The book is organized into chapters that address specific topics related to PHP development. Each chapter is further divided into sections that cover the most common attacks related to a particular topic, and you are shown both how the attacks are initiated and how to protect your applications from them.
Gives an overview of security principles and best practices. This chapter provides the foundation for the rest of the book.
Covers form processing and attacks such as cross-site scripting and cross-site request forgeries.
Focuses on using databases and attacks such as SQL injection.
Explains PHP’s session support and shows you how to protect your applications from attacks such as session fixation and session hijacking.
Covers the risks associated with the use of includes, such as backdoor URLs and code injection.
Discusses attacks such as filesystem traversal and command injection.
Helps you create secure authentication and authorization mechanisms and protect your applications from things like brute force attacks and replay attacks.
Explains the inherent risks associated with a shared hosting environment. You are shown how to avoid the exposure of your source code and session data, as well as how to protect your applications from attacks such as session injection.
Provides a short and focused list of configuration directives that deserve particular attention.
Offers a brief list of functions with which you should be concerned.
Focuses on symmetric cryptography and shows you how to safely store passwords and encrypt data in a database or session data store.
Items appearing in the book are sometimes given a special appearance to set them apart from the regular text. Here’s how they look:
Italic
Used for citations to books and articles, commands, email addresses, URIs, filenames, emphasized text, and first references to terms.
Constant width
Used for literals, constant values, code listings, and XML markup.
Constant width italic
Used for replaceable parameter and variable names.
Constant width bold
Used to highlight the portion of a code listing being discussed.
We have tested and verified the information in this book to the best of our ability, but you may find that features have changed (or even that we have made mistakes!). Please let us know about any errors you find, as well as your suggestions for future editions, by writing to:
O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
(800) 998-9938 (in the U.S. or Canada)
(707) 829-0515 (international or local)
(707) 829-0104 (fax)
We have a web page for this book, where we list errata, examples, or any additional information. You can access this page at:
http://phpsecurity.org/
You can sign up for one or more of our mailing lists at:
http://elists.oreilly.com
To comment or ask technical questions about this book, send email to:
bookquestions@oreilly.com
For more information about our books, conferences, software, Resource Centers, and the O’Reilly Network, see our web site at:
http://www.oreilly.com/
When you see a Safari® Enabled icon on the cover of your favorite technology book, it means the book is available online through the O’Reilly Network Safari Bookshelf.
Safari offers a solution that’s better than e-books. It’s a virtual library that lets you easily search thousands of top technology books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.
I cannot properly express my gratitude to all of the people who have made this book possible, nor can I hope to repay their sacrifices with words. Written during one of the busiest years of my life, this book would not have been possible without the unwavering support of my family and friends, and the endless patience of my editors.
Writing a book infringes upon your personal time, and this affects those closest to you. Christina, thanks so much for your sacrifices and for understanding, and even encouraging, my passions.
The people at O’Reilly have been wonderful to work with. From the very beginning, they’ve gone out of their way to make the entire process fit around my writing style and busy schedule.
Nat Torkington, thanks for your early editorial guidance and for initiating this project. I never thought I would write another book, but when you came to me with the idea for this one, I couldn’t refuse. Allison Randal, thanks for your expert guidance, and more importantly, for your friendly encouragement and understanding throughout the writing process. Tatiana Apandi, thanks for your enduring patience and for becoming such a great friend.
I would like to extend a very special thanks to the best technical review team ever assembled. Adam Trachtenberg, David Sklar, George Schlossnagle, and John Holmes are some of the smartest and friendliest guys around. Thanks to each of you for lending both your expertise and time to help ensure the technical accuracy of this book. While errata is always undesirable, it is especially so when dealing with an important topic like security. This book is closer to perfect as a result of your aid.
Lastly, I want to thank the PHP community. Without your gracious support and appreciation for my work over the years, I would never have written this book.