Essential PHP Security - O'Reilly's Latest Release
[Posted November 21, 2005 by cook]
| From: | "Kathryn Barrett" <kathrynb-AT-oreilly.com> |
| To: | lwn-AT-lwn.net |
| Subject: | Essential PHP Security - O'Reilly's Latest Release |
| Date: | Thu, 17 Nov 2005 15:29:57 -0800 |
For Immediate Release
For more information, a review copy, cover art, or an interview with
the author, contact:
Kathryn Barrett (707) 827-7094 or kathrynb@oreilly.com
A Guide to Building Secure Web Applications
O'Reilly Releases "Essential PHP Security"
Sebastopol, CA--With PHP's transition from a set of tools for personal
home page development to the world's most popular web programming
language, PHP developers have acquired some new concerns, such as
performance, maintainability, scalability, reliability, and--perhaps most
important--security. "Traditionally, security has been a topic of concern
for network, database, and systems engineers," says Chris Shiflett, author
of the new book "Essential PHP Security" (O'Reilly, US $29.95). "Over
time, there has been a shift in focus up the protocol stack, and web
developers now find themselves primarily responsible for the security of
critical applications."
As Shiflett explains, unlike language features such as conditional
expressions and looping constructs, security is abstract. He says that it
is not so much a characteristic of a language as it is a characteristic of
a developer: no language can prevent insecure code, although there are
language features that can aid or hinder a security-conscious developer.
His book teaches developers how to write secure PHP code; however, the
topics and techniques can easily apply to all web development
technologies.
Andi Gutmans, PHP architect and co-founder of Zend Technologies, writes in
his foreword to the book that security is crucial for PHP. "Recently,
there have been numerous security alerts around PHP. But, in fact, the
majority of them are not a result of flaws in PHP itself, but are due to
improper and insecure uses of PHP by applications developers," says
Gutmans. He says that, unlike in the Java or .NET space, the PHP
community releases dozens of PHP applications to the open source
community, such as content management systems, e-commerce systems, and
forums. When security bugs appear in those applications, they are often
confused with the PHP technology itself, hurting the perception of PHP in
the marketplace.
It's no easy task to ensure that all PHP developers are up to speed with
security practices, a task exacerbated by lack of materials dedicated to
the subject and no simple rules for dos and don'ts. But there is hope, as
Gutmans points out: "Chris Shiflett, the author of this book, has
dedicated his career to improving PHP application-level security. With
'Essential PHP Security' Chris brings long-needed security guidelines to
PHP developers everywhere."
This much-needed, much-requested book explains the most common types of
attacks and how to write code that can withstand them. Each chapter in the
book covers an aspect of a web application (such as form processing,
database programming, session management, and authentication). The
chapters provide examples of potential attacks and then explain techniques
to prevent those attacks. Topics covered include:
- Preventing cross-site scripting (XSS) vulnerabilities
- Protecting against SQL injection attacks
- Complicating session hijacking attempts
Given the growing frequency of attacks on web sites, it's more critical
than ever to know how to write code that isn't susceptible. This focused
book offers developers a deeper understanding and appreciation of the
safeguards they can put in place.
Additional Resources:
Chapter 4, "Sessions and Cookies," is available online at:
http://www.oreilly.com/catalog/phpsec/chapter/index.html
For more information about the book, including table of contents, index,
author bio, and samples, see:
http://www.oreilly.com/catalog/phpsec/
For a cover graphic in JPEG format, go to:
ftp://ftp.ora.com/pub/graphics/book_covers/hi-res/0596006...
Essential PHP Security
Chris Shiflett
ISBN: 0-596-00656-X, 109 pages, $29.95 US, $41.95 CA
order@oreilly.com
1-800-998-9938
1-707-827-7000
http://www.oreilly.com
1005 Gravenstein Highway North
Sebastopol, CA 95472
About O'Reilly
O'Reilly Media, Inc. is the premier information source for leading-edge
computer technologies. The company's books, conferences, and web sites
bring to light the knowledge of technology innovators. O'Reilly books,
known for the animals on their covers, occupy a treasured place on the
shelves of the developers building the next generation of software.
O'Reilly conferences and summits bring alpha geeks and forward-thinking
business leaders together to shape the revolutionary ideas that spark new
industries. From the Internet to XML, open source, .NET, Java, and web
services, O'Reilly puts technologies on the map. For more information:
http://www.oreilly.com
# # #
O'Reilly is a registered trademark of O'Reilly Media, Inc. All other
trademarks are property of their respective owners.