Preface
What's Inside
The book is organized into chapters that address specific topics related to PHP development. Each chapter is further divided into sections that cover the most common attacks related to a particular topic, and you are shown both how the attacks are initiated and how to protect your applications from them.
- Chapter 1, Introduction
Gives an overview of security principles and best practices. This chapter provides the foundation for the rest of the book.
- Chapter 2, Forms and URLs
Covers form processing and attacks such as cross-site scripting and cross-site request forgeries.
- Chapter 3, Databases and SQL
Focuses on using databases and attacks such as SQL injection.
- Chapter 4, Sessions and Cookies
Explains PHP's session support and shows you how to protect your applications from attacks such as session fixation and session hijacking.
- Chapter 5, Includes
Covers the risks associated with the use of includes, such as backdoor URLs and code injection.
- Chapter 6, Files and Commands
Discusses attacks such as filesystem traversal and command injection.
- Chapter 7, Authentication and Authorization
Helps you create secure authentication and authorization mechanisms and protect your applications from things like brute force attacks and replay attacks.
- Chapter 8, Shared Hosting
Explains the inherent risks associated with a shared hosting environment. You are shown how to avoid the exposure of your source code and session data, as well as how to protect your applications from attacks such as session injection.
- Appendix A, Configuration Directives
Provides a short and focused list of configuration directives that deserve particular attention.
- Appendix B, Functions
Offers a brief list of functions with which you should be concerned.
- Appendix C, Cryptography
Focuses on symmetric cryptography and shows you how to safely store passwords and encrypt data in a database or session data store.
Style Conventions
Items appearing in the book are sometimes given a special appearance to set them apart from the regular text. Here's how they look:
- Italic
Used for citations to books and articles, commands, email addresses, URIs, filenames, emphasized text, and first references to terms.
- Constant width
Used for literals, constant values, code listings, and XML markup.
- Constant width italic
Used for replaceable parameter and variable names.
- Constant width bold
Used to highlight the portion of a code listing being discussed.
Comments and Questions
We have tested and verified the information in this book to the best of our ability, but you may find that features have changed (or even that we have made mistakes!). Please let us know about any errors you find, as well as your suggestions for future editions, by writing to:
O'Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
(800) 998-9938 (in the U.S. or Canada)
(707) 829-0515 (international or local)
(707) 829-0104 (fax)
We have a web page for this book, where we list errata, examples, or any additional information. You can access this page at:
http://phpsecurity.org/
You can sign up for one or more of our mailing lists at:
http://elists.oreilly.com
To comment or ask technical questions about this book, send email to:
bookquestions@oreilly.com
For more information about our books, conferences, software, Resource Centers, and the O'Reilly Network, see our web site at:
http://www.oreilly.com/
Safari Enabled
When you see a Safari® Enabled icon on the cover of your favorite technology book, it means the book is available online through the O'Reilly Network Safari Bookshelf.
Safari offers a solution that's better than e-books. It's a virtual library that lets you easily search thousands of top technology books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.
Acknowledgments
I cannot properly express my gratitude to all of the people who have made this book possible, nor can I hope to repay their sacrifices with words. Written during one of the busiest years of my life, this book would not have been possible without the unwavering support of my family and friends, and the endless patience of my editors.
Writing a book infringes upon your personal time, and this affects those closest to you. Christina, thanks so much for your sacrifices and for understanding, and even encouraging, my passions.
The people at O'Reilly have been wonderful to work with. From the very beginning, they've gone out of their way to make the entire process fit around my writing style and busy schedule.
Nat Torkington, thanks for your early editorial guidance and for initiating this project. I never thought I would write another book, but when you came to me with the idea for this one, I couldn't refuse. Allison Randal, thanks for your expert guidance, and more importantly, for your friendly encouragement and understanding throughout the writing process. Tatiana Apandi, thanks for your enduring patience and for becoming such a great friend.
I would like to extend a very special thanks to the best technical review team ever assembled. Adam Trachtenberg, David Sklar, George Schlossnagle, and John Holmes are some of the smartest and friendliest guys around. Thanks to each of you for lending both your expertise and time to help ensure the technical accuracy of this book. While errata is always undesirable, it is especially so when dealing with an important topic like security. This book is closer to perfect as a result of your aid.
Lastly, I want to thank the PHP community. Without your gracious support and appreciation for my work over the years, I would never have written this book.