Essential PHP Security
While only a small book (fortunately), it covers all of the major areas of security and presents you with techniques for blocking (or at least minimizing the effects of) an attack against your code. A must-have book for any PHP programmer.
- Separate chapters cover each of the main areas of PHP coding where security can be compromised.
- Provides simple techniques that can be followed to improve the security of your application.
- Demonstrates defensive coding techniques that should block even newly discovered exploits.
- Simple coding examples demonstrate each technique.
- Independent techniques can be applied to your code separately, allowing you to improve security in stages.
- Techniques are not plug and play; they need to be interpreted in terms of what your script is actually doing.
- First Edition: October 2005
- 109 page paperback
- Published by O'Reilly Media
- ISBN: 0-596-00656-X
- A Guide to Building Secure Web Applications
- Author Chris Shiflett
As this book says right at the start, it is not PHP itself that is insecure; it is the way that people write their PHP applications that makes their scripts more or less secure. In this book the author discusses PHP coding and security with respect to a number of areas, each having its own chapter.
- Forms and URLs
- Databases and SQL
- Sessions and Cookies
- Files and Commands
- Authentication and Authorization
- Shared Hosting
Each chapter discusses a number of ways in which your code could potentially be vulnerable to attack and then presents you with methods of writing that code which will block all (or at least most) such attacks while minimizing the impact that the security code has on the use of your script by your legitimate visitors. Sample code snippets are provided in the book to demonstrate how to apply many of the techniques being discussed. Of course, the exact implementation in your particular script depends on the requirements of that script, so the actual implementation of the security suggestions in your script is left to you.
There is no plug and play solution when it comes to security. Sure, you can find pieces of PHP code on the internet which can be plugged into your script to protect against specific attacks, but the author does not advocate this approach. Instead, the book presents a selection of defensive coding techniques that should dramatically improve the security of your script in the first place and make the use of such plug and play code completely unnecessary, as your code will already block not only the specific exploit covered by that code but also many possible variations on that method of attack.
This book presents much more than just a way to secure your code against a list of known and potential exploits. It presents an approach to writing your scripts where security is an integral part of the script design process rather than being tacked on as an afterthought.