php|architect's Guide to PHP Security

✍ Scribed by Ilia Alshanetsky, Rasmus Lerdorf


Year
2005
Tongue
English
Leaves
201
Category
Library


✦ Synopsis


With the number of security flaws and exploits discovered and released every day constantly on the rise, knowing how to write secure and reliable applications is becoming more important every day. Written by Ilia Alshanetsky, one of the foremost experts on PHP security in the world, php|architect's Guide to PHP Security focuses on providing you with all the tools and knowledge you need both to secure your existing applications and to write new systems with security in mind. This book gives you a step-by-step guide to each security-related topic, providing real-world examples of proper coding practices and their implementation in PHP in an accurate, concise and complete way.

Provides techniques applicable to any version of PHP, including 4.x and 5.x
Includes a step-by-step guide to securing your applications
Includes comprehensive coverage of security design
Teaches you how to defend yourself from hackers
Shows you how to distract hackers with a "tar pit" to help you fend off potential attacks

✦ Table of Contents


Foreword......Page 14
Introduction......Page 18
Input Validation......Page 22
The Trouble with Input......Page 23
The Constant Solution......Page 26
The $_REQUEST Trojan Horse......Page 28
Validating Numeric Data......Page 29
Locale Troubles......Page 30
String Validation......Page 31
Content Size Validation......Page 35
White List Validation......Page 37
Configuration Settings......Page 38
File Input......Page 39
File Content Validation......Page 40
Accessing Uploaded Data......Page 42
File Size......Page 43
The Dangers of Magic Quotes......Page 44
Magic Quotes Normalization......Page 45
Magic Quotes & Files......Page 47
Validating Serialized Data......Page 48
External Resource Validation......Page 50
Cross-Site Scripting Prevention......Page 54
Handling Attributes......Page 55
HTML Entities & Filters......Page 57
Exclusion Approach......Page 61
Handling Valid Attributes......Page 64
URL Attribute Tricks......Page 65
IP Address Information......Page 67
Script Location......Page 68
More Severe XSS Exploits......Page 69
Cookie/Session Theft......Page 70
Form Data Theft......Page 71
Changing Page Content......Page 72
SQL Injection......Page 74
Magic Quotes......Page 75
Prepared Statements......Page 76
No Means of Escape......Page 78
The LIKE Quandary......Page 79
SQL Error Handling......Page 80
Authentication Data Storage......Page 81
Maintaining Performance......Page 84
Query Caching......Page 86
Preventing Code Injection......Page 88
Using Full Paths......Page 89
Possible Dangers of Remote File Access......Page 90
Validating File Names......Page 92
Securing Eval......Page 95
Dynamic Functions and Variables......Page 96
Code Injection via PCRE......Page 98
Command Injection......Page 102
Resource Exhaustion via Command Injection......Page 103
The PATH Exploit......Page 105
Hidden Dangers......Page 106
Application Bugs and Setting Limits......Page 107
PHP Execution Process......Page 109
Session Security......Page 114
Man in the Middle Attacks......Page 115
URL Sessions......Page 116
Surviving Attacks......Page 118
Native Protection Mechanism......Page 119
Expiry Time Tricks......Page 120
Server Side Expiry Mechanisms......Page 121
Mixing Security and Convenience......Page 122
Securing Session Storage......Page 123
Session ID Rotation......Page 127
IP Based Validation......Page 129
Browser Signature......Page 130
Referrer Validation......Page 131
User Education......Page 132
Securing File Access......Page 136
The Dangers of “Worldwide” Access......Page 137
PHP Encoders......Page 138
Manual Encryption......Page 139
Open Base Directory......Page 140
Securing Write Access......Page 141
File Signature......Page 143
Safe Mode......Page 144
An Alternate PHP Execution Mechanism......Page 145
FastCGI......Page 146
Shared Hosting Woes......Page 147
File Masking......Page 148
Words of Caution......Page 154
Hide Your Files......Page 155
Obscure Compiled Templates......Page 157
Obscure Field Names......Page 159
Field Name Randomization......Page 160
Use POST......Page 161
HTML Comments......Page 162
Software Identification......Page 163
Sandboxes and Tar Pits......Page 166
Building a Sandbox......Page 167
Tracking Passwords......Page 168
Identify the Source of the Attack Source......Page 170
Find Routing Information......Page 171
Limitations with IP Addresses......Page 172
Record the Referring URL......Page 174
Capture all Input Data......Page 175
Build a Tar Pit......Page 177
Securing Your Applications......Page 180
Replace the Usage of Register Globals......Page 181
Avoid $_REQUEST......Page 182
Disable Magic Quotes......Page 183
Improve SQL Security......Page 184
Prevent Code Injection......Page 185
Watch Out for Dynamic Names......Page 186
Minimize the Use of External Commands......Page 187
Obfuscate and Prepare a Sandbox......Page 188
Index......Page 190


📜 SIMILAR VOLUMES


php|architect's Guide to PHP Security|
✍ Ilia Alshanetsky, Rasmus Lerdorf 📂 Library 📅 2005 🏛 Marco Tabini & Associates, Inc. 🌐 English

Overall, an excellent resource for security. Its small size means that the topics are narrow enough to be digested and acted upon individually.

php architect's Guide to PHP Security
✍ Ilia Alshanetsky 📂 Library 📅 2005 🏛 Marco Tabini & Associates, Inc. 🌐 English

With the number of security flaws and exploits discovered and released every day constantly on the rise, knowing how to write secure and reliable applications is become more and more important every day. Written by Ilia Alshanetsky, one of the foremost experts on PHP security in the world, php|ar

PHP|Architect's Guide to PHP Design Patt
✍ Jason E. Sweat 📂 Library 📅 2005 🏛 Marco Tabini & Associates, Inc. 🌐 English

I'm relatively new to objects and design patterns and have been learning them for only the last 4 months. As most people know, PHP 5 was the first iteration of a halfway decent object implementation in PHP. Therefore there are just now beginning to be OO-related design books on the market for this f

php architect's Guide to PHP 5 Migration
✍ Stefan Priebsch 📂 Library 📅 2008 🏛 Marco Tabini & Associates, Inc. 🌐 English

This is the only book you will need to help you through the rough spots when migrating your PHP apps from PHP4 to PHP5. Not only is this an extremely comprehensive and in-depth resource, it will show you virtually every pitfall you may encounter and will undoubtedly make your migration as smooth as