book

Essential PHP Security

Name: Essential PHP Security
Author: Chris Shiflett
ISBN: 9780596006563

by Chris Shiflett

October 2005

Intermediate to advanced

124 pages

2h 44m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Foreword
Preface
What’s InsideStyle ConventionsComments and QuestionsSafari EnabledAcknowledgments
1. Introduction
1.1. PHP Features1.1.1. Register Globals1.1.2. Error Reporting1.2. Principles1.2.1. Defense in Depth1.2.2. Least Privilege1.2.3. Simple Is Beautiful1.2.4. Minimize Exposure1.3. Practices1.3.1. Balance Risk and Usability1.3.2. Track Data1.3.3. Filter Input1.3.4. Escape Output
2. Forms and URLs
2.1. Forms and Data2.2. Semantic URL Attacks2.3. File Upload Attacks2.4. Cross-Site Scripting2.5. Cross-Site Request Forgeries2.6. Spoofed Form Submissions2.7. Spoofed HTTP Requests
3. Databases and SQL
3.1. Exposed Access Credentials3.2. SQL Injection3.3. Exposed Data
4. Sessions and Cookies
4.1. Cookie Theft4.2. Exposed Session Data4.3. Session Fixation4.4. Session Hijacking
5. Includes
5.1. Exposed Source Code5.2. Backdoor URLs5.3. Filename Manipulation5.4. Code Injection
6. Files and Commands
6.1. Traversing the Filesystem6.2. Remote File Risks6.3. Command Injection
7. Authentication and Authorization
7.1. Brute Force Attacks7.2. Password Sniffing7.3. Replay Attacks7.4. Persistent Logins
8. Shared Hosting
8.1. Exposed Source Code8.2. Exposed Session Data8.3. Session Injection8.4. Filesystem Browsing8.5. Safe Mode

A. Configuration Directives
A.1. allow_url_fopenA.2. disable_functionsA.3. display_errorsA.4. enable_dlA.5. error_reportingA.6. file_uploadsA.7. log_errorsA.8. magic_quotes_gpcA.9. memory_limitA.10. open_basedirA.11. register_globalsA.12. safe_mode
B. Functions
B.1. eval()B.2. exec()B.3. file()B.4. file_get_contents()B.5. fopen()B.6. includeB.7. passthru()B.8. phpinfo()B.9. popen()B.10. preg_replace()B.11. proc_open()B.12. readfile()B.13. requireB.14. shell_exec()B.15. system()
C. Cryptography
C.1. Storing PasswordsC.2. Using mcryptC.3. Storing Credit Card NumbersC.4. Encrypting Session Data
About the Author
Index
About the Author
Colophon
Copyright

Overview

Being highly flexible in building dynamic, database-driven web applications makes the PHP programming language one of the most popular web development tools in use today. It also works beautifully with other open source tools, such as the MySQL database and the Apache web server. However, as more web sites are developed in PHP, they become targets for malicious attackers, and developers need to prepare for the attacks.

Security is an issue that demands attention, given the growing frequency of attacks on web sites. Essential PHP Security explains the most common types of attacks and how to write code that isn't susceptible to them. By examining specific attacks and the techniques used to protect against them, you will have a deeper understanding and appreciation of the safeguards you are about to learn in this book.

In the much-needed (and highly-requested) Essential PHP Security, each chapter covers an aspect of a web application (such as form processing, database programming, session management, and authentication). Chapters describe potential attacks with examples and then explain techniques to help you prevent those attacks.

Topics covered include:

Preventing cross-site scripting (XSS) vulnerabilities
Protecting against SQL injection attacks
Complicating session hijacking attempts

You are in good hands with author Chris Shiflett, an internationally-recognized expert in the field of PHP security. Shiflett is also the founder and President of Brain Bulb, a PHP consultancy that offers a variety of services to clients around the world.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 059600656XErrata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills