Loading ...
Sorry, an error occurred while loading the content.

REVIEW: "Essential PHP Security", Chris Shiflett

Expand Messages
  • Rob, grandpa of Ryan, Trevor, Devon & Han
    BKEPHPSC.RVW 20071123 Essential PHP Security , Chris Shiflett, 2006, 0-596-00656-X, U$29.95/C$41.95 %A Chris Shiflett shiflett.org %C 103 Morris Street,
    Message 1 of 1 , Mar 31, 2008
      BKEPHPSC.RVW 20071123

      "Essential PHP Security", Chris Shiflett, 2006, 0-596-00656-X,
      %A Chris Shiflett shiflett.org
      %C 103 Morris Street, Suite A, Sebastopol, CA 95472
      %D 2006
      %G 0-596-00656-X
      %I O'Reilly & Associates, Inc.
      %O U$29.95/C$41.95 707-829-0515 fax: 707-829-0104 nuts@...
      %O http://www.amazon.com/exec/obidos/ASIN/059600656X/robsladesinterne
      %O http://www.amazon.ca/exec/obidos/ASIN/059600656X/robsladesin03-20
      %O Audience s- Tech 2 Writing 1 (see revfaq.htm for explanation)
      %P 109 p.
      %T "Essential PHP Security"

      PHP is an acronym (albeit a somewhat recursive one, standing for PHP:
      Hypertext Preprocessor) but neither the foreword, preface, book, nor
      index expands it. Similarly, the intent of the book is not clarified
      in either the foreword or the preface.

      Chapter one does state that the purpose of the text is to teach how to
      write secure code (with security left undefined) using features unique
      to PHP. However, only two such distinctive functions are listed in
      this section, and they are not explained very well. (Three appendices
      at the end of the work do list some PHP commands related to the
      security conventions noted.) More space is devoted to general
      application development principles and practices for safe programming.
      Even there the solutions provided are outlined in terms of source code
      rather than text, and the content requires an intimate knowledge of
      PHP in order to derive value from the lessons presented. In
      discussing forms and URLs (Uniform Resource Locators), chapter two
      distinguishes between filtered and tainted data, as well as GET and
      POST form submissions, but does not initially examine the possibility
      of user observation and deliberate malforming of submitted data.
      Where details are provided on security, they are introduced with
      coding examples, and, again, the effectiveness of the proposed
      solutions are unclear unless the reader is well familiar with PHP
      internals. The database and SQL (Structured Query Language)
      programming styles suggested in chapter three are good, but it is far
      from clear that the filtering recommended will, in fact, prevent all
      possibility of SQL injection attacks. Chapter four examines sessions
      and cookies: the explanations here also rely on understanding the
      source code.

      Chapter five, in talking about includes, is mostly concerned with
      placing the files outside the root directory. Much the same emphasis
      is present in regard to files and commands (particularly with respect
      to file traversal) in chapter six, although there is some discussion
      of command injection. Once again, the specifics in regard to
      authentication and authorization are material only in the source code
      examples in chapter seven. The text of chapter eight explicitly
      admits that the ability to address security issues in shared hosting
      environments is weak.

      For those who are thoroughly experienced in PHP programming, this book
      does recommend styles that can result in more secure Web applications.
      However, novice programmers, or even programmers experienced in other
      languages, will have difficulty using the material effectively.

      copyright Robert M. Slade, 2007 BKEPHPSC.RVW 20071123

      ====================== (quote inserted randomly by Pegasus Mailer)
      rslade@... slade@... rslade@...
      In answer to the question of why it happened, I offer the modest
      proposal that our Universe is simply one of those things which
      happen from time to time. - Edward P. Tryon
    Your message has been successfully submitted and would be delivered to recipients shortly.