Book review: Pro PHP Security by <i>Chris Snyder and Michael Southwell</i>

Book review: Pro PHP Security by Chris Snyder and Michael Southwell


Good security is the basis of any viable website. With the internet being the most public of places, broken systems cost—money, reputations and possibly customer identities are the currency. Pro PHP Security, published by Apress and written by Chris Snyder and Michael Southwell, is a detailed and authoritive account of the security details that effect a successful deployment of a PHP website. The book ranges from the almost theoretical to the highly practical such as SQL injection attack hardening and validating user input. If you are a newbie programmer or a serious practitioner, you may still find highly relevant comfort and detail in the book. There may be monsters waiting in the dark.

The book’s coverThe book’s cover

Security is not a thin line. Securing infrastructure with potentially complex relationships absolutely requires defense in depth. Under Linux, which is the traditional deployment operating system of choice for the majority of PHP web applications, you need to understand the file system, the use of temporary files, .htaccess encryption and many of the associated attack vectors such as cross site scripting. Any book that wishes to discuss PHP Security needs to be dense enough and broad enough. Luckily, Pro PHP Security has such attributes. This book was fun to read and, despite the fact that in a previous incarnation I was a security officer as well as developer, I learnt more than a few new details.

Securing infrastructure with potentially complex relationships absolutely requires defense in depth

The contents

Chris Snyder and Michael Southwell have divided their 500 or so page book into four parts and twenty-four accurate and to-the-point chapters. Part 1 is the shortest containing only information on why we need to secure programs in the first place. Part 2 explains how to maintain a secure environment and discusses operating system and transport issues.

The most fun section is part 3 Practicing Secure PHP Programming. Different attack vectors are mentioned, one major theme per chapter. The attacks include SQL injection, Remote Execution and, my favorite, Session hijacking. With so many potential crackers out there with so many freely downloadable kits, if you are a newbie PHP programmer, here is where you may save your site(s), read on.

Part 4 Practicing Secure Operations ends with mentioning peer reviewing of code. From personal experience, I strongly thumbs up the advice given.

Looking back at the whole book, I am glad to see apparently mundane advice included such as setting your database permissions aggressively and backing up your databases. This may seem obvious, but it costs energy to follow and thus on many occasions is avoided. Any newbie reading this review please follow the advice and don’t be lazy or you may pay more later. I have seen this short-term thinking a number of times before.

Who’s this book for?

This book is especially useful for the newbie programmer that is starting out with PHP for the first time or old reactionaries that have not had any hard security training.

Relevance to free software

Linux has a rock solid reputation for stable and secure running. Many Linux deployments are solely for running PHP web applications. PHP has as its rival JSP and ASP. If enough PHP sites are hacked, both PHP and Linux will be tarred with a negative brush and JSP or worst still ASP will profit. Therefore, it is vital for core free software projects that programmers understand where the main security surfaces lie.

One of the delightful properties of the PHP programming language is how quickly you can become productive. One could imagine active websites being built from day one and from day one being insecure. Pro PHP Security is broad enough and well rounded enough a book to give the day one builders a thorough jumpstart in the security arena. This fact is also true for the older reactionaries that have learnt to program in the trenches but have had no meaningful security related experience.

It is vital for core free software projects that programmers understand where security surfaces lie

Pros

A great book with a lot of detail. This book is excellent for quickly building up a critical mass of relevant security related concepts and practical defensive strategies.

Cons

Although Pro PHP security mentions general issues, if you are not running PHP I would advise you to look elsewhere for more generic security related books.
Title Pro PHP Security
Author Chris Snyder, Michael Southwell
Publisher Apress
ISBN 1590595084
Year 2005
Pages 528
CD included No
FS Oriented 9
Over all score 9

In short

Category: 
Reviews
Tagging: 
php
book review
security
License: 
CC-BY

Most forwarded

Interview with Dave Mohyla, of DTIDATA

Dave Mohyla is the president and founder of dtidata.com, a hard drive recovery facility based in Tampa, Florida.

TM: Where are you based? What does your company do?
DTI Data recovery is based in South Pasadena, Florida which is a suburb of Tampa. We have been here for over 10 years. We operate a bio-metrically secured class 100 clean room where we perform hard drive recovery on all types of hard disks, from laptop hard drives to multi drive RAID systems.

Anybody up to writing good directory software?

Since the very beginning, directories (of any kind) have had a very central role in the internet. (I have recently grown fond of Free Web Directory. Even Slashdot can be considered a directory: a collection of great news and invaluable user-generated comments. As far as software is concerned, doing a quick search on Google about software directories will return the free (as in freedom) software directories like Savannah, SourceForge, Freshmeat and so on, followed by shareware and freeware sites such as FileBuzz, PCWin Download Center and All Freeware (great if you're looking for shareware and freeware, but definitely less comprehensive than their free-as-in-freedom counterparts).

Interview with Mark Shuttleworth

Mark Shuttleworth is the founder of Thawte, the first Certification Authority to sell public SSL certificates. After selling Thawte to Verisign, Mark moved on to training as an astronaut in Russia and visiting space. Once he got back he founded Ubuntu, the leading GNU/Linux distribution. He agreed on releasing a quick interview to Free Software Magazine.

Is better education the key to finding better software?

I read David Jonathon's article Anybody Up To Writing Good Directory Software? the other day, which got me thinking about software directories in general. As David mentioned, many of the software directories one finds when doing a quick google search are free as in beer, not as in freedom. But what interests me is the software directories that already exist, providing a combination of both free as in beer software, and open source software. Sites such as Freeware Downloads and Shareware Download don't advertise themselves as providing free as in liberty software, but each of them have a good selection of open source software available... if you know where to look.

Most emailed

Free Open Document label templates

If you’ve ever spent hours at work doing mailings, cursed your printer for printing outside the lines on your labels, or moaned “There has got to be a better way to do this,” here’s the solution you’ve been looking for. Working smarter, not harder! Worldlabel.com, a manufacture of labels offers Open Office / Libre Office labels templates for downloading in ODF format which will save you time, effort, and (if you want) make really cool-looking labels

Creating a user-centric site in Drupal

A little while ago, while talking in the #drupal mailing list, I showed my latest creation to one of the core developers there. His reaction was "Wow, I am always surprised what people use Drupal for". His surprise is somehow justified: I did create a site for a bunch of entertainers in Perth, a company set to use Drupal to take over the world with Entertainers.Biz.

Update: since writing this article, I have updated the system so that the whole booking process happens online. I will update the article accordingly!

So, why, why do people and companies develop free software?

More and more people are discovering free software. Many people only do so after weeks, or even months, of using it. I wonder, for example, how many Firefox users actually know how free Firefox really is—many of them realise that you can get it for free, but find it hard to believe that anybody can modify it and even redistribute it legally.

When the discovery is made, the first instinct is to ask: why do they do it? Programming is hard work. Even though most (if not all) programmers are driven by their higher-than-normal IQs and their amazing passion for solving problems, it’s still hard to understand why so many of them would donate so much of their time to creating something that they can’t really show off to anybody but their colleagues or geek friends.

Sure, anybody can buy laptops, and just program. No need to get a full-on lab or spend thousands of dollars in equipment. But... is that the full story?

Fun articles

Santa Claus - the most successful open source project

It dawned on me the other day, as I was shopping for the dozens of gifts it seems I have to buy every December, that Santa Claus is the most successful open source project in history. (Bridget @ Illiterarty would agree with that). Santa Claus is essentially a marketing development that is embodied by everyone who stuffs a sock, gives a gift, hosts a dinner or wishes Merry Christmas over the holiday season.

Most emailed

Editorial

When I first started thinking about Free Software Magazine, I was feeling enthusiastic about the dream. I had Dave, Gianluca, and Alan willing to help me, I had established members of the free software community willing to help me out, I had writers volunteering their time and energy for free, and I had a generous offer from OpenHosting for servers, all before I'd proved myself. There was a sense of excitement in the air, and I thought maybe, just maybe, I could make this work.

Free Software Magazine uses Apollo project management software and CRM for its everyday activities!