- Paperback: 126 pages
- Publisher: O'Reilly Media; 1 edition (October 23, 2005)
- Language: English
- ISBN-10: 059600656X
- ISBN-13: 978-0596006563
- Product Dimensions: 7 x 0.3 x 9.2 inches
- Shipping Weight: 8 ounces (View shipping rates and policies)
- Average Customer Review: 36 customer reviews
- Amazon Best Sellers Rank: #1,299,508 in Books (See Top 100 in Books)
Enter your mobile number or email address below and we'll send you a link to download the free Kindle App. Then you can start reading Kindle books on your smartphone, tablet, or computer - no Kindle device required.
To get the free app, enter your mobile phone number.
Other Sellers on Amazon
+ Free Shipping
+ $3.99 shipping
Essential PHP Security Paperback – October 20, 2005
|New from||Used from|
Frequently bought together
Customers who bought this item also bought
About the Author
Chris Shiflett, an internationally recognized expert in the field of PHP security, is the founder and President of Brain Bulb, a PHP consultancy. Chris has been developing web applications with PHP for several years and regularly speaks at OSCON, ApacheCon, and PHP users conferences in North America. He is the author of the HTTP Developer's Handbook (Sams) and writes frequently about web application security. As an open source advocate, he maintains several open source projects and is a member of the PHP development team.
Try the Kindle edition and experience these great reading features:
Read reviews that mention
Showing 1-8 of 36 reviews
There was a problem filtering reviews right now. Please try again later.
Chris' book is great. It's chocked full of easy to understand explanations and little five line code fragments to demonstrate what he's explaining. Sure enough, if you read the whole thing, you'll understand the essentials of PHP Security. Hey - perhaps that explains the title?
Do I need this book if my company already uses web scanning security software? Yes - you won't understand the problems that those products identify if you don't understand PHP security basics. If you don't understand reported errors, You'll be tempted to ignore or suppress warnings that you don't understand. Chris' book will give you the knowledge that you need in a few easy to follow pages.
There are a few ommissions. They include:
OMISSION #1: The book should mention somewhere that many of the security vulnerabilities it describes are not unique to PHP - especially big ones like cross-site scripting and SQL injection. While PHP has some vulnerabilities that other languages do not (and vis-versa), Java, C#, Ruby, and all the other server-side languages can also be attacked with cross-site scripting, SQL injection, session spoofing, cookie theft, backdoor URLs, etc., etc.
OMISSION #2: The book would have benefited from the addition of a page of system administration best practices to improve security rather than confining itself only to coding best practices. For example, it's easy for developers to accidentally open security holes by making very small changes to the PHP.ini file. A good best practice is to use the operating system to restrict access to that file in the production environment. Or it would have good to see Chris distill role-based security administration policies, logging, or remote procedure call policies down to just the most important principles. He has a knack for filtering out the noise, and if he had added that additional 86th page, I swear I would have read it too.
OMISSION #3: It's worth mentioning how modular design has a very big impact on the number of vulnerabilities inside an application. This is especially important for PHP, because PHP code is often a little more haphazard than code written in other languages - primarily because of the culture that surrounds PHP but also for a few other reasons (we cover those reasons in the PHP Chapter of our own book on the strengths and weaknesses of various technologies).
These criticisms are very minor. The book is short, easy-to-read, and filled with information that is absolutely essential to know if you are to responsibly deploy a server-side PHP application. Look at the table of contents. If you're not familiar with those terms, you'd better get the book.
Web Service and SOA Technologies
It was a shorter book than I was expecting (yes, that's my goof for not noticing the page count when I purchased it) however I'm glad that I didn't notice that fact before purchasing otherwise I might have overlooked it as more of a reference book rather than a teaching book. I was very happy with the book and would recommend it to anyone interested in some solid best practices for PHP security.
Unfortunately, during the interim, a set of "best practices" emerged that involved doing things like salting passwords and using a function named "mysql_real_escape_string" (so named because "mysql_escape_string" and similar functions were found to be inadequate protection.) Indeed, while these were the best ideas at the time when the language lacked a lot of features, they are now considered *worst* practices, and are of little use. Instead, programmers should use parametric queries with bound parameters and bcrypt-style hashing of passwords - but the book barely mentions them at all, and relegates these superior practices to mere footnotes.
Burn this book. The author is ignorant of real security threats and is 15 years out of date.
At best, the whole book feels like a quickly written computer magazine article, not a good, comprehensive book.
Not worth the money. Just do a search for "PHP Security" on the internet and read a few articles and you will know more than this book.