This Post Has 13 Comments

1. IT MAY BE SHORT, BUT SIZE DOESN’T MATTER!
   The book is only 85 pages long (if you take out the Appendices and filler material). That alone gets it four out of five stars. Well… not really… but there’s a lot to be said for producing a book that will actually get read. You can read the whole thing in one bathroom sitting, assuming you just returned from Mexico. By comparison, similar books like “Pro PHP Security” by Chris Snyder and Michael Southwell (also a very good book) are more along the lines of 500 pages and such books are intended as comprehensive reference books rather than tutorials. You’d have to eat at a restaurant in North Korea to get all the way through the Pro PHP Security book. Seriously though – the criticisms of this book primarily pretain to its lack of detail – but I’d rather actually finish a high level book than have a detailed book sit on my shelf unread.Chris’ book is great. It’s chocked full of easy to understand explanations and little five line code fragments to demonstrate what he’s explaining. Sure enough, if you read the whole thing, you’ll understand the essentials of PHP Security. Hey – perhaps that explains the title?Do I need this book if my company already uses web scanning security software? Yes – you won’t understand the problems that those products identify if you don’t understand PHP security basics. If you don’t understand reported errors, You’ll be tempted to ignore or suppress warnings that you don’t understand. Chris’ book will give you the knowledge that you need in a few easy to follow pages.There are a few ommissions. They include:OMISSION #1: The book should mention somewhere that many of the security vulnerabilities it describes are not unique to PHP – especially big ones like cross-site scripting and SQL injection. While PHP has some vulnerabilities that other languages do not (and vis-versa), Java, C#, Ruby, and all the other server-side languages can also be attacked with cross-site scripting, SQL injection, session spoofing, cookie theft, backdoor URLs, etc., etc.OMISSION #2: The book would have benefited from the addition of a page of system administration best practices to improve security rather than confining itself only to coding best practices. For example, it’s easy for developers to accidentally open security holes by making very small changes to the PHP.ini file. A good best practice is to use the operating system to restrict access to that file in the production environment. Or it would have good to see Chris distill role-based security administration policies, logging, or remote procedure call policies down to just the most important principles. He has a knack for filtering out the noise, and if he had added that additional 86th page, I swear I would have read it too.OMISSION #3: It’s worth mentioning how modular design has a very big impact on the number of vulnerabilities inside an application. This is especially important for PHP, because PHP code is often a little more haphazard than code written in other languages – primarily because of the culture that surrounds PHP but also for a few other reasons (we cover those reasons in the PHP Chapter of our own book on the strengths and weaknesses of various technologies).Bottom line:These criticisms are very minor. The book is short, easy-to-read, and filled with information that is absolutely essential to know if you are to responsibly deploy a server-side PHP application. Look at the table of contents. If you’re not familiar with those terms, you’d better get the book.Glenn HostetlerWeb Service and SOA Technologies

   Reply

2. Loved it!
   There were some very good best practices in this book that I immediately adopted. I’m sure most people who would be interested in this book (experienced to advanced developers) have heard many of the best practice concepts in this book before from various sources, however I’ve yet to see someone develop a method to handling these ideas.It was a shorter book than I was expecting (yes, that’s my goof for not noticing the page count when I purchased it) however I’m glad that I didn’t notice that fact before purchasing otherwise I might have overlooked it as more of a reference book rather than a teaching book. I was very happy with the book and would recommend it to anyone interested in some solid best practices for PHP security.

   Reply

3. Common threats handled
   Good overview of common threats on web applications, that are handled specifically in php. The author often repeats one of the arguments, but this one is actually the central thing so it’s fine to repeat it until we really memorize it.

   Reply

4. good php security book but not clear at times
   It is a good book, in mu opinion, but not a great one. The author was not clear at times at all and/or was much too terse. One may have to use this book in conjunction with some internet research in order to go over the concepts that were not so well explained. Overall, the book does serve its purpose, which is, i believe, to give a very good overview of the PHP and PHP related security issues, as well as to provide recommendations how to make a PHp application ‘more secure’.

   Reply

5. Short and sweet.
   This is an excellent read for anyone, not just those using PHP. The provided information is very nicely laid out with very fluff but good practical understanding and application. A must read for anyone doing any professional programming.

   Reply

6. extremely useful book
   This book is extremely useful for those creating web sites with PHP. It is short and to the point with good examples of how poor web sites are created and how to build them securely.

   Reply

7. Bad advice presented as “best practices.”
   About 15 years ago, PHP was still missing a lot of features that, today, programmers take for granted. PHP also lagged significantly in adding features critical to secure software.Unfortunately, during the interim, a set of “best practices” emerged that involved doing things like salting passwords and using a function named “mysql_real_escape_string” (so named because “mysql_escape_string” and similar functions were found to be inadequate protection.) Indeed, while these were the best ideas at the time when the language lacked a lot of features, they are now considered *worst* practices, and are of little use. Instead, programmers should use parametric queries with bound parameters and bcrypt-style hashing of passwords – but the book barely mentions them at all, and relegates these superior practices to mere footnotes.Burn this book. The author is ignorant of real security threats and is 15 years out of date.

   Reply

8. useful but not enough information
   I am PHP software developer for many years. I am buying that type of books with hope to find at least one new trick or some interesting code style. From that point of view – the book is worth to be bought. The only disadvantage is the size, it is too short (about 100 pages).

   Reply

9. Il libro non ha moltissime pagine, tuttavia illustra in pochi semplici passi gli errori più comuni legati alla sicurezza e propone esempi di codice PHP per rendere più sicure le nostre pagine.Se partiamo dal concetto che la sicurezza non è un optional, questo libro pone le basi per iniziare a proteggere i nostri siti dagli attacchi più ricorrenti.Molto illuminante!Lo consiglio a tutti i programmatori che utilizzano PHP per programmare i propri siti.

   Reply

10. Cet ouvrage date un peu mais a le mérite d’analyser les failles potentielles de PHP en partant du début.Les notions abordées sont illustrées par des scripts à profusion. Ce livre est d’un intérêt certain pour ceux qui souhaitent approfondir la sécurité informatique du web

    Reply

11. Gutes Buch um mehr über die Absicherung von PHP zu erfahren. Allerdings könnte man manche Kapitel anders gestallten und auch auf manche alten Zöpfe verzichten.

    Reply

12. One of the problems with computing books tends to be they ramble on, and on and on…. But not this one. It short, very short. But perfect for that. It doesn’t tell you about the history of PHP, it doesn’t sell PHP as a scripting language, it tells shows you how to protect your site from being attacked. It’s not an in depth security book, it’s a very practical guide to help you a developer build (and maintain) a site in a secure way. Nothing more nothing less, if you ever use PHP buy this book, and spend an afternoon reading it, then the next week fixing the holes in what you thought was a secure site.

    Reply

13. 😉 hier rmuss man mindestens 16 Wörter schreiben, noch ein Wort noch ein Wort noch ein Wort noch ein Wort

    Reply