Essential PHP Security

A Guide to Building Secure Web Applications

Larger Cover

A Guide to Building Secure Web Applications

By Chris Shiflett

Publisher: O'Reilly Media

Released: October 2005

Pages: 128

Being highly flexible in building dynamic, database-driven web applications makes the PHP programming language one of the most popular web development tools in use today. It also works beautifully with other open source tools, such as the MySQL database and the Apache web server. However, as more web sites are developed in PHP, they become targets for malicious attackers, and developers need to prepare for the attacks.

Security is an issue that demands attention, given the growing frequency of attacks on web sites. Essential PHP Security explains the most common types of attacks and how to write code that isn't susceptible to them. By examining specific attacks and the techniques used to protect against them, you will have a deeper understanding and appreciation of the safeguards you are about to learn in this book.

In the much-needed (and highly-requested) Essential PHP Security, each chapter covers an aspect of a web application (such as form processing, database programming, session management, and authentication). Chapters describe potential attacks with examples and then explain techniques to help you prevent those attacks.

Topics covered include:

Preventing cross-site scripting (XSS) vulnerabilities
Protecting against SQL injection attacks
Complicating session hijacking attempts

You are in good hands with author Chris Shiflett, an internationally-recognized expert in the field of PHP security. Shiflett is also the founder and President of Brain Bulb, a PHP consultancy that offers a variety of services to clients around the world.

Chapter 1 Introduction
1. PHP Features
2. Principles
3. Practices
Chapter 2 Forms and URLs
1. Forms and Data
2. Semantic URL Attacks
3. File Upload Attacks
4. Cross-Site Scripting
5. Cross-Site Request Forgeries
6. Spoofed Form Submissions
7. Spoofed HTTP Requests
Chapter 3 Databases and SQL
1. Exposed Access Credentials
2. SQL Injection
3. Exposed Data
Chapter 4 Sessions and Cookies
1. Cookie Theft
2. Exposed Session Data
3. Session Fixation
4. Session Hijacking
Chapter 5 Includes
1. Exposed Source Code
2. Backdoor URLs
3. Filename Manipulation
4. Code Injection
Chapter 6 Files and Commands
1. Traversing the Filesystem
2. Remote File Risks
3. Command Injection
Chapter 7 Authentication and Authorization
1. Brute Force Attacks
2. Password Sniffing
3. Replay Attacks
4. Persistent Logins
Chapter 8 Shared Hosting
1. Exposed Source Code
2. Exposed Session Data
3. Session Injection
4. Filesystem Browsing
5. Safe Mode

Appendix A Configuration Directives
1. allow_url_fopen
2. disable_functions
3. display_errors
4. enable_dl
5. error_reporting
6. file_uploads
7. log_errors
8. magic_quotes_gpc
9. memory_limit
10. open_basedir
11. register_globals
12. safe_mode
Appendix B Functions
1. eval()
2. exec()
3. file()
4. file_get_contents()
5. fopen()
6. include
7. passthru()
8. phpinfo()
9. popen()
10. preg_replace()
11. proc_open()
12. readfile()
13. require
14. shell_exec()
15. system()
Appendix C Cryptography
1. Storing Passwords
2. Using mcrypt
3. Storing Credit Card Numbers
4. Encrypting Session Data
About the Author
Colophon

Title:

Essential PHP Security

By:

Chris Shiflett

Publisher:

O'Reilly Media

Formats:

Print
Ebook
Safari Books Online

Print:

October 2005

Ebook:

February 2009

Pages:

128

Print ISBN:

978-0-596-00656-3

| ISBN 10:

0-596-00656-X

Ebook ISBN:

978-0-596-10461-0

| ISBN 10:

0-596-10461-8

Colophon

About the AuthorChris Shiflett is an internationally recognized expert in the field of PHP security and the founder and president of Brain Bulb, a PHP consultancy that offers a variety of services to clients around the world.Chris is a leader in the PHP community. He is the founder of the PHP Security Consortium, the founder of PHPCommunity.org, a member of the Zend PHP Advisory Board, and an author of the Zend PHP Certification.A prolific writer, Chris has regular columns in both PHP Magazine and php|architect and is the author of HTTP Developer's Handbook (Sams).

ColophonOur look is the result of reader comments, our own experimentation, and feedback from distribution channels. Distinctive covers complement our distinctive approach to technical topics, breathing personality and life into potentially dry subjects.

The animal on the cover of Essential PHP Security is a monitor lizard (Varanus). It is a reptile found in the tropical and arid settings of Africa, Australia, Southern Asia, and the Malay Archipelago. There are approximately 50 species of monitor lizards, which are believed to have evolved from a common ancestor 45 million years ago. Depending on the species, monitors vary in coloring, markings, size, and weight. The largest monitor lizard is the Komodo dragon, which can weigh as much as 364 pounds and be up to 9 feet long. The smallest, the short-tailed monitor, is only around 3 inches long. Monitors are characterized by a flat head with a bony skull, which protects their brains from damage when they swallow their prey whole. Other characteristics include long, sharp claws and knife-like teeth that are curved inward.

Their diet consists of such fare as snails, beetles, grasshoppers, scorpions, crabs, fish, crocodile and bird eggs, and small rodents. Larger monitors will dine on carrion.

The monitor lizard holds its head up, giving it the appearance of being alert. When threatened, it intimidates its predators by inflating its throat and hissing loudly, while contracting its rib cage to make its body appear larger. Typically, a monitor's first reaction is to flee from danger, but it can become an aggressive opponent if cornered. Its strong jaws enable it to inflict serious wounds to enemies and prey alike. A monitor will also rear back on its hind legs and use its tail to deliver a stinging blow when attacking. Unlike some of its reptile cousins, a monitor cannot regenerate a new tail if it loses the one it was born with.

During breeding, males will become aggressive and fight for females. The female monitor typically lays 7 to 35 leathery eggs and, depending on the species, will make a nest in holes on riverbanks or in trees. Monitors that lay eggs on land cover their eggs with rotting vegetation to keep them warm. Eggs incubate for 8 to 10 weeks; the young cut their way out of the shells using a sharp egg tooth.

To date, it is legal to own monitor lizards as pets in the United States without a permit. However, the American Federation of Herpetoculturists (AFH) provides guidelines for potential owners that include keeping the lizards in escape-proof cages with good ventilation and handling larger species only when in the presence of another person. When handled from a young age by humans, monitors can become quite tame and adapt well to captivity. Potential owners should not be squeamish about feeding them a steady diet of live rodents.

Marlowe Shaeffer was the production editor for Essential PHP Security, and Norma Emory was the copyeditor. Jansen Fernald proofread the book. Jamie Peppard and Claire Cloutier provided quality control. Angela Howard wrote the index.

Karen Montgomery designed the cover of this book, based on a series design by Edie Freedman. The cover image is a 19th-century engraving from the Dover Pictorial Archive. Karen Montgomery produced the cover layout with Adobe InDesign CS using Adobe's ITC Garamond font.

David Futato designed the interior layout. This book was converted by Andrew Savikas to FrameMaker 5.5.6 with a format conversion tool created by Erik Ray, Jason McIntosh, Neil Walls, and Mike Sierra that uses Perl and XML technologies. The text font is Linotype Birka; the heading font is Adobe Myriad Condensed; and the code font is LucasFont's TheSans Mono Condensed. The illustrations that appear in the book were produced by Robert Romano, Jessamyn Read, and Lesley Borash using Macromedia FreeHand MX and Adobe Photoshop CS. The tip and warning icons were drawn by Christopher Bing. This colophon was written by Jansen Fernald.The production editors for Book Title, eMatter Edition were Ellie Cutler and Jeff Liggett. Linda Walsh was the product manager. Kathleen Wilson provided design support. Lenny Muellner, Mike Sierra, Erik Ray, and Benn Salter provided technical support. This eMatter Edition was produced with FrameMaker 5.5.6.

Description

Table of Contents

Product Details

About the Author

Colophon

Recommended for You

Recently Viewed

Oracle PL/SQL Programming: Guide to Oracle8i Featu

By Steven Feuerstein

October 1999

Programming Collective Intelligence

Building Smart Web 2.0 Applications

By Toby Segaran

August 2007

Ebook: $31.99

Print & Ebook: $43.99

Print: $39.99

DNS and BIND, 4th Edition

By Paul Albitz, Cricket Liu

April 2001

Customer Reviews

REVIEW SNAPSHOT®

by PowerReviews

oreilly Essential PHP Security

4.3

(based on 3 reviews)

REVIEWS

Reviewed by 3 customers

Sort by

Displaying reviews 1-3

7/26/2008

(2 of 2 customers found this review helpful)

4.0

Chilling book

By Anonymous

from Undisclosed

Comments about oreilly Essential PHP Security:

I'm no newbie to computer security, but sometimes I feel like reading a good book about security instead of surfing the web for bits and pieces of security-related articles. And this had good reviews, so...

The book started off with the basic stuff: Don't trust input, always escape output, etc. Very basic. In fact I wondered if this book was a little too basic.

And then, with each progressive chapter, my attitude slowly changed from "yeah, yeah", to "hmmmm", to "oops".

It's not only because the author mercilessly brings up exploit after exploit, saying "did you think about this? and how about this, did you think about that?"; it's also because he explains why it's important, how to exploit it, and what people can do to your site if you didn't think about that.

Now, I'll go back to my PHP code and rewrite, oh, one or two classes. Or more.

10/28/2007

(1 of 1 customers found this review helpful)

4.0

Very good introduction!

By Leam Hall

from Undisclosed

Comments about oreilly Essential PHP Security:

While smaller than many O'Reilly titles the author wastes no time in helping the new PHP programmer write more secure code. Once you get the best practices in the first chapter down, the other seven chapters each deal with a specific class of vulnerability. You can read chapters 2-8 in any order, and you'll spend some time with the appendices too.

I confess, this book made me want to go back over my code and refactor it from the ground up! Chris gives really easy ways to prevent the more common attacks any internet site faces. A day to a day and a half to read this book and then build your habit library will take you far in building more secure PHP code.

6/27/2006

(3 of 3 customers found this review helpful)

5.0

Change Your Outlook on Security

By Evan Broder

from Undisclosed

Comments about oreilly Essential PHP Security:

Chris Shiflett recently visited our local PHP Users Group, and after the meeting, I was inspired to buy his book in preparation for a big PHP project.

Without a doubt this has changed how I view security. Before, I was aware of potential holes; I knew what SQL injection was. After reading this book, though, I feel like I have a true grasp on what I have to do to make my code secure.

In fact, I even see the difference when I look at my old code. I see potential problems.

After reading this book, some might say that Chris teaches you to be paranoid, but I would argue that he teaches you to be thorough.

I highly recommend this book for anyone with a little PHP experience.

Displaying reviews 1-3

Save a Tree - Go Digital what is this?

Ebook: $23.99

Formats: DAISY, ePub, Mobi, PDF

Print & Ebook: $32.95

Print: $29.95

Safari Books Online - Read now >

Chapter 1 Introduction

PHP Features

Principles

Practices

Chapter 2 Forms and URLs

Forms and Data

Semantic URL Attacks

File Upload Attacks

Cross-Site Scripting

Cross-Site Request Forgeries

Spoofed Form Submissions

Spoofed HTTP Requests

Chapter 3 Databases and SQL

Exposed Access Credentials

SQL Injection

Exposed Data

Chapter 4 Sessions and Cookies

Cookie Theft

Exposed Session Data

Session Fixation

Session Hijacking

Chapter 5 Includes

Exposed Source Code

Backdoor URLs

Filename Manipulation

Code Injection

Chapter 6 Files and Commands

Traversing the Filesystem

Remote File Risks

Command Injection

Chapter 7 Authentication and Authorization

Brute Force Attacks

Password Sniffing

Replay Attacks

Persistent Logins

Chapter 8 Shared Hosting

Exposed Source Code

Exposed Session Data

Session Injection

Filesystem Browsing

Safe Mode

Appendix A Configuration Directives

allow_url_fopen

disable_functions

display_errors

enable_dl

error_reporting

file_uploads

log_errors

magic_quotes_gpc

memory_limit

open_basedir

register_globals

safe_mode

Appendix B Functions

eval()

exec()

file()

file_get_contents()

fopen()

include

passthru()

phpinfo()

popen()

preg_replace()

proc_open()

readfile()

require

shell_exec()

system()

Appendix C Cryptography

Storing Passwords

Using mcrypt

Storing Credit Card Numbers

Encrypting Session Data

About the Author

Colophon

Chris Shiflett

About O'Reilly

Community