The author doesn't get into the intestines of PHP security breaches. This book has some good examples for beginners with very pristine knowledge of PHP security at all. If you plan to maintain a better security system or even to gain knowledge on more elaborate, extensive infringements, this book will not deliver the goods. Technically, for a book on PHP, the author focuses way too much on IIS server-security, which is 90% irrelevant to PHP programmers.
The book guides you through building and strengthening a guest-book for a website. Now in spite of guest-books being almost extinct, this is a very simple example of PHP code, which plausibly doesn't require any intricate security mechanism. Hence the author almost excuses herself for not having gone TOO DEEP on security. Nevertheless, the author does not spare the reader when she verbosely describes general security topics.
If the author had indeed chosen to focus on a more implementable example and demonstrate viable security through and through, this would've been a really great book. So, if you're looking for more than Guest-Book intricacy, find something else.
Author(s): Tricia Ballad, William Ballad
Publisher: Addison-Wesley
Year: 2009
Language: English
Pages: 330
City: Upper Saddle River, NJ
Contents
Acknowledgments
About the Authors
Part I: Web Development Is a Blood Sport—Don't Wander onto the Field Without a Helmet
Reality Check
Security Is a Server Issue
Security Through Obscurity
"My Application Isn't Major Enough to Get Hacked"
Wrapping It Up
Part II: Is That Hole Really Big Enough to Drive a Truck Through?
The Guestbook Application
Users Do the Darnedest Things...
Building an Error-Handling Mechanism
Wrapping It Up
Navigating the Dangerous Waters of exec(), system(), and Backticks
Using escapeshellcmd() and escapeshellarg() to Secure System Calls
Create an API to Handle All System Calls
Patch the Guestbook Application
Wrapping It Up
Part III: What's In a Name? More Than You Expect
What Is a Buffer, How Does It Overflow, and Why Should You Care?
Prevent Buffer Overflows by Sanitizing Variables
Patch the Application
Wrapping It Up
New Feature: Allow Users to Sign Their Guestbook Comments
The Problem: Users Who Give You More Than You Asked For
Assumptions: You Know What Your Data Looks Like
The Solution: Regular Expressions to Validate Input
Wrapping It Up
Opening Files
Creating and Storing Files
Changing File Properties Safely
Patching the Application to Allow User-Uploaded Image Files
Wrapping It Up
Part IV: "Aw come on man, you can trust me"
What Is User Authentication?
Privileges
How to Authenticate Users
Storing Usernames and Passwords
Patching the Application to Authenticate Users
Wrapping It Up
What Is Encryption?
Choosing an Encryption Type
Patching the Application to Encrypt Passwords
Wrapping It Up
Major Types of Session Attacks
Patching the Application to Secure the Session
Wrapping It Up
Reflected XSS
Patching the Application to Prevent XSS Attacks
Wrapping It Up
Part V: Locking Up for the Night
Programming Languages, Web Servers, and Operating Systems Are Inherently Insecure
Securing a UNIX, Linux, or Mac OS X Environment
Securing Apache
Securing MySQL
Wrapping It Up
Securing a Windows Server Environment
Securing IIS
Securing SQL Server
Wrapping It Up
Using the Latest Version of PHP
Using the Security Features Built into PHP and Apache
Using ModSecurity
Hardening php.ini
Wrapping It Up
Why Are We Talking About Testing in a Security Book?
Testing Framework
Types of Tests
Choosing Solid Test Data
Wrapping It Up
What Is Exploit Testing?
Fuzzing
Testing Toolkits
Proprietary Test Suites
Wrapping It Up
Part VI: "Don't Get Hacked" Is Not a Viable Security Policy
Before You Sit Down at the Keyboard...
Identifying Points of Failure
Wrapping It Up
Set Up Your Environment
Application Hardening Checklist
Wrapping It Up
Avoid Feature Creep
Write Self-Documenting Code
Use the Right Tools for the Job
Have Your Code Peer-Reviewed
Wrapping It Up
PEAR
Books
Web Sites
Automated Testing Tools