Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition

Summary

We have continued our discussion of threats to your PHP application and your users' data by considering remote execution, an exploit where an attacker takes advantage of your application's openness to user-submitted input that is then executed by PHP.

After describing how remote execution works, and what dangers it presents, we provided six strategies for countering it:

Limit allowable filename extensions for uploads.
Allow only trusted, human users to import code.
Do not use the eval() function with untrusted input.
Do not include untrusted files.
Properly escape all shell commands.
Beware of preg_replace() patterns with the e modifier.

We then pointed out that, in attempting to prevent remote execution exploits, you need to balance ...

Get Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition by Chris Snyder, Michael Southwell, Thomas Myer

Summary

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly