Q&A With PHP Security Expert Ben Edmunds
Codementor PHP Expert Ben Edmunds joined us for Office Hours to share his experience on building secure applications, and he also took the time to answer some of the questions asked by our viewers.
The text below is a summary written by the Codementor team and may vary from the original video; if you see any issues, please let us know!
Do You have Any Security Advice for Developing with Laravel?
For the most part, Laravel handles most of the security for you. It’s usually pretty transparent—when you save to the database, Laravel is going to automatically escape things unless you use straight-up queries. If you use the query function, you’re building security by yourself and then you’d have to think about the security issue.
For example, if you’re using Blade, you have the double curly to echo out your variables. There’s also the triple curly which will escape output for you when you display them back out. Thus, I’d recommend you use triple curlies in your Blade views.
Other than that, there is not much I can advise. You have the built-in application class in Laravel that handles the password hashing and verification for you, and there are several good libraries for passwords, login, and authentication. Their docs might be a little lacking, but the code itself is good and well-maintained.
How to Prevent Forms from Submitting Twice when a User Reloads the Page?
A CSRF token will handle this issue for you. If you have a check on the form, the token will stop the user from submitting twice without reloading the form before, since it will be a one-time use token.
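The one-time token described in this answer, as an added example that is not part of the Q&A or of any framework: the class name, method names and the array standing in for `$_SESSION` are assumptions made here so the script runs from the CLI.

```php
<?php
declare(strict_types=1);
// Added example, not from the Q&A: a one-time CSRF token that also rejects the
// duplicate POST a browser sends when the user reloads the result page.
// The session is a plain array (assumed stand-in for $_SESSION) so this runs from the CLI.

final class OneTimeCsrfToken
{
    private const KEY = 'csrf_tokens';
    private array $session;

    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    // Called when the form is rendered: mint a random token and store it per form.
    public function issue(string $formId): string
    {
        $token = bin2hex(random_bytes(32));
        $this->session[self::KEY][$formId] = $token;
        return $token;
    }

    // Called on POST: discard the stored token first, then compare in constant time,
    // so the same value can never be accepted a second time.
    public function consume(string $formId, ?string $submitted): bool
    {
        $expected = $this->session[self::KEY][$formId] ?? null;
        unset($this->session[self::KEY][$formId]);
        if ($expected === null || $submitted === null) {
            return false;
        }
        return hash_equals($expected, $submitted);
    }
}

// Constructed request sequence standing in for real HTTP traffic.
$session = [];
$csrf = new OneTimeCsrfToken($session);

$token = $csrf->issue('comment-form');
// The token travels in a hidden field; escape it like any other output.
echo '<input type="hidden" name="_token" value="'
    . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">', PHP_EOL;

$first  = $csrf->consume('comment-form', $token);   // original submission
$reload = $csrf->consume('comment-form', $token);   // same token re-sent by a reload
$forged = $csrf->consume('comment-form', 'guess');  // value that was never issued
var_dump($first, $reload, $forged);
```

Run `consume()` before performing the form's action, and issue a fresh token whenever the form is rendered again, so a rejected submission leaves the user with a working form rather than a dead one.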
What are Your Thoughts on Security through Obscurity?
I don’t recommend it as a valid security tactic, since you should always be secure without it. However, I also don’t recommend against it, since it can make your life easier for protecting data that’s not super sensitive, but the data still shouldn’t be guessed. For example, if you’re uploading files that are not super sensitive, you still wouldn’t want someone to be able to type in the next integer and see the next file that was uploaded. Ideally, you’d want to have an access control on that where only those who should see the files can see them. A lot of sites will just use some random hash for their ID parameter so others can’t just guess through the data, and although it’s not super secure, people still won’t be able to watch the uploading happen live or scrape your site. If a content-heavy site merely uses ID integers, it would be super easy to scrape that site.