| Author | Ilia Alshanetsky |
| Publisher | Marco Tabini & Associates, Inc |
| Year | 2005 |
| ISBN | 0973862106 |
| Pages | 201 |
Core PHP developer on security. Covers both PHP 4 & 5.
From table of contents
# Input validation
# Cross-site Scripting Prevention
# SQL Injections
# Code Injections
# Command Injections
# Session Securitiy
# Securing File Access
# Security Through Obscurity
# Sandboxes and Tar Pits
# Securing Your Applications
A sentence in the introduction best sums up what this book is about, “..two goals: to explain the common types of security shortcomings that plagues PHP applications and to provide simple and efficient remedies to those problems”. On both goals I think Ilia has succeded. Chapter by chapter he takes the reader through common issues of web based PHP apps, and shows scenarios when an application can become vunerable.
Code samples are kept short and to the point. There is also a fair amount of discussion around PHP settings, and when they can be a help or even a hinderance. Various remedies are provided, with discussion of pros and cons on criteria such as efficiency.
The final chapter provides a wide ranging checklist of steps to follow when dealing with an exisiting system. It is based on the 9 chapters before, and provides a framework for a system security review. A very good overview. The writing is style is well balanced given the subject matter which could make for a dry read, but it also avoids being too light.
On occasion I found the need to stop, and go back for a 2nd or 3rd read of a particular section for greater clarity. This is not a book for a PHP/programming newbie, as it assumes a fair amount of programming knowledge and experience.
Recommended for anyone putting their code out to face the public. Best summed up by a quote from page 35. “Trusting a user is like placing a 5-year old behind the wheel of a monster truck : there’s just too much potential for mayhem.”