Book Rank: #41 in php
Paperback: 124 pages
Publisher: O'Reilly Media, Inc.; 1 edition (October 13, 2005)
Language: English
ISBN-10: 059600656X
ISBN-13: 978-0596006563
Product Dimensions: 9 x 6.9 x 0.4 inches
You've heard the nasty stories about PHP sites being wiped off the web by evil hackers? Sadly it's not scare-mongering as it does happen, and as much as we love PHP it needs proper security to keep your site safe from harm. Plenty of PHP books have the odd chapter on security but at last O'Reilly have published a whole volume dedicated to the cause, with all the code you'll need to keep everything in order. Each chapter covers a different aspect of the application, from form processing to database programming and session management. Written in a straight forward style, it's ideal for every PHP user, but at GBP20 you might expect a little more than just 100 pages." .NET, November 2005 "If you write PHP scripts, get a copy" - Alain Williams, news@UK, March 2006
Being highly flexible in building dynamic, database-driven web applications makes the PHP programming language one of the most popular web development tools in use today. It also works beautifully with other open source tools, such as the MySQL database and the Apache web server. However, as more web sites are developed in PHP, they become targets for malicious attackers, and developers need to prepare for the attacks.
Security is an issue that demands attention, given the growing frequency of attacks on web sites. "Essential PHP Security" explains the most common types of attacks and how to write code that isn't susceptible to them. By examining specific attacks and the techniques used to protect against them, you will have a deeper understanding and appreciation of the safeguards you are about to learn in this book.
In the much-needed (and highly-requested) "Essential PHP Security," each chapter covers an aspect of a web application (such as form processing, database programming, session management, and authentication). Chapters describe potential attacks with examples and then explain techniques to help you prevent those attacks.
Topics covered include:
- Preventing cross-site scripting (XSS) vulnerabilities
- Protecting against SQL injection attacks
- Complicating session hijacking attempts
You are in good hands with author Chris Shiflett, an internationally-recognized expert in the field of PHP security. Shiflett is also the founder and President of Brain Bulb, a PHP consultancy that offers a variety of services to clients around the world.
User Review:
You would think that with all of the books being published recently about PHP that everyone and his mother is writing PHP code. This may be true, but even if it is not, it is certain that many people and businesses are using PHP code, in concert with other applications like MySQL, to produce dynamic web sites. This is all well and good because PHP is a high-quality coding language especially well-suited to web applications. It is also open-source, meaning well-supported by a community of coders and developers and cost-free. The one problem is that, like all coding languages, poorly designed or written PHP applications can be security risks potentially allowing Internet miscreants to cause damage to web servers, hosts, and users. It appears to be the case that there are many, many instances of insecure PHP code in use, hence, the value in a targeted book on PHP security, like "Essential PHP Security", by Chris Shiflett.
The author is an internationally-known and accomplished expert on PHP security. He is the founder of the PHP Security Consortium, a group of volunteers who help educate the PHP community, and a well-known contributor to the PHP-general mail digest. The book is designed to provide security information and guidelines and explain the most common types of attacks and how to prevent or repel them.
"Essential PHP Security" is a slight volume of only 109 pages, including index. Shiflett wastes no time and immediately jumps into his topic, starting with his opinion on the use of the PHP concept of "register globals", a configuration setting which he recommends against using in favor of "superglobal arrays". He next turns to how to configure your web server setup to properly deal with error reporting, both for the developer's use and to prevent providing clues to any interloper trying to illegally access your site.
The balance of Chapter 1 itemizes general principles of Internet security: Defense in Depth - redundantly using more than one technique to secure your site; Least Privileges - writing code to minimize access to the least needed for any particular user's needs; Simple is Beautiful - the writing of clear, simple code, to make troubleshooting and auditing easier; and Minimize Exposure - taking steps to design and implement programs to eliminate or at least minimize display of sensitive data or code - don't even store credit card information unless absolutely necessary, he suggests.
Next, comes "Best Practices" - balancing risk vs. usability, keeping track of data, filtering of all input, escaping output, and in all cases, distinguishing between filtered and tainted data. These principles and practices are illustrated with short code snippets comparing insecure vs. more secure code.
The next seven chapters deal with specific elements of a website, the types of attacks that can occur with each, and tips and suggestions on how to deal with these attacks. These elements include vulnerabilities in forms and URLs, databases and SQL, sessions and cookies, PHP "include" files, files and commands, authentication and authorization, and shared hosting.
The author credibly describes by examples the types of attacks against forms and URLs - cross-site scripting, cross site request forgeries, spoofing of forms, and insecure Raw HTTP requests. Authentication attacks include dictionary attacks, password sniffing, replay attacks, and cookie stealing. For each, he briefly describes how the attacks work, shows examples of insecure code, and provides examples of secure code.
For each of the elements dealt with, the author follows the same model: describe briefly the types of attacks against each element, show conventionally-used insecure code, and show how to eliminate the insecure parts of the code. Most of the security defenses entail filtering data from outside sources, especially form input, email, and XML documents from other web applications. Other defense techniques include using SSL for encrypted data transmissions, strengthening identification methods, hard-coding file paths, and using token techniques in addition to PHP encryption functions. Interestingly, Schiflett believes it is impossible to achieve a high level of security in a shared hosting situation. He provides suggestions on what security measures will help the most.
What is most useful about this book is the aggregation in one place of descriptions of all of these security attacks, and vulnerabilities in PHP code, along with suggestions on dealing with them. The organization of the material is good, however. I believe the author falls short in his code examples. There appears to be a disconnect between the descriptive text (which is clear enough) and the examples, which are not, at least to me, a novice in PHP. I could not readily follow the detailed code segments, although I could understand in principle what was going on.
Some of the code segments were barely explained and some were inadequately explained. The concepts of the attacking techniques were understandable, but the detailed implementations were not. There are a small handful of illustrations, but I found them too simplistic and inadequate. To be fair, this may be a failure of the reviewer. More experienced PHP folks may not complain about the presentations. For them, this book gives them what they need to know about handling the security aspects of their applications, but my guess is that it is the less accomplished coders who need the most help (although those same people are probably writing the types of applications and sites least likely to be targeted by miscreants.)
There are three short appendices presenting suggestions on how to configure a PHP installation to minimize weaknesses, suggestions about avoiding certain powerful PHP functions, especially system commands, to minimize risk, and a short segment on cryptography features in PHP.
Free Download:
No comments:
Post a Comment