Slashdot Mirror
Pro PHP Security
Michael J. Ross writes "The global accessibility of Web sites is a double-edged sword: At the same time that your online e-commerce site is open for business to anyone with an Internet connection, it is also open to malicious attack. Web sites based upon the popular language PHP, are no exception. Thus, it is both astonishing and worrisome that there are currently so few books devoted to PHP security — particularly ones that go beyond the handful of typical security countermeasures discussed in articles. Fortunately, Pro PHP Security, written by Chris Snyder and Michael Southwell, is intended to fill this critical need." Read the rest of Michael's review.
Pro PHP Security
author
Chris Snyder and Michael Southwell
pages
528
publisher
Apress
rating
9
reviewer
Michael J. Ross
ISBN
1590595084
summary
A comprehensive guide to developing secure PHP-based Web sites.
Pro PHP Security spans 528 pages, consisting of 24 chapters organized into four major parts. The first part, comprising only one chapter, explains the nature and significance of computer security, and reasons as to why absolute security is an unattainable goal. Nonetheless, it is worthwhile to take all appropriate and reasonable security measures, and the authors provide a brief overview of the different types of attacks to which Web applications are vulnerable.
On their Web site, Apress has a page devoted to the book, where they offer the book's source code (in a Zip archive file), the table of contents, corrections to the book (i.e., errata), and a sample chapter (Chapter 12 - Preventing SQL Injection) in PDF format. In addition, there is a link for any reader who would like to purchase this title as an e-book.
One of the most laudable aspects of Pro PHP Security, is that the authors — both experienced software and Web site developers — go far beyond the standard PHP security advice of validating and escaping user input, etc. Those topics are covered in depth, but they are provided in the context of thorough discussions as to how to set up a secure environment in which to use those techniques. In addition, the authors present best practices that have evolved over time, as Web masters and system administrators have learned — often the hard way — the general types of attacks to which their Web sites and computer networks have been subjected.
In fact, Snyder and Southwell hold off on presenting the aforesaid specific PHP security techniques, until the third part of the book. Prior to that, they explain the characteristics of a secure online computing environment, such as using encryption, securing network connections via SSL and SSH, controlling access via authentication and permissions, and other important topics. Their coverage of the subject matter is complete, without being overwhelming. For instance, the material on encryption is helpfully divided into two separate chapters — devoted to theory and practice, respectively. Consequently, a PHP application developer or system administrator can immediately dive into the authors' recommended practices for encoding sensitive data, without getting bogged down in the theoretical underpinnings, if the reader is in a hurry to implement encryption on their own systems, or simply has no interest in the theory behind the methods.
As noted earlier, Part 3 of this monograph explains all of the well-known techniques that crackers use for attacking PHP-based Web sites, as well as the countermeasures that should be adopted by the developer or maintainer of the site. First up is validation of user input, which — though being essential to basic security — is still neglected on far too many Web sites. The attention to detail seen in this discussion is also reflected in the subsequent chapters, which cover SQL injection, cross-site scripting, remote execution, temporary files, and session hijacking. For each topic, the authors explain how the typical attack is attempted, and what needs to be done to prevent such attacks.
The fourth and last major part of the book covers vitally important topics that are usually glossed over in most PHP security books, or neglected altogether. Snyder and Southwell explain methods of limiting access to your Web site to humans (thus minimizing attacks that employ scripts), verifying the identities of those users, authorizing what those users can do on your system, and tracking their actions once they have logged in. The authors also explain how to reduce the chances of data loss, and how to execute system commands and make remote procedure calls without exposing your site to vulnerabilities. The last chapter covers the benefits to be gained from opening up your site and its source code to a review by your technical peers.
This book has much to recommend it: The discussions of security issues are more complete and thorough than in any other book that I have seen. The information chosen by the authors is detailed enough to be understandable and usable, but not so excessive as to prove daunting or discouraging to the reader who needs answers to their security questions, and does not have the time or inclination to slog through academic or pointless discussion. The information is well-organized, and presented in context, so the reader is not simply given a laundry list of security techniques, but instead better understands the rationale behind them. Lastly, because no technical topic can be covered in full in a single book, the authors provide a generous number of references to outside resources.
The content of this book appears to have only one noticeable weakness, and that is the poor quality of the comments in the sample source code. Not only are they few in number and lacking in detail, but they are written in all lowercase letters, with little to no punctuation. This coding style results in the comments visually blending in with the code itself, and makes reading both to be more difficult than is justifiable.
The physical book itself also has only one weakness, and that may only apply to a portion of the copies produced and distributed by the publisher. Specifically, the bottom and side edges of the book are cut cleanly, while the top edge is quite rough. As I was unable to find any mention within the book as to a possible reason or advantage for having the rough edging on top of the pages, I can only conclude that it was not intended on the part of Apress, and represents an error in production. I hope that the copy that I received — kindly given to me by the publisher — is not representative of all the copies produced and sold.
In spite of these minor complaints, I was quite pleased with this book. Pro PHP Security is arguably the most comprehensive PHP security book available, and is highly recommended to any developer or administrator of a PHP-based Web site.
Michael J. Ross is a freelance writer, computer consultant, and the editor of the free newsletter of PristinePlanet.com."
You can purchase Pro PHP Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Pro PHP Security spans 528 pages, consisting of 24 chapters organized into four major parts. The first part, comprising only one chapter, explains the nature and significance of computer security, and reasons as to why absolute security is an unattainable goal. Nonetheless, it is worthwhile to take all appropriate and reasonable security measures, and the authors provide a brief overview of the different types of attacks to which Web applications are vulnerable.
On their Web site, Apress has a page devoted to the book, where they offer the book's source code (in a Zip archive file), the table of contents, corrections to the book (i.e., errata), and a sample chapter (Chapter 12 - Preventing SQL Injection) in PDF format. In addition, there is a link for any reader who would like to purchase this title as an e-book.
One of the most laudable aspects of Pro PHP Security, is that the authors — both experienced software and Web site developers — go far beyond the standard PHP security advice of validating and escaping user input, etc. Those topics are covered in depth, but they are provided in the context of thorough discussions as to how to set up a secure environment in which to use those techniques. In addition, the authors present best practices that have evolved over time, as Web masters and system administrators have learned — often the hard way — the general types of attacks to which their Web sites and computer networks have been subjected.
In fact, Snyder and Southwell hold off on presenting the aforesaid specific PHP security techniques, until the third part of the book. Prior to that, they explain the characteristics of a secure online computing environment, such as using encryption, securing network connections via SSL and SSH, controlling access via authentication and permissions, and other important topics. Their coverage of the subject matter is complete, without being overwhelming. For instance, the material on encryption is helpfully divided into two separate chapters — devoted to theory and practice, respectively. Consequently, a PHP application developer or system administrator can immediately dive into the authors' recommended practices for encoding sensitive data, without getting bogged down in the theoretical underpinnings, if the reader is in a hurry to implement encryption on their own systems, or simply has no interest in the theory behind the methods.
As noted earlier, Part 3 of this monograph explains all of the well-known techniques that crackers use for attacking PHP-based Web sites, as well as the countermeasures that should be adopted by the developer or maintainer of the site. First up is validation of user input, which — though being essential to basic security — is still neglected on far too many Web sites. The attention to detail seen in this discussion is also reflected in the subsequent chapters, which cover SQL injection, cross-site scripting, remote execution, temporary files, and session hijacking. For each topic, the authors explain how the typical attack is attempted, and what needs to be done to prevent such attacks.
The fourth and last major part of the book covers vitally important topics that are usually glossed over in most PHP security books, or neglected altogether. Snyder and Southwell explain methods of limiting access to your Web site to humans (thus minimizing attacks that employ scripts), verifying the identities of those users, authorizing what those users can do on your system, and tracking their actions once they have logged in. The authors also explain how to reduce the chances of data loss, and how to execute system commands and make remote procedure calls without exposing your site to vulnerabilities. The last chapter covers the benefits to be gained from opening up your site and its source code to a review by your technical peers.
This book has much to recommend it: The discussions of security issues are more complete and thorough than in any other book that I have seen. The information chosen by the authors is detailed enough to be understandable and usable, but not so excessive as to prove daunting or discouraging to the reader who needs answers to their security questions, and does not have the time or inclination to slog through academic or pointless discussion. The information is well-organized, and presented in context, so the reader is not simply given a laundry list of security techniques, but instead better understands the rationale behind them. Lastly, because no technical topic can be covered in full in a single book, the authors provide a generous number of references to outside resources.
The content of this book appears to have only one noticeable weakness, and that is the poor quality of the comments in the sample source code. Not only are they few in number and lacking in detail, but they are written in all lowercase letters, with little to no punctuation. This coding style results in the comments visually blending in with the code itself, and makes reading both to be more difficult than is justifiable.
The physical book itself also has only one weakness, and that may only apply to a portion of the copies produced and distributed by the publisher. Specifically, the bottom and side edges of the book are cut cleanly, while the top edge is quite rough. As I was unable to find any mention within the book as to a possible reason or advantage for having the rough edging on top of the pages, I can only conclude that it was not intended on the part of Apress, and represents an error in production. I hope that the copy that I received — kindly given to me by the publisher — is not representative of all the copies produced and sold.
In spite of these minor complaints, I was quite pleased with this book. Pro PHP Security is arguably the most comprehensive PHP security book available, and is highly recommended to any developer or administrator of a PHP-based Web site.
Michael J. Ross is a freelance writer, computer consultant, and the editor of the free newsletter of PristinePlanet.com."
You can purchase Pro PHP Security from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
Here is an observation: With all the publicity Ruby on Rails and other frameworks like Zend Framework, Turbogears and the like are receiving these days--why are we not seeing an innumerable number of security trolls like Chris Shiflett on the *framework side of web development? My thoughts are that PHP users are told "you can too" when in many cases, with forums other resources like the ten gazillion books, they *can*, to an extent (but either with really bad help or books assuming the reader is not working on a *real* project).
Conversely, Rails, Turbogears and Symphony are, too, saying "you can too." Yet, where are the security trolls? It seems though that the *actual* users of the *frameworks, the ones using them for real-life projects are those who have struggled with PHP and (perl, python, etc...) CGI programming for so long and decided "fuck it." Things like database abstraction (and therefore quoting, etc), single-entry-point, and template-safety are, in the most part, taken care of for you.
P.S. XSS is not a PHP problem!
Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
The physical book itself also has only one weakness...Specifically, the bottom and side edges of the book are cut cleanly, while the top edge is quite rough.
This is because someone tried to do a physical attack on the top edge of the PHP Security book.
However, the Page's Horizontal Periphery security kept it from getting through.
He who knows best knows how little he knows. - Thomas Jefferson
If you're getting the bulk of your programming experience from PHP, you have trouble ahead. :-) I realize that sounds like snarky crap, and it is to some extent, but it pays to sit down with a good book about the fundamentals of computing and programming design. Something like How to Design Programs (google it -- available free online), which makes use of Scheme, will make you ten times as productive when/if you return to PHP.
PHP as a language is outclassed by Ruby and Python, yet they aren't beating it back in the web arena. Why?
Ignoring support by ISP's there is are two main reasons I think from the developers perspective,
1) PHP's online documentation of both the core language it's standard libraries is comprehensive. I'm not even aware of where I could find documentation on Python libraries to communicate with MySQL, with PHP it's all shipped in the package and all documented in one place - php.net. One place I might add where users/developers can and do comment and actually make the documentation better and clearer (although some bad ideas get into the mix too, they are usually corrected by following comments). All the Python and Ruby documentation seems to be humped into two ends of the spectrum, 101 and web framework. Atleast this is the impression I get as someone once interested in Python for web development, after being spoilt for documentation at PHP it's just frustrating.
2) PHP allows you to inline your code into your documents (as does ASP) providing a, nasty, dangerous yet incredibly easy route for people from a web design background to get into web development without any programming knowledge. As these users develop, some will become well seasoned and actually start to seperate code from design. The rate at which people are being introduced to server side scripting and indeed PHP is, in my opinion, probably increasing and there is always, for that reason, alot of unsavvy PHP users.
It's also worth mentioning that to a certain extent, Ruby on Rails gems (which I haven't used personally) and Perl's CPAN solve some of the shortfalls, but Python seens way behind.
I've owned this book for a few months now.
It's a good book to get started with PHP Security ideas. It has a lot of theory and explains a lot of issues. However, I don't like the examples or how the book uses the examples.
Often times I would have like to see a larger scale project outline shown, instead of just the theory. But, it was worth the purchase.
"The past was erased, the erasure was forgotten, the lie became truth." ~1984 George Orwell
When will people learn to check the PEAR before asking for PHP functionality?
http://pear.php.net/package/LiveUser supports users from multiple sources (at the same time), group permissions and per-user-permissions.
I noticed that, despite your diatribe, you never actually said that the grandparent was wrong.
The original poster has a point. I can think of a number of language features that were just plain bad ideas.
1. Providing an inconsistant programming environment, based on INI settings. This exacerbates the next two problems.
2. Having register globals turned on by default. First "fixed" in php.ini-recommended for PHP 4. Later fixed in php.ini-dist for PHP 4.2. Scheduled for removal from the language in PHP 6.
3. Having magic quotes GPC turned on by default. First "fixed" in php.ini-recommended for PHP 4. Scheduled for removal from the language in PHP 6.
4. Lack of a good database abstraction layer shipped with PHP. Although dbx and Pear DB both ship with PHP, neither is that commonly used. dbx due to being disabled by default; Pear DB due to its slowness. This is fixed in PHP 5.1 with the addition of PDO. Unfortunately, this is a case of too little, too late, as anyone who writes things for multiple DBs already uses ADODB or hand-rolls their own abstraction layer (coughphpBBcough).
Rather than waiting for a perl programmer to come along and post this url, I will: PHP in contrast to Perl. I know very well that this is slanted against PHP, but that doesn't make a lot of the comments in it any less true. Particularly since PHP 1 was written in Perl 5.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011