O’Reilly Releases “Essential PHP Security”

Farnham, UK: With PHP's transition from a set of tools for personal home page development to one of the world's most widely used web programming languages, PHP developers have acquired some new concerns, such as performance, maintainability, scalability, reliability, and, perhaps most important, security. "Traditionally, security has been a topic of concern for network, database, and systems engineers," says Chris Shiflett, author of the new book "Essential PHP Security" (O'Reilly). "Over time, there has been a shift in focus up the protocol stack, and web developers now find themselves primarily responsible for the security of critical applications."

As Shiflett explains, unlike language features such as conditional expressions and looping constructs, security is abstract. He says that it is not so much a characteristic of a language as it is a characteristic of a developer: no language can prevent insecure code, although there are language features that can aid or hinder a security-conscious developer. His book teaches developers how to write secure PHP code; however, the topics and techniques apply just as readily to other web development technologies, because the attacks it covers target the application's handling of input, output, and state rather than any property of PHP itself.

Andi Gutmans, PHP architect and co-founder of Zend Technologies, writes in his foreword to the book that security is crucial for PHP. "Recently, there have been numerous security alerts around PHP. But, in fact, the majority of them are not a result of flaws in PHP itself, but are due to improper and insecure uses of PHP by applications developers," says Gutmans. He says that, unlike in the Java or .NET space, the PHP community releases dozens of PHP applications to the open source community, such as content management systems, e-commerce systems, and forums. When security bugs appear in those applications, they are often confused with the PHP technology itself, hurting the perception of PHP in the marketplace.

It's no easy task to ensure that all PHP developers are up to speed with security practices, a task made harder by the lack of materials dedicated to the subject and the absence of simple rules for dos and don'ts. But there is hope, as Gutmans points out: "Chris Shiflett, the author of this book, has dedicated his career to improving PHP application-level security. With 'Essential PHP Security' Chris brings long-needed security guidelines to PHP developers everywhere." This much-needed, much-requested book explains the most common types of attacks and how to write code that can withstand them. Each chapter in the book covers an aspect of web application development (such as form processing, database programming, session management, and authentication). The chapters provide examples of potential attacks and then explain techniques to prevent those attacks.

Topics covered include:

- Preventing cross-site scripting (XSS) vulnerabilities
- Protecting against SQL injection attacks
- Complicating session hijacking attempts

Given the growing frequency of attacks on web sites, it's more critical than ever to know how to write code that isn't susceptible to them. This focused book offers developers a deeper understanding and appreciation of the safeguards they can put in place.

Additional Resources:

Chapter 4, “Sessions and Cookies,” is available online at:
http://www.oreilly.com/catalog/phpsec/chapter/index.html

For more information about the book, including table of contents, index, author bio, and samples, see:
http://www.oreilly.com/catalog/phpsec/

For a cover graphic in JPEG format, go to:
ftp://ftp.ora.com/pub/graphics/book_covers/hi-res/059600656X.jpg

Essential PHP Security
Chris Shiflett
ISBN: 0-596-00656-X, 109 pages, $29.95, £20.95
