AVG Rating: 8.00
Added 29 Nov 05
Essential PHP Security  

Author Chris Shiflett
Publisher O'Reilly Media, Inc.
Publication Date 2005-10-13
Paperback - 124 Pages
ISBN 059600656X

Amazon Reviews
Product description (amazon.com):
Being highly flexible in building dynamic, database-driven web applications makes the PHP programming language one of the most popular web development tools in use today. It also works beautifully with other open source tools, such as the MySQL database and the Apache web server. However, as more web sites are developed in PHP, they become targets for malicious attackers, and developers need to prepare for the attacks.

Security is an issue that demands attention, given the growing frequency of attacks on web sites. Essential PHP Security explains the most common types of attacks and how to write code that isn’t susceptible to them. By examining specific attacks and the techniques used to protect against them, you will gain a deeper understanding and appreciation of the safeguards the book teaches.

In the much-needed (and highly-requested) Essential PHP Security, each chapter covers an aspect of a web application (such as form processing, database programming, session management, and authentication). Chapters describe potential attacks with examples and then explain techniques to help you prevent those attacks.

Topics covered include:

  • Preventing cross-site scripting (XSS) vulnerabilities
  • Protecting against SQL injection attacks
  • Complicating session hijacking attempts

You are in good hands with author Chris Shiflett, an internationally-recognized expert in the field of PHP security. Shiflett is also the founder and President of Brain Bulb, a PHP consultancy that offers a variety of services to clients around the world.

Amazon Customer Comments

Opened my eyes! (Rating: 4)
16 Nov 2007 @ amazon.com
While smaller than many O’Reilly titles, the author wastes no time in helping the new PHP programmer write more secure code. Once you get the best practices in the first chapter down, the other seven chapters each deal with a specific class of vulnerability. You can read chapters 2-8 in any order, and you’ll also spend some time with the appendices.

I confess, this book made me want to go back over my code and refactor it from the ground up! Chris gives really easy ways to prevent the more common attacks. A day to a day and a half to read this book and then build your habit library will take you far in building more secure PHP code.
Raises a lot of interesting questions, but not enough answers. (Rating: 2)
08 Jul 2007 @ amazon.com
When I first got this book, it made me think about a few security holes that probably existed in my sites, and go back and fix some things. I liked the fact that it was quick and to the point, so I could hit all of the topics in a glance.

However, as I’ve progressed in my own development projects, I’ve come across a lot of fairly basic issues that are simply brushed by in this book. For example, the entire topic of encryption (hmm, maybe important in a security book) is relegated to Appendix C, which is 6 pages long. The discussion of mcrypt (the actual encryption functions) is 2 pages long, and is just a copy of an encryption class, without any explanation at all of modes, initialization vectors, etc (i.e. the things you need to understand to actually understand encryption). He even gives a link to Wikipedia at the beginning of the appendix (among other links) and tells us to read up there. Sorry Chris, but I dropped $30 on your book (along with a lot of other people) because I wanted YOU to explain it.

As another example, the book explains how to make sure you are dealing with an uploaded file rather than another file, but never addresses the problem of trying to determine if it is malicious before you work with it. I wrote Chris Shiflett an email on his personal website asking about this, but never received a response.

Overall, the authorship of this book seems somewhat lazy (is the topic of security really only worth 100 pages?), which is why I feel a little bit insulted and don’t have a problem giving this a low rating. I would give it 3 stars because much of the content raises interesting questions, but I am used to such better quality from O’Reilly that it heavily suffers by comparison with ANY of their other offerings.
Overpriced (Rating: 1)
03 Jan 2007 @ amazon.com
Of the 103 pages in the book there are probably only 13 of unique information and 90 pages of saying the same exact thing over and over again. Worse yet, I found the author had already released the 13 pages of useful information online for free.

Definitely wish I had browsed this one in a store before I blew $30.
Alright - not very meaty though (Rating: 3)
26 Dec 2006 @ amazon.com
Alright - not very meaty. Overall I’m glad I read it though, as I picked up some useful nuggets.

==========
Update 2006-12-30 - I’d like to bump this up to four stars. The book came in handy today - I used some code in it regarding session variables.
PHP Security is a HUGE topic (Rating: 5)
27 Sep 2006 @ amazon.com
This book is essential for anyone starting out in PHP, but not only for them. It offers tips for almost any skill level; maybe you know some of the ways to keep your site secure, but Chris really goes in depth on some of them.

The code snippets are short, simple, but convey the point exactly as intended... and I also like Chris’s method for validating tainted data, similar to a fisherman. If the fish is bad throw it back and the same goes for user input.

I still have this book for reference and have lent it to a few people which resulted in them picking their own copies... all around a great resource.
VERY VERY HIGHLY RECOMMENDED!! (Rating: 5)
12 Jun 2006 @ amazon.com
Are you a developer who is writing insecure PHP code? If you are, then this book is for you! Author Chris Shiflett has done an outstanding job of writing a practical book that will help you improve your PHP application-level security.

Shiflett begins by giving an overview of security principles and best practices. Then, the author covers form processing and attacks such as cross-site scripting and cross-site request forgeries. He continues by focusing on using databases and attacks such as SQL injection. Then, the author explains PHP’s session support and shows you how to protect your applications from attacks such as session fixation and session hijacking. Then, he covers the risks associated with the use of includes, such as backdoor URLs and code injection. Next, the author discusses attacks such as filesystem traversal and command injection. Then, he shows you how to create secure authentication and authorization mechanisms and how to protect your applications from things like brute force attacks and replay attacks. Finally, the author explains the inherent risks associated with a shared hosting environment.

This most excellent book brings long-needed security guidelines to PHP developers everywhere. More importantly, the content of this book will be an asset to your development teams.
Essential for the Beginner or Advanced PHP developer (Rating: 5)
11 Apr 2006 @ amazon.com
As a very security conscious developer, I found this book to be a GREAT resource to my library. Though the book is short in length, it is very rich in content. Chris does a GREAT job of presenting the problem (citing specific examples of the exploits), showing the pitfalls, and then presenting the solutions.

He is very thorough in his descriptions, and his easy to understand writing and use of analogies made this a very simple concept to grasp. If you are a seasoned PHP developer, or just beginning programming PHP - his writing style helps you to understand the underlying attack, visuals to see it in action, and how to prevent being attacked - it is very simple, yet deep.

Reading this book has helped me to see where my applications may fall short, and what I can do to protect them. Especially in the realm of PHP developers, there are MANY Open Source options out there, and many of them lack the security that is mentioned in the chapters of this book. Don’t let yourself get caught!

I recommend this book, and performing an audit of your own work. Excellent book!
Not Bad (Rating: 3)
07 Apr 2006 @ amazon.com
This handy book fetches the most recent popular attacks, and roughly covers most general attacking means and how to secure your website. I like the author’s principle about how to filter tainted input, and his code snippets are short and understandable. But this book comes with quite a few minor errors; chapters seem a little bit repetitive and redundant, and most code is not discussed in depth. If you are a PHP newbie and wish to know more PHP security related features, or you want a short, handy cookbook which provides a quick reference, you should pick up this book.
Excellent PHP security overview (Rating: 5)
08 Feb 2006 @ amazon.com
Provides a good practical overview of common website attacks and how to handle them. Each type of attack is explained before showing the defence. By understanding how the attacks work you are less likely to implement the defences incorrectly. This book helped me understand the important security issues when developing websites in php, however much of the information is applicable in any web development language.

The book is only around 100 pages, but if you consider the title of the book then this is fine. You won’t find information about securing a web server for example, but that is not what this book is for.

The only specific attack missing which I would like to have seen information about is email spamming through website forms. However the general principles described in the book will help prevent these attacks as well.

I highly recommend this book to any PHP developer who is looking for a concise guide on how to secure their websites.

Makes you think. (Rating: 5)
05 Dec 2005 @ amazon.com
I found this book very helpful. The language is easy to understand and the examples are clear and concise. The mantra ’filter input, escape output’ is repeated throughout the book but is accompanied by examples of attacks and preventions. I found that repetition helpful. It is much easier to take the advice and apply it to my own needs than having a book with a finite list of applications and their possible holes.
Good overview of PHP security issues to date (Rating: 4)
23 Nov 2005 @ amazon.com
This long awaited work from who many refer to as the guru of PHP security is finally out.

I must say though, when it arrived in the mail, I was a bit surprised by the package. Rather than the typical book box you get, it was in a padded envelope and upon opening the package I saw that the book was a mere 109 pages (with appendices starting on page 87).

As I began to read the book, I started to realize some of the reasons for the small size. Chris stays completely on topic with PHP security and doesn’t meander into subjects such as Linux server administration and security, which other (larger) texts do to quite a large extent. I actually went to another PHP security text I had recently read, and if I took out the sysadmin sections, it left about the same amount of pages as Chris’s book. Also, Chris’s approach to PHP security seems to be a very "keep it simple" one. He doesn’t get into elaborate security frameworks and application layers. He simply defines a PHP security issue and provides a straightforward and simple solution for the problem. I agree with this approach, since over-engineering a solution breeds complexity, and complexity can easily mask, you guessed it, "security issues".

I would say what I liked most about this book is that he brought to light the security concerns when running on a shared host. I think this topic is very often neglected in the majority of PHP security articles and texts, even though many of us use shared hosting due to how cheap it is. Chris devotes an entire chapter to the situation and clearly explains the vast security risks that come with shared hosting and gives examples of how to mitigate the risks.

I would actually recommend this book to just about any PHP programmer for the simple fact that it is a great catalog of PHP security risks to date and offers simple solutions to counter those risks. Since it is a quick read, it is an excellent way to quickly see if you have your bases covered when it comes to the security of your PHP app. Some of the examples are a bit brief, but the fact that you have read Chris’s book and been alerted to the security issue is the real value in the end. You can always go to http://phpsec.org/ or other sites for expanded examples.

"Knowing is half the battle" - GI Joe
Okay for Novices (Rating: 3)
23 Nov 2005 @ amazon.com
As far as technical books go, I liked this one. It really does get right to the point, and doesn’t waste any time. But I do want to warn potential buyers that the book doesn’t contain anything new to those who’ve been around the block a couple times. I’d say this book would only be informative to novice PHP programmers.

I’ve been programming with PHP for a few years now, and even when I read a book aimed at novices I usually learn something, or I’m at least reminded of some issues that I hadn’t thought about in a while. I can’t say the same about this book. I read it front to back within an hour, and didn’t learn anything new, nor will it provide any kind of reference for future projects.

Overall I was disappointed, but that isn’t necessarily the author’s fault. I was just expecting something more in-depth.
Redundant and really basic tips (Rating: 3)
16 Nov 2005 @ amazon.com
This 120 page book could be condensed into one chapter. Most of the examples are just applying the same "filter and escape your data" advice to different functions.
This book should be read by new programmers. If you have been programming for any decent amount of time, you should already know everything in here.
Essential Security & Good Practices (Rating: 5)
08 Nov 2005 @ amazon.com
This is the first technical book that I have read that doesn’t obscure the topic with trivial details or complicated sentence structures with phrasing that is hard to follow. The thing I like best about the book is that it introduces a technique in detail and uses it throughout the book. Because every chapter refers back to the original "filter input, escape output" theme coupled with defense in depth, it forces the user to concentrate on a single, simple method and apply it to many different situations.

The example code segments in the book illustrate specific points described in the copy very well. Keeping the code examples simple only strengthens its meaning since the reader is not forced to analyze the code. Additional comments in the examples may be helpful for inexperienced developers.

In addition to providing insight on filtering input and escaping output, Chris also gives the reader insight into a very helpful way of dealing with the filtered/escaped data within the code. This method is illustrated in all the examples, and as the reader notices it used throughout the book they can learn its usefulness by example.
Good overview of php security matters (Rating: 3)
02 Nov 2005 @ amazon.com

You would think that with all of the books being published recently about PHP that everyone and his mother is writing PHP code. This may be true, but even if it is not, it is certain that many people and businesses are using PHP code, in concert with other applications like MySQL, to produce dynamic web sites. This is all well and good because PHP is a high-quality coding language especially well-suited to web applications. It is also open-source, meaning well-supported by a community of coders and developers and cost-free. The one problem is that, like all coding languages, poorly designed or written PHP applications can be security risks potentially allowing Internet miscreants to cause damage to web servers, hosts, and users. It appears to be the case that there are many, many instances of insecure PHP code in use, hence, the value in a targeted book on PHP security, like "Essential PHP Security", by Chris Shiflett.

The author is an internationally-known and accomplished expert on PHP security. He is the founder of the PHP Security Consortium, a group of volunteers who help educate the PHP community, and a well-known contributor to the PHP-general mail digest. The book is designed to provide security information and guidelines and explain the most common types of attacks and how to prevent or repel them.

"Essential PHP Security" is a slight volume of only 109 pages, including index. Shiflett wastes no time and immediately jumps into his topic, starting with his opinion on the use of the PHP concept of "register globals", a configuration setting which he recommends against using in favor of "superglobal arrays". He next turns to how to configure your web server setup to properly deal with error reporting, both for the developer’s use and to prevent providing clues to any interloper trying to illegally access your site.

The balance of Chapter 1 itemizes general principles of Internet security: Defense in Depth - redundantly using more than one technique to secure your site; Least Privileges - writing code to minimize access to the least needed for any particular user’s needs; Simple is Beautiful - the writing of clear, simple code, to make troubleshooting and auditing easier; and Minimize Exposure - taking steps to design and implement programs to eliminate or at least minimize display of sensitive data or code - don’t even store credit card information unless absolutely necessary, he suggests.

Next, comes "Best Practices" - balancing risk vs. usability, keeping track of data, filtering of all input, escaping output, and in all cases, distinguishing between filtered and tainted data. These principles and practices are illustrated with short code snippets comparing insecure vs. more secure code.

The next seven chapters deal with specific elements of a website, the types of attacks that can occur with each, and tips and suggestions on how to deal with these attacks. These elements include vulnerabilities in forms and URLs, databases and SQL, sessions and cookies, PHP "include" files, files and commands, authentication and authorization, and shared hosting.

The author credibly describes by examples the types of attacks against forms and URLs - cross-site scripting, cross site request forgeries, spoofing of forms, and insecure Raw HTTP requests. Authentication attacks include dictionary attacks, password sniffing, replay attacks, and cookie stealing. For each, he briefly describes how the attacks work, shows examples of insecure code, and provides examples of secure code.

For each of the elements dealt with, the author follows the same model: describe briefly the types of attacks against each element, show conventionally-used insecure code, and show how to eliminate the insecure parts of the code. Most of the security defenses entail filtering data from outside sources, especially form input, email, and XML documents from other web applications. Other defense techniques include using SSL for encrypted data transmissions, strengthening identification methods, hard-coding file paths, and using token techniques in addition to PHP encryption functions. Interestingly, Shiflett believes it is impossible to achieve a high level of security in a shared hosting situation. He provides suggestions on what security measures will help the most.

What is most useful about this book is the aggregation in one place of descriptions of all of these security attacks and vulnerabilities in PHP code, along with suggestions on dealing with them. The organization of the material is good. However, I believe the author falls short in his code examples. There appears to be a disconnect between the descriptive text (which is clear enough) and the examples, which are not, at least to me, a novice in PHP. I could not readily follow the detailed code segments, although I could understand in principle what was going on.

Some of the code segments were barely explained and some were inadequately explained. The concepts of the attacking techniques were understandable, but the detailed implementations were not. There are a small handful of illustrations, but I found them too simplistic and inadequate. To be fair, this may be a failure of the reviewer. More experienced PHP folks may not complain about the presentations. For them, this book gives them what they need to know about handling the security aspects of their applications, but my guess is that it is the less accomplished coders who need the most help (although those same people are probably writing the types of applications and sites least likely to be targeted by miscreants.)

There are three short appendices presenting suggestions on how to configure a PHP installation to minimize weaknesses, suggestions about avoiding certain powerful PHP functions, especially system commands, to minimize risk, and a short segment on cryptography features in PHP.
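The "filter input, escape output" discipline that the reviews above keep returning to, written out as an added PHP example (it is not code from the book or from its author): input is validated into a separate $clean array and output is escaped for HTML at the point of use. The field names and the sample request are constructed for illustration.

```php
<?php
// Added example of the "filter input, escape output" pattern described in
// the reviews. Not code from the book; field names are constructed.

// Constructed sample request (stands in for $_GET in a real script).
$tainted = ['username' => 'alice<script>', 'page' => '3abc'];

// 1. Filter input: every value that passes validation is copied into a
//    separate $clean array; anything else is rejected outright. Code that
//    comes later only ever reads from $clean, never from $tainted.
function filterInput(array $tainted): array
{
    $clean = [];

    // Usernames: 3-20 letters, digits or underscores (whitelist).
    // A bad value is dropped, never "repaired".
    if (isset($tainted['username'])
        && preg_match('/^[A-Za-z0-9_]{3,20}$/', $tainted['username'])) {
        $clean['username'] = $tainted['username'];
    }

    // Page numbers: a positive integer, validated and cast.
    if (isset($tainted['page'])) {
        $page = filter_var($tainted['page'], FILTER_VALIDATE_INT,
                           ['options' => ['min_range' => 1]]);
        if ($page !== false) {
            $clean['page'] = $page;
        }
    }

    return $clean;
}

// 2. Escape output: whatever goes to the browser is escaped for the
//    context it lands in (here an HTML body) at the point of use.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$clean = filterInput($tainted);

// Insecure form (the "before" the book shows): raw request data echoed
// straight into the page, which is how cross-site scripting happens.
// echo "Hello, " . $_GET['username'];

// Secure form: use only filtered values, and escape them on the way out.
$username = $clean['username'] ?? 'guest';   // 'alice<script>' was rejected
$page     = $clean['page'] ?? 1;              // '3abc' was rejected

echo '<p>Hello, ' . escapeHtml($username) . '</p>' . PHP_EOL;
echo '<p>Page ' . (int) $page . '</p>' . PHP_EOL;
```

The same separation applies to other output contexts: a value bound to a database query is escaped (or parameterised) for SQL, not for HTML, even though it came from the same $clean array.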