Publisher: O’Reilly Books
Copyright: October 2005
ISBN: 0-596-00656-X
Pages: 124
Price: $29.95 US, $41.95 CA, £20.95 UK
Review: This long-awaited work from the man many refer to as the guru of PHP security is finally out.
I must say, though, that when it arrived in the mail I was a bit surprised by the package. Rather than the typical book box you get, it came in a padded envelope, and upon opening the package I saw that the book was a mere 109 pages (with the appendices starting on page 87).
As I began to read the book, I started to realize some of the reasons for the small size. Chris stays completely on topic with PHP security and doesn’t meander into subjects such as Linux server administration and security, which other (larger) texts do to quite a large extent. I actually went to another PHP security text I had recently read, and if I took out the sysadmin sections, it left about the same number of pages as Chris’s book. Also, Chris’s approach to PHP security seems to be a very ‘keep it simple’ one. He doesn’t get into elaborate security frameworks and application layers. He simply defines a PHP security issue and provides a straightforward, simple solution for the problem. I agree with this approach, since over-engineering a solution breeds complexity, and complexity can easily mask, you guessed it, “security issues”.
I would say what I liked most about this book is that he brought to light the security concerns of running on a shared host. I think this topic is very often neglected in the majority of PHP security articles and texts, even though many of us use shared hosting because of how cheap it is. Chris devotes an entire chapter to the situation, clearly explains the vast security risks that come with shared hosting, and gives examples of how to mitigate those risks.
I would actually recommend this book to just about any PHP programmer, for the simple fact that it is a great catalog of PHP security risks to date and offers simple solutions to counter those risks. Since it is a quick read, it is an excellent way to quickly see if you have your bases covered when it comes to the security of your PHP app. Some of the examples are a bit brief, but the fact that you have read Chris’s book and been alerted to the security issue is the real value in the end. You can always go to http://phpsec.org/ or other sites for expanded examples.
“Knowing is half the battle”
GI Joe
Table of contents:
1. Introduction
- PHP Features
- Principles
- Practices
2. Forms and URLs
- Forms and Data
- Semantic URL Attacks
- File Upload Attacks
- Cross-Site Scripting
- Cross-Site Request Forgeries
- Spoofed Form Submissions
- Spoofed HTTP Requests
3. Databases and SQL
- Exposed Access Credentials
- SQL Injection
- Exposed Data
4. Sessions and Cookies
- Cookie Theft
- Exposed Session Data
- Session Fixation
- Session Hijacking
5. Includes
- Exposed Source Code
- Backdoor URLs
- Filename Manipulation
- Code Injection
6. Files and Commands
- Traversing the Filesystem
- Remote File Risks
- Command Injection
7. Authentication and Authorization
- Brute Force Attacks
- Password Sniffing
- Replay Attacks
- Persistent Logins
8. Shared Hosting
- Exposed Source Code
- Exposed Session Data
- Session Injection
- Filesystem Browsing
- Safe Mode