February 2013
Intermediate to advanced
538 pages
20h 55m
English
Content preview from Programming PHP, 3rd EditionBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.
Security Recap
Because security is such an important issue, we want to reiterate the main points of this chapter as well as add a few additional tips:
Filter input to be sure that all data you receive from remote sources is the data you expect. Remember, the stricter your filtering logic, the safer your application.
Escape output in a context-aware manner to be sure that your data isn’t misinterpreted by a remote system.
Always initialize your variables. This is especially important when the
register_globalsdirective is enabled.Disable
register_globals,magic_quotes_gpc, andallow_url_fopen. See http://www.php.net for details on these directives.Whenever you construct a filename, check the components with
basename()andrealpath().Store includes outside of the document root. It is better to not name your included files with the .inc extension. Name them with a .php extension, or some other less obvious extension.
Always call
session_regenerate_id()whenever a user’s privilege level changes.Whenever you construct a filename from a user-supplied component, check the components with
basename()andrealpath().Don’t create a file and then change its permissions. Instead, set
umask()so that the file is created with the correct permissions.Don’t use user-supplied data with
eval(),preg_replace()with the/eoption, or any of the system commands—exec(),system(),popen(),passthru(), and the backtick (`) operator.
Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.
Read now
Unlock full access
More than 5,000 organizations count on O’Reilly
O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.Julian F.
I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.Addison B.
I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.Amir M.
I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.