
Press Release: November 17, 2005

Essential PHP Security: A Guide to Building Secure Web Applications

Sebastopol, CA--With PHP's transition from a set of tools for personal home page development to the world's most popular web programming language, PHP developers have acquired some new concerns, such as performance, maintainability, scalability, reliability, and--perhaps most important--security. "Traditionally, security has been a topic of concern for network, database, and systems engineers," says Chris Shiflett, author of the new book Essential PHP Security (O'Reilly, US $29.95). "Over time, there has been a shift in focus up the protocol stack, and web developers now find themselves primarily responsible for the security of critical applications."

As Shiflett explains, unlike language features such as conditional expressions and looping constructs, security is abstract. He says that it is not so much a characteristic of a language as it is a characteristic of a developer: no language can prevent insecure code, although there are language features that can aid or hinder a security-conscious developer. His book teaches developers how to write secure PHP code; however, the topics and techniques apply just as readily to other web development technologies.

Andi Gutmans, PHP architect and co-founder of Zend Technologies, writes in his foreword to the book that security is crucial for PHP. "Recently, there have been numerous security alerts around PHP. But, in fact, the majority of them are not a result of flaws in PHP itself, but are due to improper and insecure uses of PHP by applications developers," says Gutmans. He says that, unlike in the Java or .NET space, the PHP community releases dozens of PHP applications to the open source community, such as content management systems, e-commerce systems, and forums. When security bugs appear in those applications, they are often confused with the PHP technology itself, hurting the perception of PHP in the marketplace.

It's no easy task to ensure that all PHP developers are up to speed with security practices, a task exacerbated by the lack of materials dedicated to the subject and the absence of simple rules for dos and don'ts. But there is hope, as Gutmans points out: "Chris Shiflett, the author of this book, has dedicated his career to improving PHP application-level security. With Essential PHP Security, Chris brings long-needed security guidelines to PHP developers everywhere."

This much-needed, much-requested book explains the most common types of attacks and how to write code that can withstand them. Each chapter in the book covers an aspect of web application development (such as form processing, database programming, session management, and authentication). The chapters provide examples of potential attacks and then explain techniques to prevent those attacks. Topics covered include:

  • Preventing cross-site scripting (XSS) vulnerabilities
  • Protecting against SQL injection attacks
  • Complicating session hijacking attempts

Given the growing frequency of attacks on web sites, it's more critical than ever to know how to write code that isn't susceptible. This focused book offers developers a deeper understanding and appreciation of the safeguards they can put in place.

Additional Resources:

Essential PHP Security
Chris Shiflett
ISBN: 0-596-00656-X, 109 pages, $29.95 US
1-800-998-9938; 1-707-827-7000

About O'Reilly

For almost 40 years, O'Reilly Media has provided technology and business training, knowledge, and insight to help companies succeed. Our unique network of experts and innovators share their knowledge and expertise through the company's Safari training and learning platform and at O'Reilly conferences. As a SaaS learning platform, Safari delivers highly topical and comprehensive technology and business learning solutions to millions of users across enterprise, consumer, and university channels. For more information visit


Press Contacts

Media Relations – Corporate & North America

Fama PR

Media Relations – Japan

Fumi Yamakawa
+81 3-3356-5227

Media Relations – United Kingdom

Helen Codling
+44 (0) 1252 721284