Essential PHP Security

By Paladion

December 15, 2005

Due to its simplicity and ease of deployment, the popularity of the PHP programming language in web development has soared in the last few years. But PHP developers have long overlooked security when building PHP web applications. This book by Chris Shiflett explains the essential techniques for writing secure PHP web applications.

In contrast to the 1990s fad of huge dotcom spending on 'high-end' web solutions, the 2000s have seen the rise of the open source web development platform. A new term was coined for it: LAMP, standing for Linux + Apache + MySQL + PHP / Perl / Python. PHP quickly became the most popular of these web development tools because of its simplicity, interoperability and ease of use.

This popularity has a downside as well. As with any popular programming language, poorly designed or poorly coded PHP applications can allow attackers to damage servers, users and, most importantly, information. Of late there have been numerous attacks on PHP applications that exploit insecure code. This is where Essential PHP Security comes in.

This concise 120-page book is divided into seven chapters, each of which explains a class of web application vulnerabilities and how to address it in PHP. The key security issues covered are:

  1. Cross site scripting
  2. SQL injection attacks
  3. Session hijacking and cookie theft
  4. Code and command injection
  5. Brute force and replay attacks
  6. Password sniffing and persistent logins

The book's 'attack-based' approach has its advantages. Using simple language, it comes to the point directly without wasting the reader's time or obscuring details. It is evident to readers which parts apply to them and which do not. Code examples show how attacks are carried out and how to protect against them.

Each chapter takes a specific component of a website, describes the attacks possible against that component and explains how insecure code can be misused. It then offers solutions and suggestions, with examples, for dealing with these attacks. The book also has a companion website with the errata and the code examples from the book.

On the other hand, the book is not comprehensive enough to cover all the known coding mistakes in PHP. Newer and more advanced security issues in areas like SOAP and AJAX are not covered. Some code examples are not explained in much detail, and the book has few illustrations. Novices may have trouble understanding some of the coding principles used in the solution examples.

The book sticks to its title: it covers basic, essential PHP security. The key idea Chris wants to communicate is 'filter input and escape output'. This simple discipline goes a long way toward securing PHP web applications. It is a recommended read for developers starting in PHP; regular coders may find the book useful as a reference.
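As an added illustration of that principle, the handler below is shown first in a naive form and then with its input filtered against a whitelist and its output escaped for each context. This is example code written for this review page, not code from the book or its companion site. The table, column and function names are assumptions, and the SQL step uses PDO prepared statements, which were not yet common in 2005, rather than a string-escaping function.

```php
<?php
// Added example (not from the book or the review): "filter input, escape
// output" applied to one request handler. The naive version lets raw $_GET
// values reach both the HTML page and the SQL query; the hardened version
// filters the input against a whitelist and escapes each output for the
// context it lands in. Table, column and function names are assumptions.

declare(strict_types=1);

// --- Vulnerable: untrusted input is concatenated into HTML and SQL. ---
function naiveProfile(array $get, PDO $db): string
{
    $name = $get['name'] ?? '';
    // Cross-site scripting: <script> in $name reaches the browser as markup.
    $html = "<h1>Hello, $name</h1>";
    // SQL injection: a quote in $name breaks out of the string literal.
    $stmt = $db->query("SELECT bio FROM users WHERE name = '$name'");
    $row  = $stmt->fetch(PDO::FETCH_ASSOC);
    $html .= '<p>' . ($row['bio'] ?? '') . '</p>';
    return $html;
}

// --- Hardened ---

// Filter input: accept only what the application needs and refuse the rest.
// Here a user name is 1-32 ASCII letters, digits, '_' or '-'. The is_string
// check matters because PHP hands you an array for a URL like ?name[]=x.
function filterUsername($raw): ?string
{
    if (!is_string($raw) || preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $raw) !== 1) {
        return null; // invalid: do not try to "clean" it, just reject it
    }
    return $raw;
}

// Escape output for the HTML body and attribute context.
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function hardenedProfile(array $get, PDO $db): string
{
    $name = filterUsername($get['name'] ?? null);
    if ($name === null) {
        http_response_code(400);
        return '<p>Invalid user name.</p>';
    }

    // "Escape" for the SQL context by keeping data out of the query text
    // altogether: a bound parameter (assumption: PDO, not the book's own API).
    $stmt = $db->prepare('SELECT bio FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Escape every value where it leaves the application, including data read
    // back from the database, which is untrusted too.
    $html  = '<h1>Hello, ' . escapeHtml($name) . '</h1>';
    $html .= '<p>' . escapeHtml((string) ($row['bio'] ?? '')) . '</p>';
    return $html;
}

// --- Demonstration with an in-memory SQLite database (constructed sample data). ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, bio TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'Likes <b>bold</b> claims')");

$sqli = ['name' => "x' OR '1'='1"];              // tautology aimed at the SQL side
$xss  = ['name' => '<script>alert(1)</script>']; // markup aimed at the browser

// The naive handler leaks alice's row to the tautology and reflects the script tag.
echo naiveProfile($sqli, $db), "\n";
echo naiveProfile($xss, $db), "\n";

// The hardened handler rejects both at the filter and escapes what it does emit.
echo hardenedProfile($sqli, $db), "\n";
echo hardenedProfile($xss, $db), "\n";
echo hardenedProfile(['name' => 'alice'], $db), "\n";
```

Run it with `php example.php` on any PHP build that has the pdo_sqlite extension. Both attack inputs fail the whitelist, so the hardened handler never reaches the query; the legitimate request returns alice's bio with its embedded `<b>` tags rendered as text, because the database value is escaped on the way out rather than trusted because it was stored.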

Tags: Review