PHP Classes

Built-in Protection Against CSRF Security Attacks in PHP 7.1 - Lately in PHP podcast episode 72

Recommend this page to a friend!
  Blog PHP Classes blog   RSS 1.0 feed RSS 2.0 feed   Blog Built-in Protection A...   Post a comment Post a comment   See comments See comments (0)   Trackbacks (0)  


Viewers: 1,133

Last month viewers: 1

Categories: Lately in PHP Podcast, News

Cross-Site Request Forgery (CSRF) are a type of security attacks that may cause user accounts to be abused, so attackers can make users perform actions inadvertently in a vulnerable site and cause serious problems to the users and the sites.

There is a new proposal for PHP 7.1 to provide built-in semi-automatic protection against CSRF attacks, so it will be easier for PHP developers to protect the sites they develop against this type of exploit.

That was one of the main topics discussed by Manuel Lemos and Arturs Sosins in the episode 72 of the Lately in PHP podcast hangout.

They also talked about other proposals for PHP 7.1, as well the election of two release managers that will take care of the steps necessary to release PHP 7.1 later this year on the planned schedule.

This article includes a transcript of the podcast summary.

Listen to the podcast, or watch the hangout video, or read the summary transcript to learn more about these interesting PHP topics.

Loaded Article


Introduction (0:20)

Summary (1:22)

PHP 5.5.36, 5.6.22, 7.0.7 released (5:13)

ImageMagick Vulnerability (11:50)

PHP 7.1 Release Managers Elected (13:44)

RFC: Allow loading extensions by name (15:32)

RFC: Semi-Automatic CSRF Protection (18:13)

RFC: Simple Annotations (21:01)

RFC: Fix inconsistent behavior of $this variable (24:56)

RFC: array_change_keys (28:03)

JavaScript Innovation Award Winners of February 2016 (30:52)

JavaScript Innovation Award Rankings of 2016 (35:41)

PHP Innovation Award Winners of February 2016 (38:10)

PHP Innovation Award Rankings of 2016 (48:28)

Conclusion (50:12)


Listen or download the podcast, RSS feed and subscribe in iTunes

Watch the podcast video, subscribe to the podcast YouTube channel

Transcript of the summary

Click on the Play button to listen now.

Download Size: 44MB Listeners: 1087

Introduction music Harbour used with explicit permission from the author Danilo Ercole, from Curitiba, Brazil

View Podcast in iTunes

In iTunes, use the Subscribe to Podcast... item of the Advanced menu, and then enter the URL above to subscribe to this podcast.

Watch the podcast video

Note that the timestamps below in the transcript may not match the same positions in the video because they were based on the audio timestamps and the audio was compacted to truncate silence periods.

See the Lately in PHP podcast play list on YouTube and Subscribe to this channel there.

Show notes

Summary Transcript

This month we don't have as many as RFCs as in the past month because the deadlines for steps of launch PHP 7.1, so people are not in a rush for new feature submission of proposal.

So as always we are going to start with the review of the latest PHP versions just, mention anything relevant. For now we will be talking PHP 5.5.35, PHP 5.6.2 and PHP 7.0.7.

Then we move on to talk about an issue of a vulnerability that was announced by the maintainer of ImageMagick, which is a a image processing extension that some people use in their PHP applications.

Then we start already talking about the proposal and the process of releasing PHP 7.1. And there was an election to choose the release managers of PHP 7.1 and we will mention it briefly in the podcast.

Then we start covering several more proposal that have talking about. One about allowing to specify the extension that you need in your PHP configuration just by name, a simple name rather than the file name path. This is to simplify the configuration to make it more portable between different enviroments.

Then we talk about an interesting new feature that aims to make it easier to protect exploits like cross-site request forgery, using special values that are setup in sections.

Then we talk about yet another proposal for annotations in PHP 7.1 . We comment about this in the last episode. So this is a new one.

Then we talk something that is not trivial to understand but is to forbid dynamical to do scope introspection. Basically is to forbid certain functions when you are making any calls to your code, I suppose this is for closures. We still need to debate about it.

Then finally there is a proposal for a new array function. PHP has many array functions, but this one aims to do something that is a little different that was not possible before.

You need to be a registered user or login to post a comment

Login Immediately with your account on:


No comments were submitted yet.

  Blog PHP Classes blog   RSS 1.0 feed RSS 2.0 feed   Blog Built-in Protection A...   Post a comment Post a comment   See comments See comments (0)   Trackbacks (0)