I have announced this book when it was first published in December 2005, Nine years ago or almost ! Today we are sharing with you a more detailed review of this great book by Chris Shiflett, as I consider it as a reference for the PHP Security.
The first chapter is an introduction with generalities that you should know about PHP, PHP features, some default values, error reporting, exceptions .. etc. The most interesting in this part are the principles that Chris shared to develop secure applications which are :
- Defense in depth
- Least privilege
- Simple is beautiful
- Minimize exposure
Followed by some practices that you can use to develop secure applications. These practice are very clear and very well explained. If you focus just on this first chapter, you may reduce lots of insecurities from your apps and keep them more secure.
Second chapter focus on Forms and URLs, the reason why it cover XSS and CSRF among other common attacks. The first part dedicated to forms and data, and the second to semantic URL attacks. Then the file upload attacks, XSS and CSRF. Last but not least, the spoofed form submissions and HTTP requests.
The third chapter titled “Databases and SQL” as most PHP applications use databases and it’s very easy to fall into one of these “vulnerabilities”. The first issue is related to exposed access credentials, as some developers use default passwords or store credentials in an insecure files. Followed by SQL injection that you can protect yourself from it using prepared statements and parametrized queries as well as correctly configuring the connection. As the book was published in 2005, you will find the old-fashion of protecting from SQL injection which work also.
Securing your data and your database could be covered in a separate book, that’s why it’s not covered in this PHP security essentials.
Forth chapter talk about session and cookies, and the inherent risks associated with stateful web applications. The concept is very well explained and you will learn the basics steps to protect your users from these insecurities.
Chapter five and six discusses some general issues such includes, files and commands. Lots of generalities with very well explained samples.
The chapter seven is the most interesting one to most PHP developers, which is Authentication and Authorization. The chapter covered brute force attacks, password sniffing, replay attacks, and finally persistent logins.
A whole chapter is then dedicated to shared hosting, which covers the primary risks associated with shared hosting. Lots of work here is specific to infrastructure and not PHP, the reason why the book covered only few issues such as exposed source code, session data, session injection, filesystem browsing, and safe mode.
Overall, even if the book looks very old, the same old bugs and insecurities are available today. I’ll profit to ping Chris, if he’ll be curious to update his book ! Lots of new stuff could be added, such as some practical tips and tricks that most system admins used to do to keep their PHP installation safe and secure.
Order Essential PHP Security from Amazon if you did not already 😉