This is an iterative workshop/tutorial explaining PHP security. It is divided into multiple modules, each of which is a standalone lesson from a three-hour workshop documented in [these slides].
Each module is broken into two directories:
- `/server` - The actual PHP server, runnable with `php -S localhost:8888 -t module-N/server`
- `/client` - A command-line client, also written in PHP, which interacts with the server component.
Composer dependencies are bundled in the repository to make it easier to clone the project and get started. If for any reason you want to update your dependencies, do so with `composer update`.
The first step is to install the Composer dependencies by running `composer install` in the root directory of the tutorial.
The modules themselves are self-contained and share their dependencies.
Each lesson is built to cover a specific topic regarding PHP security. As such, there are several placeholder `@TODO`s throughout the code that are meant for you to complete. Each is documented, explaining what you are expected to do to complete the task.
The lessons are structured into the following modules:
module-1
- `.env` files
- Flat configuration files
module-2
- Password management
- Password storage
- Password hashing
module-3
- PHP session configuration
module-4
- Input validation
- Output sanitization
module-5
- File encryption
- Database encryption
- Blind indices