The slides from PHP|Tek are now up. The Security Tutorial slides can be found here and the PDO Introduction slides can be found here. To everyone who attended, thank you for listening; hopefully at least a bit of the content was interesting and useful.
Nice slides but I thought I'd raise the following points:
* hiding your database connection settings in the environment or PHP configuration is all for nothing if you manage to inject a phpinfo() statement
* it's probably also worth mentioning that you shouldn't leave a phpinfo()-style page on a live server, particularly on a URL like /phpinfo.php
* security by obscurity seems an odd note to end on. Defence in depth, yes, but obscurity? Take the "don't use an obvious URL for admin functions": I think you have to assume admin URLs will leak. In fact, it's best to regard any URL a browser will see as something that Google might get wind of and index!
I used to use a large UK ISP, who generated print invoices from a webpage. They included the URL on them. I tried the URL and found that not only was it accessible, I could play around with the parameters and view invoices for other customers and even generate new invoices. I alerted them and closed my account
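The invoice story above is a textbook missing-authorisation bug: the page checks that an invoice id is well-formed but never that it belongs to the logged-in customer. The following is an added illustration, not the ISP's code or the slides' code; it assumes an existing PDO connection in `$pdo`, a table `invoices(id, customer_id, ...)`, and the authenticated customer's id stored in `$_SESSION['customer_id']`.

```php
<?php
// Added illustration (not the ISP's code). Assumptions: a PDO handle $pdo,
// a table invoices(id, customer_id, ...), and $_SESSION['customer_id'] set
// by the login code.
declare(strict_types=1);
session_start();

function fetchInvoiceInsecure(PDO $pdo, string $id): ?array
{
    // Parameterised, so no SQL injection, but ANY logged-in customer can read
    // ANY invoice simply by changing the id in the URL.
    $stmt = $pdo->prepare('SELECT * FROM invoices WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

function fetchInvoiceSecure(PDO $pdo, string $id, int $customerId): ?array
{
    // Ownership is part of the query: a row only comes back when the invoice
    // belongs to the authenticated customer, so guessed ids yield "not found".
    $stmt = $pdo->prepare(
        'SELECT * FROM invoices WHERE id = ? AND customer_id = ?'
    );
    $stmt->execute([$id, $customerId]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

if (empty($_SESSION['customer_id'])) {
    http_response_code(401);
    exit('Login required');
}

$id = $_GET['id'] ?? '';
if (!ctype_digit($id)) {
    http_response_code(400);
    exit('Bad invoice id');
}

$invoice = fetchInvoiceSecure($pdo, $id, (int) $_SESSION['customer_id']);
if ($invoice === null) {
    // Same response whether the invoice does not exist or belongs to someone
    // else, so the endpoint cannot be used to enumerate other customers' ids.
    http_response_code(404);
    exit('No such invoice');
}
// ... render $invoice ...
```

The secure variant deliberately returns 404 for both "does not exist" and "not yours", so that the endpoint does not confirm which ids are valid. Anything that creates an invoice should additionally be a POST with a CSRF token, not a GET that can be triggered by following a link.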
Well, the idea behind obscurity is not to solve security problems, merely to delay the hacker by making things different from usual. This is particularly effective against worms and automated tools that look for similarities and use them to determine problems.
The phpinfo() page is a debugging tool, so exposing it to the world is not a particularly good idea unless it is protected in some way (like HTTP auth, for example). So, you are absolutely right in that respect; furthermore, earlier versions of PHP had a number of XSS issues in this page, which further adds to its danger.
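If a phpinfo() page has to exist on a live server at all, it should at least be gated the way the reply suggests. The following is an added example, not code from the slides: it puts phpinfo() behind HTTP Basic auth over HTTPS only, reads the credentials from hypothetical environment variables `PHPINFO_USER` and `PHPINFO_PASS` (the latter a `password_hash()` string), and, to address the first comment's point, omits the sections of phpinfo() output that would dump the environment and request variables back to the caller.

```php
<?php
// Added example, not from the slides. Assumed environment variables:
//   PHPINFO_USER  - expected username
//   PHPINFO_PASS  - password_hash() string for the expected password
declare(strict_types=1);

function diagAuthorised(array $server, string $expectedUser, string $passwordHash): bool
{
    $user = $server['PHP_AUTH_USER'] ?? '';
    $pass = $server['PHP_AUTH_PW'] ?? '';
    // hash_equals() is a constant-time string compare; password_verify()
    // does its own constant-time comparison of the hash.
    return hash_equals($expectedUser, $user) && password_verify($pass, $passwordHash);
}

$expectedUser = getenv('PHPINFO_USER') ?: '';
$passwordHash = getenv('PHPINFO_PASS') ?: '';

// Basic auth only base64-encodes the password, so never serve this over plain HTTP.
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    http_response_code(403);
    exit('HTTPS required');
}

// Fail closed: if the credentials were never configured, nobody gets in.
if ($expectedUser === '' || $passwordHash === ''
    || !diagAuthorised($_SERVER, $expectedUser, $passwordHash)) {
    header('WWW-Authenticate: Basic realm="diagnostics"');
    http_response_code(401);
    exit('Authentication required');
}

// phpinfo() with no argument prints $_ENV and $_SERVER, which would expose the
// very settings (DB credentials, PHPINFO_PASS) the environment was meant to hide.
// Leaving out INFO_ENVIRONMENT and INFO_VARIABLES keeps those out of the output.
phpinfo(INFO_GENERAL | INFO_CONFIGURATION | INFO_MODULES);
```

Even with the gate in place, the page is best given a non-guessable name and removed once the debugging is done; the auth is the control, the odd name is only the delay the reply describes.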
Can you create PDFs without those background images? Unless there's a way to disable background printing in PDF, the printout is very unreadable in b/w and it wastes black ink for nothing. Thanks!