With the number of security flaws and exploits discovered and released every day constantly on the rise, knowing how to write secure and reliable applications is become more and more important every day. Written by Ilia Alshanetsky, one of the foremost experts on PHP security in the world, "Phparchitect's Guide to PHP Security" focuses on providing you with all the tools and knowledge you need to both secure your existing applications and writing new systems with security in mind. This book gives you a stepbystep guide to each securityrelated topic, providing you with realworld examples of proper coding practices and their implementation in PHP in an accurate, concise and complete way. It provides techniques applicable to any version of PHP, including 4.x and 5.x. It includes a stepbystep guide to securing your applications, and includes a comprehensive coverage of security design. It teaches you how to defend yourself from hackers, and shows you how to distract hackers with a "tar pit" to help you fend off potential attacks Foreword 14 Introduction 18 Chapter 1 Input Validation 22 The Trouble with Input 23 An Alternative to Register Globals: Superglobals 26 The Constant Solution 26 The $_REQUEST Trojan Horse 28 Validating Input 29 Validating Numeric Data 29 Locale Troubles 30 String Validation 31 Content Size Validation 35 White List Validation 37 Being Careful with File Uploads 38 Configuration Settings 38 File Input 39 File Content Validation 40 Accessing Uploaded Data 42 File Size 43 The Dangers of Magic Quotes 44 Magic Quotes Normalization 45 Magic Quotes & Files 47 Validating Serialized Data 48 External Resource Validation 50 Chapter 2 Cross-Site Scripting Prevention 54 The Encoding Solution 55 Handling Attributes 55 HTML Entities & Filters 57 Exclusion Approach 61 Handling Valid Attributes 64 URL Attribute Tricks 65 XSS via Environment Variables 67 IP Address Information 67 Referring URL 68 Script Location 68 More Severe XSS Exploits 69 Cookie/Session Theft 70 Form Data Theft 71 Changing Page Content 72 Chapter 3 SQL Injection 74 Magic Quotes 75 Prepared Statements 76 No Means of Escape 78 The LIKE Quandary 79 SQL Error Handling 80 Authentication Data Storage 81 Database Permissions 84 Maintaining Performance 84 Query Caching 86 Chapter 4 Preventing Code Injection 88 Path Validation 89 Using Full Paths 89 Avoiding Dynamic Paths 90 Possible Dangers of Remote File Access 90 Validating File Names 92 Securing Eval 95 Dynamic Functions and Variables 96 Code Injection via PCRE 98 Chapter 5 Command Injection 102 Resource Exhaustion via Command Injection 103 The PATH Exploit 105 Hidden Dangers 106 Application Bugs and Setting Limits 107 PHP Execution Process 109 Chapter 6 Session Security 114 Sessions & Cookies 115 Man in the Middle Attacks 115 Encryption to the Rescue! 116 Server Side Weakness 116 URL Sessions 116 Session Fixation 118 Surviving Attacks 118 Native Protection Mechanism 119 User-land Session Theft 120 Expiry Time Tricks 120 Server Side Expiry Mechanisms 121 Mixing Security and Convenience 122 Securing Session Storage 123 Session ID Rotation 127 IP Based Validation 129 Browser Signature 130 Referrer Validation 131 User Education 132 Chapter 7 Securing File Access 136 The Dangers of “Worldwide” Access 137 Securing Read Access 138 PHP Encoders 138 Manual Encryption 139 Open Base Directory 140 Securing Uploaded Files 141 Securing Write Access 141 File Signature 143 Safe Mode 144 An Alternate PHP Execution Mechanism 145 CGI 146 FastCGI 146 Shared Hosting Woes 147 File Masking 148 Chapter 8 Security through Obscurity 154 Words of Caution 154 Hide Your Files 155 Obscure Compiled Templates 157 Transmission Obfuscation 159 Obscure Field Names 159 Field Name Randomization 160 Use POST 161 Content Compression 162 HTML Comments 162 Software Identification 163 Chapter 9 Sandboxes and Tar Pits 166 Misdirect Attacks with Sandboxes 167 Building a Sandbox 167 Tracking Passwords 168 Identify the Source of the Attack Source 170 Find Routing Information 171 Limitations with IP Addresses 172 Smart Cookie Tricks 174 Record the Referring URL 174 Capture all Input Data 175 Build a Tar Pit 177 Chapter 10 Securing Your Applications 180 Enable Verbose Error Reporting 181 Replace the Usage of Register Globals 181 Avoid $_REQUEST 182 Disable Magic Quotes 183 Try to Prevent Cross-Site Scripting (XSS) 184 Improve SQL Security 184 Prevent Code Injection 185 Discontinue use of eval() 186 Mind Your Regular Expressions 186 Watch Out for Dynamic Names 186 Minimize the Use of External Commands 187 Obfuscate and Prepare a Sandbox 188 Index 190
with The Number Of Security Flaws And Exploits Discovered And Released Every Day Constantly On The Rise, Knowing How To Write Secure And Reliable Applications Is Become More And More Important Every Day.
written By Ilia Alshanetsky, One Of The Foremost Experts On Php Security In The World, Php|architect's Guide To Php Security Focuses On Providing You With All The Tools And Knowledge You Need To Both Secure Your Existing Applications And Writing New Systems With Security In Mind.
this Book Gives You A Step-by-step Guide To Each Security-related Topic, Providing You With Real-world Examples Of Proper Coding Practices And Their Implementation In Php In An Accurate, Concise And Complete Way.
provides Techniques Applicable To Any Version Of Php, Including 4.x And 5.x
includes A Step-by-step Guide To Securing Your Applications
includes A Comprehensive Coverage Of Security Design
teaches You How To Defend Yourself From Hackers
shows You How To Distract Hackers With A Tar Pit To Help You Fend Off Potential Attacks
Overall, an excellent resource for security. It's small size means that that topics are narrow enough to be digested and acted upon individually.