Pro PHP Security

Current Projects: PHP on XP Guide — NFO Viewer — Easy Reflections — Photon Storm — HotWire — FileGlider

Thursday, November 3. 2005

Pro PHP Security (Apress) by Chris Snyder

This is a pretty comprehensive security book and the largest currently available, with a page count of 500. Not that this is an indication of the quality of the content mind you, but it's good to know that they cover many topics in some depth.

Split into several parts you don't actually touch any real PHP code until Part 3 (page 229). The early chapters of the book cover topics such as Secure Network Connections, User Authentication, SSL, Encryption Theory and Best Practises. All general (and server / network) specific topics that could apply to any language.

But from Part 3 onwards things start to get a little more interesting. You cover Validating User Input first and then a whole host of what I consider the "regulars" such as Preventing Cross-Site Scripting, SQL Injections, Remote Execution and Session Hijacking.

Part 4 puts most of the previous theories into practise as you work through common security situations such as: "Allowing only human users", the verification of them, user roles and actions and user accountability. If you were to implement every recommendation from these chapters you could easily build up a formidable (and secure) php user management system. Considering this is the heart of nearly all web apps, this is no bad thing. The rest of the book is finished off with 4 chapters back in the more general land of security, covering "Preventing Data Loss", "Safely Executing System Commands", "Handling Remote Procedure Calls Safely" and finally "Taking Advantage of Peer Review".

If you tend to code and deploy into a secured environment, i.e. you already have a good system administrator or a managed hosting solution, then large chunks of this book won't be directly relevant to you. There is never any harm in understanding what precautions a sys admin has to go through, indeed I've heard it said that you cannot write a truly secure application unless you realise its implications across the entire server, irrespective of if you're responsible for the server or not.

The book is well presented, factual and the tone of writing is perfectly balanced and not too dry or ad-hoc. Given the rapidly increasing range of PHP related security books I'd have to say that if you want the bigger overall picture, it's worth looking at. Otherwise I'd probably direct you more towards Ilia's Guide to PHP Security.

Posted by Richard Davey in My Bookshelf at 13:56 | Comments (2) | Trackbacks (3)

Trackbacks

Trackback specific URI for this entry

No Trackbacks

Comments

Display comments as (Linear | Threaded)

Have you seen the Shiflett book? I actually like that it only has the relevant stuff - saves me time from wading through the bloat.

#1 Richard on 2005-11-05 00:53 (Reply)

I've got it on order, so it should arrive soon (Amazon.co.uk being nice and slow with a few items). I thought that the php architect book was good for the reaso you stated - i.e. it gets right down to it, no messing around. I'll post my review of that shortly!

#1.1 Richard Davey (Homepage) on 2005-11-05 01:19 (Reply)

Add Comment

Name
Email
Homepage
In reply to
Comment	HTML-Tags will be converted to Entities. Standard emoticons like :-) and ;-) are converted to images. To prevent automated Bots from commentspamming, please enter the string you see in the image below in the appropriate input box. Your comment will only be submitted if the strings match. Please ensure that your browser supports and accepts cookies, or your comment cannot be verified correctly. Enter the string from the spam-prevention image above:
	Remember Information? Subscribe to this entry