PHP Architect's Guide to PHP Security
Date: 19 January 2011, 06:23
This book describes itself as a "Step-by-step guide to writing secure and reliable PHP applications. Dealing with real-world examples of proper coding practices, and their implementation in PHP in an accurate, concise and complete way." So does it live up to this claim? And how does it fare compared to the ever-increasing range of PHP security books out there?

Well, first of all, this book weighs in at just under 200 pages. Although I don't use page counts as an indication of quality, I do use them as a gauge of how much "fluff" a book is likely to contain. I consider book fluff to be all of those early preamble chapters that the majority of us just skip over in our bid to get to the real meat. Thankfully Ilia is merciful in this respect, and other than a quick foreword by Rasmus Lerdorf and a brief introduction we are straight into the good stuff from as early as page 21.

The book is split into 10 chapters, starting with Input Validation. As you may well expect, this is kicked off with a good summary of the Register Globals issue. Rather than just say "it's bad, don't use it", Ilia actually goes into depth to explain how it works, what happens when your variables collide, and gives a good example of accidental misuse. Rather than leave it at this, we're then walked through various alternatives, with the pros and cons of each explained. Although the Register Globals issue is the one we're all most familiar with, the attention to detail given in its coverage and technical explanation sets the tone for the rest of the book.

Validating input is then covered, and it's nice to see the book appreciate the difference that a locale can have on PHP's built-in functions. The example given shows how is_numeric("1,23") would return false (because of the comma after the 1), yet this is a perfectly valid form of decimal notation in countries such as Germany and France.
Sadly Ilia doesn't actually give you a solution for this problem, he just mentions it, but now that it has been brought to the front of your mind, you can at least cater for it. The Input Validation tips continue to flow, as it moves swiftly across string validation, content size validation, whitelist validation, File Uploads, Configuration settings, File Input, File Content validation, Accessing Uploaded data, file size, magic quotes, serialized data and external resource validation. Don't forget, this is all just Chapter 1.

Subsequent chapters include Cross-Site Scripting Prevention, SQL Injection, Preventing Code Injection, Command Injection, Session Security, Securing File Access, Security through Obscurity, Sandboxes and Tar Pits, and it finishes with Securing Your Application. This is a wealth of information, make no mistake about it. The Sandbox chapter in particular offers up some great ideas for building and implementing a sandbox and tar pit (methods to counter-attack hackers, rather than just preventing them). The final chapter serves as a checklist you can run through when auditing your own (or others') code: 'Avoid $_REQUEST?', check!

As you would expect from someone so tightly involved in the PHP development cycle, Ilia writes with an air of authority about this subject. It is plainly obvious that he fully understands what is going on deep inside PHP at any given moment, and uses that know-how to advise the rest of us how best to approach it from above. It's knowledge that he imparts easily and fluidly throughout this book, with virtually every paragraph containing something of genuine use. The main thing I like about this book is that for every "this is wrong", you are nearly always shown a "but this is how you can do it" method. I find that with security more than any other area in PHP, you often hear an awful lot of "don't do this", but precious few examples of rectifying those mistakes.
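Since the review notes that the book raises the is_numeric("1,23") locale problem without offering a fix, here is one way to handle it. This is an added example, not code from the book or the reviewer; the function name validateDecimal and the sample inputs are my own and are constructed for illustration.

```php
<?php
// Added example, not from the book: an allowlist validator for decimal input
// that accepts either "." or "," as the decimal separator, so "1,23"
// (German/French notation) is handled rather than rejected by is_numeric().
declare(strict_types=1);

/**
 * Validate a user-supplied decimal string and return it in canonical
 * "." form, or null if it is not a plain decimal number.
 * Exponents ("1e3"), surrounding whitespace (" 1") and thousands
 * separators ("1.234,56") are rejected on purpose: is_numeric() quietly
 * accepts the first two, which is rarely what a form field should allow.
 */
function validateDecimal(string $input): ?string
{
    // Optional sign, one or more digits, optionally ONE separator and digits.
    if (!preg_match('/^[+-]?\d+(?:[.,]\d+)?$/', $input)) {
        return null;
    }
    // Normalise so the rest of the application sees a single representation.
    $canonical = str_replace(',', '.', $input);
    // Belt and braces: the canonical form must still satisfy is_numeric().
    return is_numeric($canonical) ? $canonical : null;
}

// Constructed sample inputs (hypothetical) contrasting is_numeric()
// with the stricter, locale-tolerant validator above.
$samples = ['1,23', '1.23', '-0,5', '1e3', ' 1', '1.234,56', 'abc'];
foreach ($samples as $s) {
    $result = validateDecimal($s);
    printf("%-12s is_numeric=%-5s validateDecimal=%s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        $result === null ? 'null' : $result);
}
```

The accepted value is returned as a string so it can be passed to a prepared statement or to a decimal library without floating-point rounding.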
We've also yet to see a security book deal with any system as a whole. For example, taking a user management system, or a simple shopping basket system, and walking through how to ensure it is secure. Theory is all well and good, but authors can lead by example as well.

My final comment would be one of print quality. I am finding this is quite common with Nanobooks: the print quality really isn't the best. Very often large blocks of black will appear faded or striped, and the covers suffer from "jaggies" around text where the colours have bled slightly. I am quite sure this can be attributed to their low cost. You can pick up two typical Nanobooks for the same price as an Apress title. And so long as you can actually read it, who cares if some pages look like they may have fallen out of a photocopier? Never judge a book by its cover and all that. Even so, I thought it was worth mentioning.

P.S. I thought it was a nice touch that Ilia had signed my copy. I'm sure he did all of the first batch or something, but it was great anyway!