You are previewing Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition.
O'Reilly logo
Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition

Book Description

PHP security, just like PHP itself, has advanced. Updated for PHP 5.3, the second edition of this authoritative PHP security book covers foundational PHP security topics like SQL injection, XSS, user authentication, and secure PHP development. Chris Snyder and Tom Myer also dive into recent developments like mobile security, the impact of Javascript, and the advantages of recent PHP hardening efforts.

Pro PHP Security, Second Edition will serve as your complete guide for taking defensive and proactive security measures within your PHP applications. Beginners in secure programming will find a lot of material on secure PHP development, the basics of encryption, secure protocols, as well as how to reconcile the demands of server-side and web application security.

What you'll learn

  • Secure PHP development principles

  • PHP web application security

  • User and file security

  • Mobile security

  • Encryption and secure protocols

  • Dealing with JavaScript

Who this book is for

Pro PHP Security appeals to all intermediate and advanced PHP programmers who need to keep websites safe. It also contains material of interest to all who are concerned with web application security.

Table of Contents

  1. Title Page
  2. Dedication
  3. Contents at a Glance
  4. Contents
  5. About the Authors
  6. Acknowledgments
  7. Preface
  8. PART 1: The Importance of Security
    1. CHAPTER 1: Why Is Secure Programming a Concern?
      1. What Is Computer Security?
      2. Why Absolute Computer Security Is Impossible
      3. What Kinds of Attacks Are Web Applications Vulnerable To?
      4. Five Good Habits of a Security-Conscious Developer
      5. Summary
  9. PART 2: Practicing Secure PHP Programming
    1. CHAPTER 2: Validating and Sanitizing User Input
      1. What to Look For
      2. Strategies for Validating User Input in PHP
      3. Testing Input Validation
      4. Summary
    2. CHAPTER 3: Preventing SQL Injection
      1. What SQL Injection Is
      2. How SQL Injection Works
      3. PHP and MySQL Injection
      4. Preventing SQL Injection
      5. Test Your Protection Against Injection
      6. Summary
    3. CHAPTER 4: Preventing Cross-Site Scripting
      1. How XSS Works
      2. A Sampler of XSS Techniques
      3. Preventing XSS
      4. Test for Protection Against XSS Abuse
      5. Summary
    4. CHAPTER 5: Preventing Remote Execution
      1. How Remote Execution Works
      2. The Dangers of Remote Execution
      3. Strategies for Preventing Remote Execution
      4. Testing for Remote Execution Vulnerabilities
      5. Summary
    5. CHAPTER 6: Enforcing Security for Temporary Files
      1. The Functions of Temporary Files
      2. Characteristics of Temporary Files
      3. Preventing Temporary File Abuse
      4. Test Your Protection Against Hijacking
      5. Summary
    6. CHAPTER 7: Preventing Session Hijacking
      1. How Persistent Sessions Work
      2. Abuse of Sessions
      3. Preventing Session Abuse
      4. Test for Protection Against Session Abuse
      5. Summary
    7. CHAPTER 8: Securing REST Services
      1. What Is REST?
      2. What Is JSON?
      3. REST Security
      4. A Basic REST Server in PHP
      5. Summary
  10. PART 3: Practicing Secure Operations
    1. CHAPTER 9: Using CAPTCHAs
      1. Background
      2. Kinds of Captchas
      3. Creating an Effective Captcha Test Using PHP
      4. Attacks on Captcha Challenges
      5. Potential Problems in Using Captchas
      6. Summary
    2. CHAPTER 10: User Authentication, Authorization, and Logging
      1. Identity Verification
      2. Who Are the Abusers?
      3. Using a Working Email Address for Identity Verification
      4. When a Working Mailbox Isn't Enough
      5. Access Control for Web Applications
      6. Summary
    3. CHAPTER 11: Preventing Data Loss
      1. Preventing Accidental Corruption
      2. Avoiding Record Deletion
      3. Versioning
      4. Creating a Versioned Database Filestore
      5. Summary
    4. CHAPTER 12: Safe Execution of System and Remote Procedure Calls
      1. Dangerous Operations
      2. Making Dangerous Operations Safe
      3. Handling Resource-intensive Operations with a Queue
      4. Remote Procedure Calls
      5. RPC and Web Services
      6. Summary
  11. PART 4: Creating a Safe Environment
    1. CHAPTER 13: Securing Unix
      1. An Introduction to Unix Permissions
      2. Protecting the System from Itself
      3. PHP Safe Mode
      4. Summary
    2. CHAPTER 14: Securing Your Database
      1. Protecting Databases
      2. General Security Considerations
      3. Securing MySQL Accounts
      4. Summary
    3. CHAPTER 15: Using Encryption
      1. Encryption vs. Hashing
      2. Recommended Encryption Algorithms
      3. Recommended Hash Functions
      4. Related Algorithms
      5. Random Numbers
      6. Blocks, Modes, and Initialization Vectors
      7. US Government Restrictions on Exporting Encryption Algorithms
      8. Applied Cryptography
      9. Verifying Important or At-risk Data
      10. Summary
    4. CHAPTER 16: Securing Network Connections: SSL and SSH
      1. Definitions
      2. The SSL Protocols
      3. Connecting to SSL Servers Using PHP
      4. Working with SSH
      5. The Value of Secure Connections
      6. Summary
    5. CHAPTER 17: Final Recommendations
      1. Security Issues Related to Shared Hosting
      2. Maintaining Separate Development and Production Environments
      3. Keeping Software Up to Date
      4. Summary
  12. Index