
Review: Securing PHP Web Applications

Iain Laskey enthuses about this book aimed at PHP developers but applicable to a wider audience.

Product: Securing PHP Web Applications
Company: Addison Wesley
Web: www.informit.com/aw
Price: £28.99
We like: Excellent content, easy read, more than just PHP
We don't like: Nothing
Rating: 10/10
Requirements: none stated

Securing PHP Web Applications by Tricia and William Ballad is, as the name suggests, aimed at PHP developers. Accordingly, all code examples are in PHP, but it also provides an excellent primer on general security considerations for developers in any language.

The book starts off with some general thoughts about application security, pointing out that security is not just a case of setting up the server correctly: the application itself can do much to harden itself against attack. More importantly perhaps, the authors note that it is often small, apparently unimportant applications that attract attackers, because they provide an easy way into a system, and once in, an attacker can move on to anything else on it.

The early chapters discuss at length issues such as SQL injection, buffer overflows, validating input and making system calls as safely as possible. In each case there are clear explanations of the problem, examples of what can go wrong and what can be done to defend against it. The book wisely notes that no system can be 100% safe, but each technique adds a little more resistance to attack. The amount of code in the examples is actually quite small, with few listings running to more than half a dozen lines, which makes it easy to digest.

There is a particularly good section on using regular expressions to validate input, something of a black art to many developers, but here there is enough to get them using it effectively.

As the book progresses the authors explain user authentication, session security and encryption in the same lucid way. Whereas most books on, for example, session management cover only what to do to achieve the basics, this one shows what can go wrong: session poisoning, session fixation and more.
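To make the session fixation point concrete, here is an added example (not code from the book or from the reviewer) showing the mistake and the fix in PHP. In a fixation attack the attacker gets the victim to use a session id the attacker already knows, for example by sending a link carrying PHPSESSID in the query string; if the application keeps that id across login, the attacker's browser now shares the victim's authenticated session. The fix is to refuse ids from anywhere but cookies, reject ids the server did not issue, and regenerate the id at every privilege change. The user name, password and `checkCredentials()` helper are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example: session fixation, vulnerable vs. hardened login.
// Step 1: only accept the session id from a cookie, never from the URL,
// and never adopt an id the server did not issue itself (strict mode).
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');      // assumes the site is served over HTTPS
ini_set('session.cookie_samesite', 'Lax');

session_start();

/**
 * Hypothetical credential check with a single constructed user.
 * A real application would look the hash up in a database.
 */
function checkCredentials(string $user, string $password): bool
{
    static $storedHash = null;
    if ($storedHash === null) {
        $storedHash = password_hash('correct horse battery staple', PASSWORD_DEFAULT);
    }
    return $user === 'alice' && password_verify($password, $storedHash);
}

// VULNERABLE: authenticates whatever session id the client arrived with.
// If that id came from the attacker, the attacker is now logged in as the victim.
function loginVulnerable(string $user, string $password): bool
{
    if (!checkCredentials($user, $password)) {
        return false;
    }
    $_SESSION['user'] = $user;
    return true;
}

// HARDENED: issue a fresh id at the moment privilege changes and delete the
// old session data, so a pre-set id never becomes an authenticated one.
function loginHardened(string $user, string $password): bool
{
    if (!checkCredentials($user, $password)) {
        return false;
    }
    session_regenerate_id(true);   // true = remove the old session file
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
    return true;
}

// Logout must clear server-side state and expire the cookie, otherwise the
// old id keeps working until the garbage collector happens to remove it.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Usage: loginHardened('alice', 'correct horse battery staple') returns true
// and leaves the browser holding a session id that did not exist before login.
```

The `session.use_strict_mode` setting is the part most often forgotten: without it, PHP will happily create a new session under any id the client presents, which is exactly what fixation relies on. Regenerating the id on login closes the window even on servers where that setting cannot be changed.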

The next few sections are gold dust for many readers and cover securing Apache, MySQL, IIS and SQL Server. The latter is quite a large section! This sort of information is often quite hard to find, and getting all the major web hosting platforms covered in one place is a real bonus.

Another useful section, which is also fairly generic, covers testing your applications for weaknesses using tools such as CAL9000 and PowerFuzzer. CAL9000 gets the most coverage, but it's a powerful tool and not one I was previously aware of, so this section was particularly interesting to me.

The book finishes off with guidelines on approaching application design and plugging holes in existing applications along with a glossary and list of useful web sites.

Conclusion

This is one of the best books I've read in some time. It's packed full of useful information, a fascinating read and full of the sort of real-world experience that can take years to acquire to any level of competence. Here it all is in one easy read. As such, Securing PHP Web Applications easily earns 10/10 and gets a firm recommendation for PHP programmers and non-PHP programmers alike.

Iain Laskey
