I just finished reading Pro PHP Security by Chris Snyder and Michael Southwell. I’m always looking for ways to improve my programming skills and security is an area I try to focus on. Secure web applications are becoming more important every day as more and more of our lives are placed online. With that in mind, I purchased this book to increase my PHP skills.
Overall the book was quite good. The book is broken into four parts. Part one is a general overview of security and its importance. Nothing really new here, but a good introduction nonetheless.
Part two delves into server-side security, outside of the realm of PHP. This includes shared hosts, firewalls, software installation, and more. None of this is really PHP specific per se, but these are still important topics. There is a decent introduction to encryption and its importance in security. There are a few PHP examples throughout these chapters that show how to handle SSH, SSL, hashing, and general encryption using the mcrypt extension. Part two concludes with an overview of authentication, permissions, and restrictions. There is a decent example of a single sign-on system, as well as an overview of PHP safe mode.
Part three covers more in-depth PHP programming practices designed to prevent many of the more common security problems. This section starts with a chapter on input validation, a very important topic indeed. The authors explain what input validation is and how to accomplish it. There are several examples that show how to validate the data you need and ensure that it’s safe to use throughout your program. Subsequent chapters cover SQL Injection, Cross-Site Scripting, Remote Execution, and Session Hijacking. Throughout each chapter are dozens of examples showing how to handle each situation.
Finally, part four covers user interaction with your programs. Since the majority of the web applications you will write are intended to interact with users, this is pretty important. The authors cover ways to ensure that your users are, in fact, human users and not scripts. Identity verification is covered with methods ranging from simple email response to SMS messages. And once you’ve determined that your users are real, you’ll need to provide them with a list of actions they can perform. The authors show how role-based authorization can help with this and allow for a scalable system that can be extended in the future. In the next few chapters, the authors cover data loss, safely executing system commands, and handling RPC calls. And finally, the authors explain the value of Open Source software and the advantages of peer review.
Overall this is an excellent book and I highly recommend it. While this book is geared towards PHP programming, it does cover a wide variety of topics that are not strictly PHP specific. While I was aware of many of the topics covered within this book, I did learn a variety of new tricks for dealing with security threats. If you’re interested in learning more about security and how to secure your programs, I definitely recommend reading this book.