"Essential PHP Security", Chris Shiflett, 2006, 0-596-00656-X,
%A Chris Shiflett shiflett.org
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%I O'Reilly & Associates, Inc.
%O U$29.95/C$41.95 707-829-0515 fax: 707-829-0104 nuts@...
%O Audience s- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 109 p.
%T "Essential PHP Security"
PHP is an acronym (albeit a somewhat recursive one, standing for PHP:
Hypertext Preprocessor) but neither the foreword, preface, book, nor
index expands it. Similarly, the intent of the book is not clarified
in either the foreword or the preface.
Chapter one does state that the purpose of the text is to teach how to
write secure code (with security left undefined) using features unique
to PHP. However, only two such distinctive functions are listed in
this section, and they are not explained very well. (Three appendices
at the end of the work do list some PHP commands related to the
security conventions noted.) More space is devoted to general
application development principles and practices for safe programming.
Even there the solutions provided are outlined in terms of source code
rather than text, and the content requires an intimate knowledge of
PHP in order to derive value from the lessons presented. In
discussing forms and URLs (Uniform Resource Locators), chapter two
distinguishes between filtered and tainted data, as well as GET and
POST form submissions, but does not initially examine the possibility
of user observation and deliberate malforming of submitted data.
Where details are provided on security, they are introduced with
coding examples, and, again, the effectiveness of the proposed
solutions is unclear unless the reader is well familiar with PHP
internals. The database and SQL (Structured Query Language)
programming styles suggested in chapter three are good, but it is far
from clear that the filtering recommended will, in fact, prevent all
possibility of SQL injection attacks. Chapter four examines sessions
and cookies: the explanations here also rely on understanding the
Chapter five, in talking about includes, is mostly concerned with
placing the files outside the root directory. Much the same emphasis
is present in regard to files and commands (particularly with respect
to file traversal) in chapter six, although there is some discussion
of command injection. Once again, the specifics in regard to
authentication and authorization appear only in the source code
examples in chapter seven. The text of chapter eight explicitly
admits that the ability to address security issues in shared hosting
environments is weak.
For those who are thoroughly experienced in PHP programming, this book
does recommend styles that can result in more secure Web applications.
However, novice programmers, or even programmers experienced in other
languages, will have difficulty using the material effectively.
copyright Robert M. Slade, 2007 BKEPHPSC.RVW 20071123