Chapter 18. Security and Encryption


Web application security is an important topic that attracts attention from both the developers who create web applications and the attackers who try to exploit them. As a PHP developer, your applications are sure to be the target of many attacks, and you need to be prepared.

A large number of web application vulnerabilities are due to a misplaced trust in data provided by third parties. Such data is known as input, and it should be considered tainted until proven otherwise. If you display tainted data to your users, you create cross-site scripting (XSS) vulnerabilities. Avoiding Cross-Site Scripting explains how to avoid these by escaping your output. If you use tainted data in your SQL queries, you can create SQL injection vulnerabilities. Eliminating SQL Injection shows you how to eliminate these.

When using data provided by third parties, including the data provided by your users, it is important to first verify that it is valid. This process is known as filtering, and Ensuring Input Is Filtered shows you how to guarantee that all input is filtered.

Not all security problems can be solved by filtering input and escaping output. Session fixation, an attack discussed in Preventing Session Fixation, causes a victim to use a session identifier chosen by an attacker. Cross-site request forgeries, a type of attack discussed in Protecting Against Form Spoofing, cause a victim to send a request of an attacker’s choosing.

Closely related to ...

Get PHP Cookbook, 3rd Edition now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.