WEBVTT 1 00:00:00.040 --> 00:00:03.680 All right, everyone get ready because today we are going 2 00:00:03.759 --> 00:00:06.719 deep on secure PHP applications. 3 00:00:06.839 --> 00:00:08.439 Oh yeah, this is going to be fair. 4 00:00:08.480 --> 00:00:10.679 We've got a ton of resources to pull from, we do. 5 00:00:11.480 --> 00:00:13.359 But I think the highlight is going to be this 6 00:00:13.480 --> 00:00:16.719 excerpt from a book, Oh for Sure, by Mohammed Jacobeir. 7 00:00:16.839 --> 00:00:19.280 He's great who is not only a developer but also 8 00:00:19.320 --> 00:00:20.160 a security expert. 9 00:00:20.280 --> 00:00:22.239 Yeah, he approaches it from both sides. 10 00:00:22.000 --> 00:00:24.039 Exactly, and I think that's what's so interesting about his 11 00:00:24.120 --> 00:00:27.440 perspective on this. Absolutely, And in the preface he makes 12 00:00:27.480 --> 00:00:30.199 it pretty clear that this book is for developers who 13 00:00:30.239 --> 00:00:32.840 are ready to seriously step up their game. 14 00:00:32.960 --> 00:00:34.880 Yeah, you really got to be ready to dive in. 15 00:00:35.079 --> 00:00:35.240 Right. 16 00:00:35.359 --> 00:00:36.399 It's not for beginners. 17 00:00:36.520 --> 00:00:38.640 No, this is not PHP one on one, definitely not. 18 00:00:39.079 --> 00:00:42.399 But you know what, even if you're not a hardcore coder, Yeah, 19 00:00:42.439 --> 00:00:44.439 I think there's a lot to learn here, for sure 20 00:00:44.479 --> 00:00:47.359 about just the mindset of software security. 21 00:00:47.600 --> 00:00:48.359 Absolutely. 22 00:00:48.640 --> 00:00:50.560 So what really jumped out at you for the preface? 23 00:00:51.000 --> 00:00:53.560 You know what I thought was interesting? What's that he 24 00:00:53.600 --> 00:00:56.560 doesn't waste any time? Oh yeah, he goes straight into 25 00:00:56.600 --> 00:00:59.079 the risks, no sugarcoating. 26 00:00:58.520 --> 00:01:01.200 No, he's like, look, there threats out there. 27 00:01:01.039 --> 00:01:03.359 Here, They are. Let's get real right into it. Yeah, 28 00:01:03.399 --> 00:01:05.680 So to illustrate this, he brings up this example script. 29 00:01:05.719 --> 00:01:09.799 Oh yeah, called bad Who's dot php ye, And it's, 30 00:01:09.840 --> 00:01:12.439 you know, on the surface, it seems like harmless enough. 31 00:01:12.640 --> 00:01:15.040 It's for looking up domain information. 32 00:01:14.760 --> 00:01:16.840 Right exactly, that's what it sounds like. 33 00:01:16.920 --> 00:01:20.040 But then he shows how a hacker, Oh yeah, this 34 00:01:20.159 --> 00:01:23.280 is the good part could actually use this script to 35 00:01:23.560 --> 00:01:25.959 access sensitive system files. 36 00:01:26.680 --> 00:01:28.079 Yeah, if you're not careful, if. 37 00:01:28.040 --> 00:01:30.359 The input isn't validated properly. 38 00:01:30.079 --> 00:01:31.760 If you don't check who's at the door. 39 00:01:31.920 --> 00:01:32.920 That's a great analogy. 40 00:01:32.959 --> 00:01:35.840 It's like a bouncer at a club just letting anyone in, 41 00:01:36.599 --> 00:01:38.799 not even checking IDs. You can't do that. 42 00:01:38.959 --> 00:01:39.719 Big problem. 43 00:01:39.840 --> 00:01:40.120 Huge. 44 00:01:40.519 --> 00:01:44.159 So the book really emphasizes this concept of input validation. 45 00:01:44.599 --> 00:01:47.439 Oh it's so important, and you know, it gets into 46 00:01:47.480 --> 00:01:52.280 the nitty gritty of using functions like is numeric. 47 00:01:52.280 --> 00:01:54.560 Is in to check if it's really a number. 48 00:01:54.439 --> 00:01:56.640 Making sure that the data is what it claims to be. 49 00:01:56.920 --> 00:01:59.040 And it goes even further. Yeah, it shows how to 50 00:01:59.079 --> 00:02:03.840 create like custom functions. Oh wow, for specific types of data, 51 00:02:04.079 --> 00:02:05.400 what like email addresses? 52 00:02:05.519 --> 00:02:09.719 Oh right, so you can zip code validate that. That's cool. 53 00:02:09.759 --> 00:02:13.360 So you're not just limited to these built in PHP functions, right. 54 00:02:13.240 --> 00:02:16.000 You can really tailor it to your needs exactly right, 55 00:02:16.000 --> 00:02:16.479 It's smart. 56 00:02:16.520 --> 00:02:18.520 And then they take it another step further. Hey, do 57 00:02:18.599 --> 00:02:23.560 they introduce this data validator class okay, which basically streamlines 58 00:02:23.639 --> 00:02:26.080 the process of validating multiple fields. 59 00:02:26.120 --> 00:02:27.680 Oh wow, so you don't have to do it all 60 00:02:27.800 --> 00:02:29.120 all at once. Individual. 61 00:02:29.360 --> 00:02:31.319 It's like having a whole team of bouncers. I like 62 00:02:31.360 --> 00:02:34.840 that analogy, each with their own expertise, checking IDs, looking 63 00:02:34.840 --> 00:02:36.280 for fake names, whatever it might be. 64 00:02:36.479 --> 00:02:37.240 Got the whole team. 65 00:02:37.280 --> 00:02:38.240 You've got a whole system. 66 00:02:38.360 --> 00:02:39.159 Yeah, that's cool. 67 00:02:39.319 --> 00:02:43.560 So we've talked about the dangers of bad input, right, 68 00:02:44.159 --> 00:02:48.280 but how do we actually write secure code? 69 00:02:48.479 --> 00:02:49.479 That's the big question? 70 00:02:49.759 --> 00:02:52.520 Right? And so Kabir dies into a whole section on 71 00:02:52.599 --> 00:02:55.039 best practices, and one that really stood out to me 72 00:02:55.520 --> 00:02:59.479 was the emphasis on using meaningful names. 73 00:02:59.680 --> 00:03:00.639 For your variables. 74 00:03:00.960 --> 00:03:03.960 Yes, for variables and functions. Yeah, and I know this 75 00:03:04.120 --> 00:03:07.319 might seem kind of basic. It does, but it's actually 76 00:03:07.360 --> 00:03:11.159 really crucial for reability yeah and surprisingly security. 77 00:03:11.479 --> 00:03:12.840 Really why is that? 78 00:03:13.000 --> 00:03:16.000 Well, think about it, Okay, if you have a variable 79 00:03:16.080 --> 00:03:17.479 name six dollars. 80 00:03:17.199 --> 00:03:18.560 Yeah, just six dollars, you have. 81 00:03:18.520 --> 00:03:21.319 No idea what it represents, right, it could be anything, 82 00:03:21.639 --> 00:03:22.840 and that can lead to errors. 83 00:03:23.080 --> 00:03:26.120 Oh yeah, you can mix things up big time for sure. 84 00:03:26.199 --> 00:03:29.120 It's like, imagine you're in the kitchen. Okay, you're cooking. 85 00:03:29.199 --> 00:03:31.479 I love to cook, and all your spices are just 86 00:03:31.520 --> 00:03:35.520 in unlabeled jars. Oh no, you don't know what's what. 87 00:03:35.800 --> 00:03:37.280 You're gonna mess up the recipe. 88 00:03:37.319 --> 00:03:39.960 You gotta put cayenne pepper in your cookies instead of cinnamon. 89 00:03:40.039 --> 00:03:42.719 Oh that would be bad, not good, not good at all. 90 00:03:43.000 --> 00:03:46.639 So the book really emphasizes using clear variable names, right 91 00:03:46.840 --> 00:03:50.560 like template dr oh so instantly, No, yeah, what it is, 92 00:03:50.599 --> 00:03:52.639 that's what that variable hole. It makes sense, and it 93 00:03:52.639 --> 00:03:56.120 takes it a step further recommending all caps for constants. 94 00:03:56.360 --> 00:03:58.120 Oh interesting, I haven't seen that before. 95 00:03:58.240 --> 00:04:01.360 It's a nice visual cue. So it's like it helps 96 00:04:01.360 --> 00:04:03.080 you just distinguish. 97 00:04:02.560 --> 00:04:04.039 Them from regular variables. 98 00:04:04.319 --> 00:04:07.240 Right, So if you see templa diers all caps, you know, 99 00:04:07.879 --> 00:04:10.319 you know it's going to point to the same location throughout. 100 00:04:10.080 --> 00:04:10.919 The whole application. 101 00:04:11.199 --> 00:04:13.719 Yeah, that's smart. So far, so good. 102 00:04:13.800 --> 00:04:14.520 Yeah, this is great. 103 00:04:14.560 --> 00:04:16.639 We've covered a lot of ground we have. But I 104 00:04:16.639 --> 00:04:19.680 think what's really cool is that Kabir goes beyond just 105 00:04:19.800 --> 00:04:23.079 individual scripts. Oh yeah, he actually shows you how to 106 00:04:23.120 --> 00:04:27.040 build entire secure intranet applications. 107 00:04:27.120 --> 00:04:28.279 That's a big step up. 108 00:04:28.360 --> 00:04:31.199 It is. It's like he's giving you a blueprint. 109 00:04:31.000 --> 00:04:35.360 Like architectural plans. Yes, exactly, secure internal tools. 110 00:04:35.399 --> 00:04:39.560 So he introduces this concept of an application framework, which 111 00:04:39.560 --> 00:04:43.399 is essentially a set of reusable classes and functions, so 112 00:04:43.439 --> 00:04:45.360 you don't have to start from scratch exactly. 113 00:04:45.399 --> 00:04:47.920 It's like prefabricated building block. 114 00:04:47.920 --> 00:04:49.519 But designed with security in mind. 115 00:04:49.560 --> 00:04:51.480 Oh that's cool. So they're already secure. 116 00:04:51.600 --> 00:04:53.720 They're built to be secure come the ground up. Yeah, 117 00:04:53.720 --> 00:04:55.720 so you're not having to reinvent the wheel every time. 118 00:04:55.800 --> 00:04:56.399 That makes sense. 119 00:04:56.439 --> 00:04:58.959 You can just use these secure components, right and focus 120 00:04:59.000 --> 00:05:00.519 on the specific function you need. 121 00:05:00.600 --> 00:05:01.480 Okay, that makes sense. 122 00:05:01.680 --> 00:05:04.519 And the way this framework is structured is really interesting. 123 00:05:04.759 --> 00:05:05.120 Oh. 124 00:05:05.319 --> 00:05:07.680 How so it's got this logical layered approach. 125 00:05:07.879 --> 00:05:10.199 Oh, like layers of an onion kind of like that. 126 00:05:10.439 --> 00:05:12.800 Yeah. So you've got the presentation layer. 127 00:05:12.600 --> 00:05:14.279 Like the user sees exactly. 128 00:05:14.839 --> 00:05:18.560 Then you've got the application layer, the brains that's where 129 00:05:18.600 --> 00:05:19.639 all the logic happens. 130 00:05:19.720 --> 00:05:21.160 The logic, okay, and then. 131 00:05:21.040 --> 00:05:24.279 You've got the database layer where the data lives exactly 132 00:05:24.319 --> 00:05:25.759 interacting with the data store. 133 00:05:25.800 --> 00:05:28.680 Okay, So it's all very very organized, organ like a 134 00:05:28.680 --> 00:05:31.720 well run kitchen like that, where everything has its place. 135 00:05:31.560 --> 00:05:35.040 Everything has its place. But it's not just about being tidy. No. 136 00:05:35.519 --> 00:05:41.199 This framework also has some really robust security features built in. Oh, 137 00:05:41.319 --> 00:05:45.399 like what for example, authentication and authorization, those are important 138 00:05:45.439 --> 00:05:46.199 are centralized. 139 00:05:46.319 --> 00:05:46.600 Okay. 140 00:05:47.120 --> 00:05:51.279 So instead of each tool managing its own users and permissions, 141 00:05:52.199 --> 00:05:54.279 it's all handled in one secure place. 142 00:05:54.399 --> 00:05:54.680 Oh. 143 00:05:54.959 --> 00:05:57.360 It's like having one main entrance for the whole building, 144 00:05:57.439 --> 00:05:57.639 for the. 145 00:05:57.600 --> 00:05:59.480 Whole building a super secure lock. 146 00:05:59.720 --> 00:06:02.079 Yes, instead of having multiple doors. 147 00:06:02.160 --> 00:06:04.720 That each need their own security system exactly. 148 00:06:04.800 --> 00:06:08.279 Okay, that makes sense, much more efficient and secure and secure. Yeah. 149 00:06:08.360 --> 00:06:12.199 They've also got this powerful error handler built in. What 150 00:06:12.360 --> 00:06:17.600 is that too, which not only logs errors for debugging. Oh, 151 00:06:17.600 --> 00:06:21.959 that's helpful, but it also supports internationalization. Okay, so error 152 00:06:21.959 --> 00:06:24.079 messages can be displayed in different languages. 153 00:06:24.160 --> 00:06:25.319 Oh wow, that's useful. 154 00:06:25.439 --> 00:06:27.399 Yeah, depending on the user's preferences. 155 00:06:27.439 --> 00:06:28.279 That's a nice touch. 156 00:06:28.480 --> 00:06:30.759 Makes things a lot easier, it does. And what I 157 00:06:30.800 --> 00:06:33.759 really love is that they don't just leave you hanging 158 00:06:33.839 --> 00:06:37.600 with this framework, so they give you actually provide concrete 159 00:06:37.600 --> 00:06:40.160 example of how to use it, of how to use 160 00:06:40.240 --> 00:06:43.519 this framework to build real Internet applications. 161 00:06:43.519 --> 00:06:44.480 Oh, that's so cool. 162 00:06:44.639 --> 00:06:47.439 Yeah. So they've got like a central authentication system, a 163 00:06:47.560 --> 00:06:51.959 user management system, right, a document publisher, wow, a contact manager. 164 00:06:52.120 --> 00:06:53.360 These are all things you'd. 165 00:06:53.199 --> 00:06:57.000 Need, even a calendar manager for real intranet. Yeah, and 166 00:06:57.040 --> 00:07:01.560 it's just amazing to see these real world applications come together. Yeah, 167 00:07:01.639 --> 00:07:03.839 with such a strong focus on security. 168 00:07:04.040 --> 00:07:05.920 That's cool. I like that a lot. And you know, 169 00:07:05.959 --> 00:07:09.600 it's really cool. What's that the security focus? Yeah, it 170 00:07:09.639 --> 00:07:12.319 doesn't stop at the Internet, really. The book goes on 171 00:07:12.439 --> 00:07:15.160 to explore a whole range of other applications. Wait, what 172 00:07:15.279 --> 00:07:16.160 email marketing? 173 00:07:16.399 --> 00:07:18.399 Oh wow, surveys okay. 174 00:07:18.079 --> 00:07:22.000 Command line utilities interesting, even virtual host management. 175 00:07:22.199 --> 00:07:24.800 Yeah. He's really showing us that no matter what you're 176 00:07:24.800 --> 00:07:28.480 building with PHP, security should always be top of mind. 177 00:07:28.600 --> 00:07:31.240 It's like a golden thread running through the whole book. 178 00:07:31.399 --> 00:07:35.720 Absolutely. So, which of these applications really stead out to you? 179 00:07:35.720 --> 00:07:38.040 You know? One that I thought was really interesting was 180 00:07:38.120 --> 00:07:39.319 the telefriends system. 181 00:07:39.560 --> 00:07:40.639 Oh yeah, that's a classic. 182 00:07:41.040 --> 00:07:43.399 It's like a staple on so many websites. 183 00:07:43.480 --> 00:07:44.480 Yeah, you see it everywhere. 184 00:07:44.600 --> 00:07:48.600 But the way Kaber incorporates a scoring mechanism to prevent abuse. 185 00:07:48.920 --> 00:07:49.720 Oh, that's smart. 186 00:07:49.800 --> 00:07:50.720 It's really clever. 187 00:07:51.040 --> 00:07:52.040 Yeah, how does that work? 188 00:07:52.360 --> 00:07:57.439 So basically it encourages sharing, but it also stops spammers. 189 00:07:57.199 --> 00:07:59.600 In their tracks, so you can't just you. 190 00:07:59.560 --> 00:08:03.000 Can't just blasted out to everyone. You have to actually 191 00:08:03.000 --> 00:08:03.839 be selective. 192 00:08:04.000 --> 00:08:04.480 That's cool. 193 00:08:04.639 --> 00:08:06.279 Yeah, I thought it was a really neat way to 194 00:08:06.360 --> 00:08:09.519 add a layer of security to a common feature that's 195 00:08:09.519 --> 00:08:10.040 like a game. 196 00:08:10.399 --> 00:08:14.079 Yeah, kind of, but with real world security implications exactly. 197 00:08:14.279 --> 00:08:14.839 I like it. 198 00:08:14.959 --> 00:08:17.160 What about email campaigns. 199 00:08:16.839 --> 00:08:18.360 Oh yeah, those are. 200 00:08:18.199 --> 00:08:20.600 Tricky, they can be from a security perspective. 201 00:08:20.920 --> 00:08:23.319 Yeah, because you're dealing with so much sensitive. 202 00:08:22.920 --> 00:08:24.560 Data, right exactly. 203 00:08:24.199 --> 00:08:26.000 And you don't want that getting into the wrong hands. 204 00:08:26.040 --> 00:08:29.199 Absolutely. And the book goes into detail about building an 205 00:08:29.199 --> 00:08:33.799 email system. Okay, that allows for personalized mass emails. 206 00:08:34.360 --> 00:08:37.320 So you can still target specific groups, right, but you're 207 00:08:37.360 --> 00:08:39.000 doing it securely exactly. 208 00:08:39.159 --> 00:08:41.240 And it also covers tracking responses. 209 00:08:41.600 --> 00:08:42.679 Well that's important, so. 210 00:08:42.639 --> 00:08:45.159 You can see who's opening your emails, who's clicking on links, but. 211 00:08:45.240 --> 00:08:46.960 All while making sure that the data. 212 00:08:46.759 --> 00:08:49.679 Is protected absolutely, that's paramount. 213 00:08:49.120 --> 00:08:51.799 And that the system can't be hijacked for spam. 214 00:08:51.639 --> 00:08:54.440 Right, because that's a huge problem, huge problem. Yeah, you 215 00:08:54.440 --> 00:08:56.759 don't want your system being used to send out junk mail. 216 00:08:57.159 --> 00:08:59.960 No one wants that. No. Okay, so we've talked about 217 00:09:00.000 --> 00:09:03.080 I have applications, but what about command line stuff? 218 00:09:03.240 --> 00:09:06.799 Oh yeah, that's a whole other world, it is. 219 00:09:07.240 --> 00:09:10.600 And to be honest, it always seems a bit intimidating. 220 00:09:10.879 --> 00:09:11.440 I know what you mean. 221 00:09:11.600 --> 00:09:14.360 To non developers, it can be a bit cryptic. Yeah, 222 00:09:14.399 --> 00:09:15.679 all those commands and things. 223 00:09:15.720 --> 00:09:19.240 But Kabeer makes it seem really approachable. Really yeah. He 224 00:09:19.240 --> 00:09:20.399 breaks it down really well. 225 00:09:20.480 --> 00:09:23.120 So what kind of command line applications does he cover? Well? 226 00:09:23.200 --> 00:09:25.840 One example he gives is a command line reminder tool. 227 00:09:25.960 --> 00:09:26.679 Oh that's cool. 228 00:09:26.919 --> 00:09:28.480 Yeah, it's like having a personal. 229 00:09:28.200 --> 00:09:30.679 Assistant that lives on the command line exactly. 230 00:09:30.720 --> 00:09:34.200 And it can send you notifications for appointments or deadlines. 231 00:09:34.879 --> 00:09:37.799 So it's like a to do list but on steroids exactly. 232 00:09:37.919 --> 00:09:38.399 I like it. 233 00:09:38.519 --> 00:09:40.919 And he also covers virtual host management. 234 00:09:41.879 --> 00:09:43.639 Oh wow, that's getting pretty advanced. 235 00:09:43.840 --> 00:09:45.639 It is, but it's something that a lot of system 236 00:09:45.679 --> 00:09:47.320 administrators have to deal with. 237 00:09:47.559 --> 00:09:50.639 Yeah, setting up and managing all those virtual hosts exactly. 238 00:09:50.679 --> 00:09:53.840 And Kaber actually provides a tool a tool, Yeah. He 239 00:09:53.919 --> 00:09:58.960 calls it the Apache Virtual Hostmaker, and it helps automate 240 00:09:58.960 --> 00:09:59.559 the process. 241 00:09:59.639 --> 00:10:02.600 Oh so it makes it easier. That's easier and more secure. 242 00:10:02.840 --> 00:10:05.600 Hopefully that's the goal. You know. It's amazing we've covered 243 00:10:05.720 --> 00:10:06.399 so much. 244 00:10:06.679 --> 00:10:08.720 We really have actual. 245 00:10:08.279 --> 00:10:13.120 Code examples to like these big picture application frameworks. 246 00:10:12.440 --> 00:10:13.840 The whole spectrum. 247 00:10:13.879 --> 00:10:16.279 But I think what's really cool about this book is 248 00:10:16.320 --> 00:10:19.279 that that it doesn't just tell you what to do, right, 249 00:10:19.360 --> 00:10:23.000 It explains the why, Yeah, the reasoning yeah, behind secure 250 00:10:23.039 --> 00:10:26.919 PHP development. It's not just a cookbook, more like a philosophy. 251 00:10:27.000 --> 00:10:28.200 Yeah, like a way of thinking. 252 00:10:28.360 --> 00:10:30.159 And I think that's what makes it so valuable. 253 00:10:30.240 --> 00:10:31.960 Oh, absolutely, because Kaber is not. 254 00:10:32.000 --> 00:10:35.080 Just giving you a set of rules to follow blindly. 255 00:10:35.399 --> 00:10:37.279 He's helping you understand the principles. 256 00:10:37.360 --> 00:10:39.399 Yeah, the underlying principle. 257 00:10:39.039 --> 00:10:41.919 So you can make informed decisions in your own projects, 258 00:10:41.919 --> 00:10:42.679 in your own work. 259 00:10:42.879 --> 00:10:43.759 Yeah, that's key. 260 00:10:43.879 --> 00:10:45.720 It's like he's not just teaching you to fish. 261 00:10:45.960 --> 00:10:47.600 He's teaching you to think. 262 00:10:47.440 --> 00:10:50.320 Like a fish, or maybe like a fisherman. 263 00:10:50.000 --> 00:10:51.879 A fisherman who's also a security expert. 264 00:10:52.159 --> 00:10:53.759 Yeah, a very specialized fisherman. 265 00:10:53.840 --> 00:10:55.919 Yeah exactly, But you get the point I do. 266 00:10:56.039 --> 00:10:58.080 It's about developing that security mindset. 267 00:10:58.200 --> 00:11:01.080 It's a way of life, it really is for a developer. 268 00:11:00.720 --> 00:11:04.879 And I think that's a key takeaway. Yeah, for any developer. 269 00:11:04.440 --> 00:11:08.240 Really, whether you're just starting out, regardless of experience, or 270 00:11:08.840 --> 00:11:10.679 you've been doing this for years. 271 00:11:10.600 --> 00:11:12.240 That security first approach. 272 00:11:12.440 --> 00:11:13.159 It's essential. 273 00:11:13.279 --> 00:11:16.759 It's essential. It's got to be baked in from the beginning, 274 00:11:16.840 --> 00:11:17.600 from day one. 275 00:11:17.799 --> 00:11:18.480 Absolutely. 276 00:11:19.240 --> 00:11:21.039 And this makes me think about something else that the 277 00:11:21.039 --> 00:11:24.399 book touches on. Oh what's that speed optimization? 278 00:11:24.559 --> 00:11:28.159 Oh yeah, that's a whole other can of worms. It is, 279 00:11:28.440 --> 00:11:30.240 but it's important, it's important. 280 00:11:30.399 --> 00:11:33.039 But how do you balance that? That's the question, the 281 00:11:33.080 --> 00:11:37.840 need for security with the desire for fast responsive applications. 282 00:11:37.840 --> 00:11:39.799 If you want both, you want it all right. 283 00:11:39.960 --> 00:11:43.759 But sometimes it feels like those two things are odds. Yeah, 284 00:11:43.799 --> 00:11:45.559 like they're pulling in opposite directions. 285 00:11:46.200 --> 00:11:49.480 You know. Sometimes adding those extra layers of security it 286 00:11:49.519 --> 00:11:51.639 can slow things down a bit, a little bit. 287 00:11:51.840 --> 00:11:54.399 Yeah, So how do you find that sweet spot? 288 00:11:55.200 --> 00:11:56.960 That's the million dollar question. 289 00:11:56.960 --> 00:12:00.440 Right where it's both secure and fasts. 290 00:12:00.480 --> 00:12:01.919 Well, it's a balancing act. 291 00:12:01.799 --> 00:12:02.399 It really is. 292 00:12:02.519 --> 00:12:03.240 It's a trade off. 293 00:12:03.320 --> 00:12:07.039 So in some cases, security might be the top priority, absolutely, 294 00:12:07.960 --> 00:12:11.440 even if it means sacrifice it giving up a little 295 00:12:11.440 --> 00:12:12.720 bit of performance. 296 00:12:12.240 --> 00:12:13.559 A little bit of speed. 297 00:12:13.720 --> 00:12:16.600 Yeah, Like if you're dealing with highly sensitive data. 298 00:12:17.840 --> 00:12:20.159 Oh yeah, like financial. 299 00:12:19.600 --> 00:12:21.159 Wreck, medical information. 300 00:12:21.320 --> 00:12:22.600 You don't want to mess around with that. 301 00:12:23.559 --> 00:12:27.120 Did. Security trumps everything absolutely, But in other situations, yeah, 302 00:12:27.200 --> 00:12:28.600 speed might be more critical. 303 00:12:28.679 --> 00:12:31.720 It might be, right, Like think about a real time application. Yeah, 304 00:12:31.919 --> 00:12:36.000 like a stock trading platform or a multiplayer game. 305 00:12:35.840 --> 00:12:38.000 Where every millisecond counts exactly. 306 00:12:38.200 --> 00:12:39.639 You can't afford to have any lag. 307 00:12:40.200 --> 00:12:44.600 Any delay could be costly, yeah, or disrupt the whole experience. 308 00:12:44.120 --> 00:12:45.440 The whole user experience. 309 00:12:45.480 --> 00:12:47.720 So you've got to be more creative you do in 310 00:12:47.799 --> 00:12:50.200 finding ways to optimize security. 311 00:12:49.879 --> 00:12:52.200 Without sacrificing too much performance. 312 00:12:52.360 --> 00:12:52.480 Right. 313 00:12:53.000 --> 00:12:54.360 It's a tough challenge, it is. 314 00:12:54.440 --> 00:12:55.879 It's like choosing a sports. 315 00:12:55.679 --> 00:12:58.240 Car and a tank. Yeah, both have their advantages. 316 00:12:58.320 --> 00:13:00.519 You want to get there fast, you do, but you 317 00:13:00.559 --> 00:13:03.080 also want to be safe exactly. 318 00:13:03.639 --> 00:13:05.000 But you can't always have both. 319 00:13:05.279 --> 00:13:06.080 You can't have it all. 320 00:13:06.360 --> 00:13:07.759 Sometimes you have to make a choice. 321 00:13:07.799 --> 00:13:10.360 And that's why it's so important for developers and understanding 322 00:13:10.480 --> 00:13:14.200 really understands both sides, both security and performance. 323 00:13:14.360 --> 00:13:17.120 Right. You have to be able to assess the risks. 324 00:13:17.440 --> 00:13:20.039 Yeah, make those tough decisions. I find the right balance 325 00:13:20.080 --> 00:13:22.320 for your specific application exactly. 326 00:13:22.360 --> 00:13:24.480 There's no one size fits all solution. 327 00:13:25.200 --> 00:13:27.039 So if you're listening to this and you're thinking, oh 328 00:13:27.080 --> 00:13:31.000 my god, this is complex, this is overwhelming, it'll be intimidated. 329 00:13:31.120 --> 00:13:32.600 Yeah, don't pair it, because take. 330 00:13:32.440 --> 00:13:34.759 It one step at a time, one step at a time. 331 00:13:34.919 --> 00:13:37.960 You know, start by incorporating some of those basic principles 332 00:13:38.120 --> 00:13:42.919 like what validating your inputs, using meaningful names, thinking about 333 00:13:42.960 --> 00:13:46.679 security from the beginning, from the very start. And remember, 334 00:13:46.960 --> 00:13:48.000 learning is a journey. 335 00:13:48.559 --> 00:13:51.360 It's a marathon, not a sprint. It really is the 336 00:13:51.360 --> 00:13:52.720 world of cybersecurity. 337 00:13:53.120 --> 00:13:56.039 It's constantly changing, it's always evolving. So you got to 338 00:13:56.039 --> 00:13:59.600 say curious, Yeah, keep learning, keep exploring, never stop learning. 339 00:13:59.759 --> 00:14:03.080 Stop learning. There are tons of resources out there. There 340 00:14:03.120 --> 00:14:06.240 are online communities, books look like this. 341 00:14:06.200 --> 00:14:11.440 One, articles, conferences, podcasts, we're a podcast. 342 00:14:11.000 --> 00:14:12.720 All sorts of things to help you stay up to 343 00:14:12.799 --> 00:14:13.639 date exactly. 344 00:14:13.720 --> 00:14:14.399 You're not alone. 345 00:14:14.440 --> 00:14:18.240 And as you're learning and growing, always remember what's that 346 00:14:18.480 --> 00:14:20.879 Security isn't just about protecting data. 347 00:14:21.519 --> 00:14:23.039 It's about protecting people. 348 00:14:23.120 --> 00:14:24.000 It's about people. 349 00:14:24.200 --> 00:14:27.080 Yeah, the code we write it has. 350 00:14:27.000 --> 00:14:28.519 Real world consequences. 351 00:14:28.840 --> 00:14:29.200 It does. 352 00:14:29.279 --> 00:14:33.159 We have a responsibility developer to build applications. 353 00:14:32.480 --> 00:14:35.279 That are both powerful and secure. That's a good way 354 00:14:35.320 --> 00:14:35.759 to put it. 355 00:14:36.080 --> 00:14:38.600 So as you continue to explore the world of secure 356 00:14:38.679 --> 00:14:43.960 PHP development. Remember to balance functionality with security, and always 357 00:14:44.039 --> 00:14:45.600 keep that human element in mind. 358 00:14:45.639 --> 00:14:47.279 It's all about people, it is. 359 00:14:47.639 --> 00:14:49.360 Thanks for joining us on this deep dive. 360 00:14:49.519 --> 00:14:50.320 It's been a pleasure.