading files that are not super sensitive, you still wouldn’t want someone to be able to type in the next integer and see the next file that was uploaded. Ideally, you’d want to have an access control on that where only those who should see the files can see them. A lot of sites will just use some random hash for their ID parameter so others can’t just guess through the data, and although it’s not super secure, people still won’t able to watch the uploading happen live or scrape your site. If a content heavy site merely uses ID integers, it would be super easy to scrape that site.


Other posts in this series with Ben Edmunds:

Ben Edmunds

Need Ben’s help? Book a 1-on-1 session!

or join us as an expert mentor!



Author
Ben Edmunds
Ben Edmunds
active leader, developer, and speaker in various development communities. PHP/JS expert.
Ben Edmunds leads development teams to create cutting-edge web and mobile applications. He is an active leader, developer, and speaker in various development communities, especially the CodeIgniter...
Hire the Author

Questions about this tutorial?  Get Live 1:1 help from PHP experts!
Solomon Kingsley
Solomon Kingsley
4.9
Experienced Software Engineer
I am an experienced full-stack software developer, with years of experience working with HTML5/CSS3. I've built scalable applications that support...
Hire this Expert
Ricardo
Ricardo
5.0
Senior Software Engineer
Software engineer with 13+ years of professional experience. If you have a problem feel free to contact me, I always go above and beyond to try to...
Hire this Expert

Or Become a Codementor!

Live 1:1 help from expert developers

Codementor is your live 1:1 expert mentor helping you in real time.

comments powered by Disqus