Source: PHP Oxford

PHP Oxford meetup

This month we are excited to be joined by Craig Francis to tell us about Ending Injection Vulnerabilities.

"How we can bring an end to Injection Vulnerabilities, by "distinguishing strings from a trusted developer, from strings that may be attacker controlled".

Presented at OWASP AppSec US 2021, this time I'll focus on the PHP implementation via static analysis tools Psalm and PHPStan, how it could work for everyone with `is_literal()`, and tempt the presentation gods with a few demos, including examples on how simple mistakes using Database and HTML Templating libraries can lead to Injection Vulnerabilities. This approach allows libraries to address these issues by checking the sensitive strings they receive (SQL/HTML/CLI/etc) do not contain user values. It will then be up to these well-tested libraries to handle user values safely; ideally via parameterised queries, but they can also escape values correctly.

Discussion during the talk is welcome (e.g. the inevitable question about SQL containing user defined field names, and parameterised IN(?,?,?)); I'm also happy to discuss on Twitter @craigfrancis, and a quick overview is available at https://eiv.dev/

Bio: I've been building websites over the last 20-something years, with a focus on Security, Accessibility, and Performance. At the moment I'm working on approaches to security that prevent developers from being able to make mistakes."
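As an added illustration of the library-side check the abstract describes (example code written for this page, not Craig Francis's or any library's own): a small PDO wrapper that accepts only developer-written SQL and binds every user value. The `literal-string` docblock type is real Psalm/PHPStan syntax; the runtime call to `is_literal()` assumes the proposed function is available and is skipped otherwise.

```php
<?php
// Added example: the SQL string must come from the developer, user values
// go through bound parameters. Psalm/PHPStan enforce this statically via
// the literal-string type; is_literal() (assumed to exist, as proposed in
// the talk) enforces it at runtime where available.
declare(strict_types=1);

final class SafeDb
{
    public function __construct(private PDO $pdo) {}

    /**
     * @param literal-string $sql          SQL written by the developer only
     * @param array<int, string|int> $params  user values, always bound
     * @return array<int, array<string, mixed>>
     */
    public function query(string $sql, array $params = []): array
    {
        if (function_exists('is_literal') && !is_literal($sql)) {
            throw new InvalidArgumentException('SQL must be a developer-written literal');
        }
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    /**
     * The "IN (?,?,?)" case: concatenating literals keeps the result a
     * literal-string for Psalm/PHPStan (and under is_literal() rules).
     * @return literal-string
     */
    public function placeholders(int $count): string
    {
        $list = '?';
        for ($i = 1; $i < $count; $i++) {
            $list .= ',?';
        }
        return $list;
    }
}

$pdo = new PDO('sqlite::memory:');                       // constructed sample data
$pdo->exec('CREATE TABLE users (id INTEGER, name TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
$db = new SafeDb($pdo);

$names = ['alice', 'bob'];                               // stand-in for user input

// Safe: literal SQL, user values bound. Returns both rows.
$ids = $db->query('SELECT id FROM users WHERE name IN (' . $db->placeholders(count($names)) . ')', $names);
print_r($ids);

// Flagged by Psalm/PHPStan, and rejected at runtime where is_literal() exists:
// $db->query("SELECT id FROM users WHERE name = '{$names[0]}'");
```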

Interested in speaking?

If you'd like to present or even do a lightning talk (5-20 minutes) at a future event, please get in touch!

Refreshments & sponsors

In the olden days, we'd have a physical meet-up where the venue and refreshments (drinks and snacks) would be provided courtesy of our sponsors. Despite not being able to take full advantage of their generosity, we continue to thank Invitial (https://www.invitial.com/) for their support, and to Oxford Centre for Innovation (https://www.ocfi.co.uk/) for use of the venue.

Code of Conduct

Please note that this meet-up is covered by our code of conduct (https://github.com/phpoxford/code-of-conduct/blob/master/code-of-conduct.md). We request that all attendees abide by the code of conduct at all times. Thank you!
