PHP Security Collection
By John Coggeshall, Clancy Malcolm
Publisher: O'Reilly Media
Released: May 2004

The nice thing about the Internet is that anyone can access your web site. This can also be a drawback. PHP (and the other components of LAMP) make it very easy to produce a functional, useful website.

Of course, "easy" and "secure" are orthogonal concepts.

If you care about your data or your customers' data, you need to think about security. How can you keep out the bad guys? How can you prevent and, if needed, recover from errors? How will you know if things are working correctly or if someone is snooping around in the dark corners of your site?

This collection of articles from the PHP Dev Center on ONLamp.com answers these questions and more. John Coggeshall, the PHP Foundations columnist, explores the techniques crackers might use to exploit your site and demonstrates not only how to thwart those attacks but how to think preventatively. Clancy Malcolm, an experienced open source consultant and developer, presents ten practical techniques to make sure your code and sites are secure.

Security is a process and, unfortunately, often a race through dark places. You don't know who's out there and what they know. You can, however, be confident that you've minimized your risks. This collection will help.


Customer Reviews

Average rating: 3.5 (based on 2 reviews)

Ratings Distribution
  • 5 Stars (0)
  • 4 Stars (1)
  • 3 Stars (1)
  • 2 Stars (0)
  • 1 Star (0)

Reviewed by 2 customers

(1 of 1 customers found this review helpful)

3.0

Practical PHP Security

By Cousin Vinny, from Miami, FL

About Me: Educator

Verified Reviewer

Pros
  • Concise
  • Easy to understand
  • Helpful examples

Cons

Best Uses
  • Intermediate

Comments about oreilly PHP Security Collection:

It is a practical article covering the basics of PHP security. The content may be a bit stale.

Basically, it has two checklists of ten items each that a PHP developer has to watch out for in terms of securing their web applications. It has examples and code that you can immediately put to use.

It has three other short articles also. One is about not trusting data. Two, the dangers behind executing system calls. Three, using PHP's error reporting functions to the developer's advantage while at the same time preventing malicious use of such data.

Overall, I found it a useful and practical collection of articles focusing on PHP security.

(2 of 2 customers found this review helpful)

4.0

PHP Security Collection

By Frederick J Eccher Jr, from Undisclosed

Comments about oreilly PHP Security Collection:

PHP Security Collection

By John Coggeshall, Clancy Malcolm

PDF Price: $5.95 USD
First Edition: April 2004
Format: PDF
ISBN: 0-596-00741-8
Pages: 25

Description: This collection of articles from the PHP Dev Center on ONLamp.com examines security issues with PHP. John Coggeshall, the PHP Foundations columnist, explores the techniques crackers might use to exploit your site and demonstrates not only how to thwart those attacks but how to think preventatively. Clancy Malcolm, an experienced open source consultant and developer, presents ten practical techniques to make sure your code and sites are secure.

Everything is true in the description above. The PHP Security Collection is one of many keys to PHP Security. It is a good way to improve the security experience of beginners to experts. Even experts should consider the price a steal if their security collection is to be thorough.

A number of the learning issues are explained in a series of good examples. I think it is important to develop code in general using the same thought processes the authors use.

My experience agreed with almost everything written. I am a member of a user group with a specialty in security. We work with concepts and code like this every month. Most members are developers and deal with this every working day. I appreciate the short and sweet code and explanation[s].

The topics start with an introduction on "Programming in Public". This quote: "Of course, "easy" and "secure" are orthogonal concepts." threw me right away. In linear algebra, my teacher made certain I knew what orthogonal meant. I did a web search and the definition remains the same: independent in the sense of right angles. Here is one slightly different definition related to language and not math: Definition of orthogonality, [1] Informally, a collection of language features is orthogonal if they are independent; [2] That is, features are orthogonal if no feature is a consequence of any one of the other features; [3] Formally, a collection of features is orthogonal if for every subset, there is a language that possesses that subset of features and no features in the complementary subset.

Source: 1998 Edward F. Gehringer CSC 517/ECE 517 Lecture Notes, Spring 1998

Here is another slightly different definition:

"the property of an experimental design that ensures [one] factor can be evaluated without confounding the effects on the response."

Source: http://www.gpsqtc.com/library/mnopq.shtml

Ease and security are not orthogonal concepts. They are not independent in the sense of secure web sites or applications. Let's skip this one and move on to: "Security is a process and, unfortunately, a race through dark places." This is not exactly right on either. It is a process. It should not be a race. It should not take the developer through dark places. All right, all right, probably just poetic license trying to see how many people actually read introductions.

The 5 chapters are written clearly. I like that about this book. No long-winded explanations of useless trivia here. Get right to the point and stay there. The code is clear and helps in understanding the issues presented by the authors. Some of the points needed more code. In "What to look for" on page 4 of 25, 'file' has enough of a coded explanation but 'readfile', 'fopen', 'include', and 'require' do not. Having a little more code would help beginners who might not know where to go to figure out what to do when "what to look for" returns a positive result.

The topics are useful and helpful in just about any language. They are specific to PHP in a few instances, but most are general issues that need to be taken care of with any programming language. On page 11, "Beyond the Code - A strong security design" might have been a little too brief. Three bullet points will not scratch the surface of a strong security design. I would have dropped that section entirely.

When I read the first sentence in PHP Security, Part 1, I knew something was up. I searched for the article and found this: "In my last two columns (Common Style Mistakes, part one and Common Style Mistakes, part two), I discussed some common bad practices to avoid when writing PHP scripts which can make them more difficult to read and more prone to bugs." So in the third chapter of the book, a generic reference to what looks like the previous two chapters is really to two other articles. HMMMMMMMMM.

I thought the discriminations made about the PHP error model, messages, and caveats were very important. Custom error handlers are an interesting set of issues with a bit of good code for explanation. This is valuable knowledge worth your time to read and digest as thoroughly as possible.

The book is in .PDF format. I like that feature. You can buy this online through the O'Reilly shopping cart and then download it.

The 25+ pages were easy to read and understand. I read it in one evening. There were a few typos and grammar errors, but not very many. The book is for someone who is a little more than a beginner. More experienced people should look it over to make sure they are up to speed with these authors.

I would give this book 4 out of 5 stars. I recommend this book for everyone starting with a journeyman [more than a complete beginner] and moving through the rest of the ranks of experience. Since it is such a quick and easy read, you might be missing something unless you check your knowledge against these experts.

Frederick J Eccher Jr, November 25, 2006

MBA
M.S. Management of Information Systems
A.B. Psychology
B.A. Biology
President, Board of Directors, Saint Louis Visual Basic Users Group

Buying Options
Ebook: $5.95
Formats: PDF