Customer Reviews: Essential PHP Security
Automotive Deals HPCC Amazon Fashion Learn more Discover it Pink Floyd Fire TV Stick Happy Belly Coffee Handmade school supplies Shop-by-Room Amazon Cash Back Offer angrybirds angrybirds angrybirds  Amazon Echo  Echo Dot  Amazon Tap  Echo Dot  Amazon Tap  Amazon Echo Introducing new colors All-New Kindle Oasis AutoRip in CDs & Vinyl Segway miniPro

Format: Paperback|Change
Price:$23.61+ Free shipping with Amazon Prime
Your rating(Clear)Rate this item

There was a problem filtering reviews right now. Please try again later.

VINE VOICEon November 2, 2005
You would think that with all of the books being published recently about PHP that everyone and his mother is writing PHP code. This may be true, but even if it is not, it is certain that many people and businesses are using PHP code, in concert with other applications like MySQL, to produce dynamic web sites. This is all well and good because PHP is a high-quality coding language especially well-suited to web applications. It is also open-source, meaning well-supported by a community of coders and developers and cost-free. The one problem is that, like all coding languages, poorly designed or written PHP applications can be security risks potentially allowing Internet miscreants to cause damage to web servers, hosts, and users. It appears to be the case that there are many, many instances of insecure PHP code in use, hence, the value in a targeted book on PHP security, like "Essential PHP Security", by Chris Shiflett.

The author is an internationally-known and accomplished expert on PHP security. He is the founder of the PHP Security Consortium, a group of volunteers who help educate the PHP community, and a well-known contributor to the PHP-general mail digest. The book is designed to provide security information and guidelines and explain the most common types of attacks and how to prevent or repel them.

"Essential PHP Security" is a slight volume of only 109 pages, including index. Shiflett wastes no time and immediately jumps into his topic, starting with his opinion on the use of the PHP concept of "register globals", a configuration setting which he recommends against using in favor of "superglobal arrays". He next turns to how to configure your web server setup to properly deal with error reporting, both for the developer's use and to prevent providing clues to any interloper trying to illegally access your site.

The balance of Chapter 1 itemizes general principles of Internet security: Defense in Depth - redundantly using more than one technique to secure your site; Least Privileges - writing code to minimize access to the least needed for any particular user's needs; Simple is Beautiful - the writing of clear, simple code, to make troubleshooting and auditing easier; and Minimize Exposure - taking steps to design and implement programs to eliminate or at least minimize display of sensitive data or code - don't even store credit card information unless absolutely necessary, he suggests.

Next, comes "Best Practices" - balancing risk vs. usability, keeping track of data, filtering of all input, escaping output, and in all cases, distinguishing between filtered and tainted data. These principles and practices are illustrated with short code snippets comparing insecure vs. more secure code.

The next seven chapters deal with specific elements of a website, the types of attacks that can occur with each, and tips and suggestions on how to deal with these attacks. These elements include vulnerabilities in forms and URLs, databases and SQL, sessions and cookies, PHP "include" files, files and commands, authentication and authorization, and shared hosting.

The author credibly describes by examples the types of attacks against forms and URLs - cross-site scripting, cross site request forgeries, spoofing of forms, and insecure Raw HTTP requests. Authentication attacks include dictionary attacks, password sniffing, replay attacks, and cookie stealing. For each, he briefly describes how the attacks work, shows examples of insecure code, and provides examples of secure code.

For each of the elements dealt with, the author follows the same model: describe briefly the types of attacks against each element, show conventionally-used insecure code, and show how to eliminate the insecure parts of the code. Most of the security defenses entail filtering data from outside sources, especially form input, email, and XML documents from other web applications. Other defense techniques include using SSL for encrypted data transmissions, strengthening identification methods, hard-coding file paths, and using token techniques in addition to PHP encryption functions. Interestingly, Schiflett believes it is impossible to achieve a high level of security in a shared hosting situation. He provides suggestions on what security measures will help the most.

What is most useful about this book is the aggregation in one place of descriptions of all of these security attacks, and vulnerabilities in PHP code, along with suggestions on dealing with them. The organization of the material is good, however. I believe the author falls short in his code examples. There appears to be a disconnect between the descriptive text (which is clear enough) and the examples, which are not, at least to me, a novice in PHP. I could not readily follow the detailed code segments, although I could understand in principle what was going on.

Some of the code segments were barely explained and some were inadequately explained. The concepts of the attacking techniques were understandable, but the detailed implementations were not. There are a small handful of illustrations, but I found them too simplistic and inadequate. To be fair, this may be a failure of the reviewer. More experienced PHP folks may not complain about the presentations. For them, this book gives them what they need to know about handling the security aspects of their applications, but my guess is that it is the less accomplished coders who need the most help (although those same people are probably writing the types of applications and sites least likely to be targeted by miscreants.)

There are three short appendices presenting suggestions on how to configure a PHP installation to minimize weaknesses, suggestions about avoiding certain powerful PHP functions, especially system commands, to minimize risk, and a short segment on cryptography features in PHP.
0Comment| 45 people found this helpful. Was this review helpful to you?YesNoReport abuse
on December 31, 2008
I really wanted to write a glowing review of Mr. Shiflett's book, Essential PHP Security, but I can't help but dissapointed by the weaknesses.

The author's blog ([...]) and PHP security website ([...]) are good sources of information on PHP security and web creation in general. With the wisdom hinted at via his websites, I looked forward to more in depth insights and specifics in his book. Unfortunately for Mr. Shiflett, writing a book is not like writing 'bites' for a blog or marketing yourself as experienced and knowledgable. This book reads like an anthology of blog articles and seminar presentations and that weakness kills what should otherwise really be an essential text.

As another helpful reviewer pointed out, this book is a not appropriate for new PHP programmers. That reviewer also noted that it is precisely new initiates to PHP that need these lessons the most. The protective measures suggested in the book are presented superficially. The author highlights the vulnerability, but then only hints at a protective measure by providing a code snip-it which totally lacks context. Most novice readers expect examples of how to apply and integrate the suggested technique effectively and efficiently within the basics they already know.

Mr. Shiflett writes in his acknowledgements, "Written during one of the busiest years of my life ... [the people at O'reilly] have gone out of their way to make the entire process fit around my writing style and busy schedule."

Smoking gun?

For a full price book, the author had room, but perhaps not the desire to provide more substance. Concise does not have to be superficial. The book's main content is 85 pages -- followed by three appendices between pages 87 and 103. The index runs between pages 105 and 109. Substantive implementation details are missing and should have been included.

For example, in chapter 1 and later in chapter 2, the author recommends filtering input by identifying input, filtering the input, and distinguishing between filtered and unfiltered (tainted) data. This recommendation is explicitly explained twice in the book and repeated throughout. If you expect any examples demonstrating this in practical use, there are none. If you expect a class that exemplifies a way you might integrate this technique with your exsisting code, there is none. In other words, if you want to learn even remotely by example, you may be disappointed by this book.

As a last note, Appendix C talks briefly about cryptography in PHP. Based on this book, cryptography does not appear to be one of the author's strong areas of knowledge. For new PHP programmers who also work with SQL, Mr. Shiflett gives you just enough information to frustrate you (at best -- or hang yourself at worst). The author lists a number of other books and websites about cryptography on the first page of the Appendix. That is his best advice. Also take a look at [...] as an information resource.

In sum, I don't argue with the value of the hints Mr. Shiflett provides in his book, but this book is weak on substance and does not provide the examples necessary to teach the reader that the suggestions are practical for real implementation. Perhaps instead of this book, the many authors of the "How to PHP and MySQL" clone books need to integrate and implement these protective measures in their texts right from the start. Unfortunately, Mr. Shiflett's book does not bridge the existing gap. If you buy this book, expect to be searching other books and the web for ways to effectively and efficiently perform the tasks the author recommends. If you already know how to implement the measures, you probably did not need this book in the first place.
0Comment| 17 people found this helpful. Was this review helpful to you?YesNoReport abuse
on November 22, 2005
This long awaited work from who many refer to as the guru of PHP security is finally out.

I must say though, when it arrived in the mail, I was a bit surprised by the package. Rather than the typical book box you get, it was in a padded envelope and upon opening the package I saw that the book was a mere 109 pages (with appendices starting on page 87).

As I began to read the book, I started to realize some of the reasons for the small size. Chris stays completely on topic with PHP security and doesn't meander into subjects such as Linux server administration and security, which other (larger) texts do to quite a large extent. I acually went to another PHP security text I had recenty read, and if I took out the sysadmin sections, it left about the same amount of pages as Chris's book. Also Chris's approach to PHP security seems to be a very 'keep it simple one'. He doesn't get into elaborate security frameworks and application layers. He simply defines a PHP security issue, and provides a strait forward and simple solution for the problem. I agree with this approach since over engineering a solution, breeds complexity and complexity can easily mask, you guessed it, "security issues".

I would say what I liked most about this book is that he brought to light the security concerns when running on a shared host. I think this topic if very often neglected on the majority of PHP security articles and texts even though many of us use shared hosting due to how cheep it is. Chris devotes an entire chapter to the situation and clearly explains the vast security risks that come with shared hosting and gives examples of how to mitigate the risks.

I would actually recommend this book to just about any PHP programmer for the simple fact that it is a great catalog of PHP security risks to date and offers simple solutions to counter those risks. Since it is a quick read it is an excellent way to quickly see if you have your bases covered when it come to security of your PHP app. Some of the examples are a bit brief, but the fact that you have read Chris's book and been alerted to the security issue is the real value in the end. You can always go to [...] or other sites for expanded examples.

"Knowing is half the battle"

GI Joe
0Comment| 11 people found this helpful. Was this review helpful to you?YesNoReport abuse
on October 23, 2005
This book helped me identify and report a critical security vulnerability in a commercial third party PHP application we were planning to deploy in a business-critical fashion. For that alone, it was worth its weight in gold.

This books is the antidoe to the common misperception that PHP applications fall short on security. With sparkling clarity, Chris demystifies dozens of attacks and provides both solid theoretical and practical bases for coding securely in PHP. Throughout his work as a PHP security consultant, and culminating in this book, Chris has defined the lexicon for web security -- telling us precisely what it means to filter input, and precisely what it means to escape output -- as well as when, how and why. This is nothing short of a defining work on web application security as it applies specifically to PHP.

While this book does not cover using encoders (like the Zend Encoder or IonCube Encoder) to heighten security in a plain-text scripting language, every other topic you would expect to be covered is treated -- above all -- with accuracy, and all in just over a hundred pages. Where other authors might potificte to fill pages, Chris crafted this book to live up to its title -- it is indeed essential, distilled, and precise. Therefore there is little excuse from this point on to not have read it at least once, and thumb through it from time to time when developing or auditing a PHP application. I intend to make it required reading in my department, and recommend it highly to colleagues in other companies developing web applications in PHP.
0Comment| 17 people found this helpful. Was this review helpful to you?YesNoReport abuse
on November 8, 2005
This is the first technical book that I have read that doesn't obscure the topic with trivial details or complicated sentence structures with phrasing that is hard to follow. The thing I like best about the book is that it introduces a technique in detail and uses it throughout the book. Because every chapter refers back to the original "filter input, escape output" theme coupled with defense in depth, it forces the user to concentrate on a single, simple method and apply it to many different situations.

The example code segments in the book illustrate specific points described in the copy very well. Keeping the code examples simple only strengthens its meaning since the reader is not forced to analyze the code. Additional comments in the examples may be helpful for inexperienced developers.

In addition providing insight on filtering input and escaping output, Chris also gives the reader insight to a very helpful way of dealing with the filtered/escaped data within the code. This method is illustrated in all the examples, and as the reader notices it used throught the book they can learn its usefulness by example.
0Comment| 9 people found this helpful. Was this review helpful to you?YesNoReport abuse
on November 23, 2005
As far as technical books go, I liked this one. It really does get right to the point, and doesn't waste any time. But I do want to warn potential buyers that the book doesn't contain anything new to those who've been around the block a couple times. I'd say this book would only be informative to novice PHP programmers.

I've been programming with PHP for a few years now, and even when I read a book aimed at novices I usually learn something, or I'm at least reminded of some issues that I hadn't thought about in a while. I can't say the same about this book. I read it front to back within an hour, and didn't learn anything new, nor will it provide any kind of reference for future projects.

Overall I was disappointed, but that isn't necessarily the author's fault. I was just expecting something more in-depth.
0Comment| 17 people found this helpful. Was this review helpful to you?YesNoReport abuse
on December 5, 2005
I found this book very helpful. The language is easy to understand and the examples are clear and concise. The mantra 'filter input, escape output' is repeated throughout the book but is accompanied by examples of attacks and preventions. I found that repetition helpful. It is much easier to take the advice and apply it to my own needs than having a book with a finite list of applications and their possible holes.
0Comment| 6 people found this helpful. Was this review helpful to you?YesNoReport abuse
on March 17, 2012
This book has 7 chapters (Chapters 2 through 8) devoted to the 7 issues. The material is superficial, it does not cover many, many other issues related to PHP Security.

At best, the whole book feels like a quickly written computer magazine article, not a good, comprehensive book.

Not worth the money. Just do a search for "PHP Security" on the internet and read a few articles and you will know more than this book.
0Comment| 3 people found this helpful. Was this review helpful to you?YesNoReport abuse
on February 18, 2013
This is an excellent read for anyone, not just those using PHP. The provided information is very nicely laid out with very fluff but good practical understanding and application. A must read for anyone doing any professional programming.
0Comment| One person found this helpful. Was this review helpful to you?YesNoReport abuse
on April 26, 2012
About 15 years ago, PHP was still missing a lot of features that, today, programmers take for granted. PHP also lagged significantly in adding features critical to secure software.

Unfortunately, during the interim, a set of "best practices" emerged that involved doing things like salting passwords and using a function named "mysql_real_escape_string" (so named because "mysql_escape_string" and similar functions were found to be inadequate protection.) Indeed, while these were the best ideas at the time when the language lacked a lot of features, they are now considered *worst* practices, and are of little use. Instead, programmers should use parametric queries with bound parameters and bcrypt-style hashing of passwords - but the book barely mentions them at all, and relegates these superior practices to mere footnotes.

Burn this book. The author is ignorant of real security threats and is 15 years out of date.
11 comment| 3 people found this helpful. Was this review helpful to you?YesNoReport abuse