Presentation I delivered on 27-MAY-2015 at the Boston PHP meetup (http://www.meetup.com/bostonphp/) for month 5 of the 200 Days of Code (http://200doc.org/) beginner track.

1. Chapters 12, 13, 14
Ryne McCall

2. (a little) Security
Regular expressions
Unicode (maybe)

3. Security

4. Security
spectrum
more
secure
more
usable

5. Security ==
Laziness

6. OWASP top ten
• A1-Injection
• A2-Broken Authentication and Session Management
• A3-Cross-Site Scripting (XSS)
• A4-Insecure Direct Object References
• A5-Security Misconfiguration
• A6-Sensitive Data Exposure
• A7-Missing Function Level Access Control
• A8-Cross-Site Request Forgery (CSRF)
• A9-Using Components with Known Vulnerabilities
• A10-Unvalidated Redirects and Forwards

7. OWASP PHP
cheat sheet [link]

8. Regular expressions

9. Agenda
• What are they?
• Best practices
• Problems

10. History

11. –Larry Wall
“...we saw how everyone borrowed Perl
5 compatible regular expressions, and
we figured - well, you know, they're a
real big mess, and we're sorry, but
we're changing them now, now that
you've just borrowed them.”

12. What are they?

13. PCRE functions• preg_filter — Perform a regular expression search and replace
• preg_grep — Return array entries that match the pattern
• preg_last_error — Returns the error code of the last PCRE regex
execution
• preg_match_all — Perform a global regular expression match
• preg_match — Perform a regular expression match
• preg_quote — Quote regular expression characters
• preg_replace_callback — Perform a regular expression search and
replace using a callback
• preg_replace — Perform a regular expression search and replace
• preg_split — Split string by a regular expression

14. PCRE functions• preg_filter — Perform a regular expression search and replace
• preg_grep — Return array entries that match the pattern
• preg_last_error — Returns the error code of the last PCRE regex
execution
• preg_match_all — Perform a global regular expression match
• preg_match — Perform a regular expression match
• preg_quote — Quote regular expression characters
• preg_replace_callback — Perform a regular expression search and
replace using a callback
• preg_replace — Perform a regular expression search and replace
• preg_split — Split string by a regular expression

15. preg_match
int preg_match (
string $pattern ,
string $subject
[, array &$matches]
)

16. /………/

17. /………/

18. /app/
A. foo
B. bar
C. apple
D. app

19. /app/
A. foo
B. bar
C. apple
D. app

20. /a|b/
A. a
B. b
C. ab
D. x

21. /a|b/
A. a
B. b
C. ab
D. x

22. /a+/
A. a
B. aaa
C. baaab
D. b

23. /a+/
A. a
B. aaa
C. baaab
D. b

24. /a*/
A. a
B. aaa
C. baaab
D. b

25. /a*/
A. a
B. aaa
C. baaab
D. b

26. /^app$/
A. foo
B. bar
C. apple
D. app

27. /^app$/
A. foo
B. bar
C. apple
D. app

28. /^ab?c$/
A. aac
B. abc
C. ac
D. acc

29. /^ab?c$/
A. aac
B. abc
C. ac
D. acc

30. /^a.c$/
A. aac
B. abc
C. ac
D. acc

31. /^a.c$/
A. aac
B. abc
C. ac
D. acc

32. /^(?!(?:(?:x22?x5C[x00-
x7E]x22?)|(?:x22?[^x5Cx22]x22?)){255,})(?!(?:(?:x22?x5C[x00-
x7E]x22?)|(?:x22?[^x5Cx22]x22?)){65,}@)(?:(?:[x21x23-
x27x2Ax2Bx2Dx2F-x39x3Dx3Fx5E-x7E]+)|(?:x2 2(?:[x01-
x08x0Bx0Cx0E-x1Fx21x23-x5Bx5D-x7F]|(?:x5C[x00-
x7F]))*x22))(?:.(?:(?:[x21x23-x27x2Ax2Bx2Dx2F-x39x3Dx3Fx5E-
x7E]+)|(?:x22(?:[x01-x08x0Bx0Cx0E-x1Fx21x23-x5Bx5D-
x7F]|(?:x5C[x00- x7F]))*x22)))*@(?:(?:(?!.*[^.]{64,})(?:(?:(?:xn--)?[a-z0-
9]+(?:-+[a-z0-9]+)*.){1,126}){1,}(?:(?:[a-z][a-z0-9]*)|(?:(?:xn--)[a-z0-9]+))(?:-+[a-z0-
9]+)*)|(?:[(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){7})|(?:(?!(?:.*[a-f0-
9][:]]){7,})(?:[a-f0-9]{1,4}(?: :[a-f0-9]{1,4}){0,5})?::(?:[a-f0-9]{1,4}(?::[a-f0-
9]{1,4}){0,5})?)))|(?:(?:IPv6:(?:(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){5}:)|(?:(?!(?:.*[a-f0-
9]:){5,})(?:[a-f0-9]{1,4}(?::[a-f0-9]{1,4}){0,3})?::(?:[a-f0-9]{1,4}(?::[a-f0-
9]{1,4}){0,3}:)?)))?(?:(?:25[0-5])|(?:2[0-4][0-9 ])|(?:1[0-9]{2})|(?:[1-9]?[0-
9]))(?:.(?:(?:25[0-5])|(?:2[0-4][0-9])|(?:1[0-9]{2})|(?:[1-9]?[0-9]))){3}))]))$/iD

33. /[[:alpha:]]/ or /[A-Za-z]/
A. a
B. b
C. c
D. -

34. /[[:alpha:]]/ or /[A-Za-z]/
A. a
B. b
C. c
D. -

35. /^[[:alpha:]]+d*$/
A. abc123
B. a
C. ~abc123~
D. 123abc

36. /^[[:alpha:]]+d*$/
A. abc123
B. a
C. ~abc123~
D. 123abc

37. /a{2,4}/
A. a
B. aa
C. aaaa
D. b

38. /a{2,4}/
A. a
B. aa
C. aaaa
D. b

39. /^([[:alpha:]]d)+[[:alpha:]]*$/
A. a0
B. a0xyz
C. 0a1b
D. a0b1xyz

40. /^([[:alpha:]]d)+[[:alpha:]]*$/
A. a0
B. a0xyz
C. 0a1b
D. a0b1xyz

41. /(d{3})-(d{3})-(d{4})/

42. Best practices

43. – Jamie Zawinski
“Some people, when
confronted with a problem,
think "I know, I'll use regular
expressions." Now they have
two problems.”

44. /good text/
A. good text; evil text
B. evil text good text
C. good text'; evil text
D. good text

45. /good text/
A. good text; evil text
B. evil text good text
C. good text'; evil text
D. good text

46. phone-number.php

47. Problems

48. Thanks