
Securing PHP Web Applications

✍ Scribed by Ballad, Tricia; Ballad, William


Publisher
Addison-Wesley Professional
Year
2008
Tongue
English
Leaves
330
Series
For Mere Mortals
Category
Library


✦ Synopsis


Easy, Powerful Code Security Techniques for Every PHP Developer

Hackers specifically target PHP Web applications. Why? Because they know many of these apps are written by programmers with little or no experience or training in software security. Don't be victimized. "Securing PHP Web Applications" will help you master the specific techniques, skills, and best practices you need to write rock-solid PHP code and harden the PHP software you're already using. Drawing on more than fifteen years of experience in Web development, security, and training, Tricia and William Ballad show how security flaws can find their way into PHP code, and they identify the most common security mistakes made by PHP developers. The authors present practical, specific solutions: techniques that are surprisingly easy to understand and use, no matter what level of PHP programming expertise you have. "Securing PHP Web Applications" covers the most important aspects of PHP code security, from error handling and buffer overflows to input validation and filesystem access. The authors explode the myths that discourage PHP programmers from attempting to secure their code and teach you how to instinctively write more secure code without compromising your software's performance or your own productivity.

Coverage includes:

Designing secure applications from the very beginning and plugging holes in applications you can't rewrite from scratch
Defending against session hijacking, fixation, and poisoning attacks that PHP can't resist on its own
Securing the servers your PHP code runs on, including specific guidance for Apache, MySQL, IIS/SQL Server, and more
Enforcing strict authentication and making the most of encryption
Preventing dangerous cross-site scripting (XSS) attacks
Systematically testing your applications for security, including detailed discussions of exploit testing and PHP test automation
Addressing known vulnerabilities in the third-party applications you're already running

Tricia and William Ballad demystify PHP security by presenting realistic scenarios and code examples, practical checklists, detailed visuals, and more. Whether you write Web applications professionally or casually, or simply use someone else's PHP scripts, you need this book, and you need it now, before the hackers find you!

✦ Table of Contents


Cover......Page 1
Contents......Page 6
Acknowledgments......Page 14
About the Authors......Page 16
Part I: Web Development Is a Blood Sport—Don't Wander onto the Field Without a Helmet......Page 18
Reality Check......Page 20
Security Is a Server Issue......Page 22
Security Through Obscurity......Page 24
“My Application Isn’t Major Enough to Get Hacked”......Page 26
Wrapping It Up......Page 27
Part II: Is That Hole Really Big Enough to Drive a Truck Through?......Page 28
The Guestbook Application......Page 30
Users Do the Darnedest Things . . .......Page 32
Building an Error-Handling Mechanism......Page 36
Wrapping It Up......Page 43
Navigating the Dangerous Waters of exec(), system(), and Backticks......Page 44
Using escapeshellcmd() and escapeshellarg() to Secure System Calls......Page 47
Create an API to Handle All System Calls......Page 48
Patch the Guestbook Application......Page 49
Wrapping It Up......Page 51
Part III: What's In a Name? More Than You Expect......Page 52
What Is a Buffer, How Does It Overflow, and Why Should You Care?......Page 54
Prevent Buffer Overflows by Sanitizing Variables......Page 63
Patch the Application......Page 66
Wrapping It Up......Page 69
New Feature: Allow Users to Sign Their Guestbook Comments......Page 70
The Problem: Users Who Give You More Than You Asked For......Page 71
Assumptions: You Know What Your Data Looks Like......Page 72
The Solution: Regular Expressions to Validate Input......Page 74
Wrapping It Up......Page 84
Opening Files......Page 86
Creating and Storing Files......Page 90
Changing File Properties Safely......Page 93
Patching the Application to Allow User-Uploaded Image Files......Page 105
Wrapping It Up......Page 107
Part IV: “Aw come on man, you can trust me”......Page 110
What Is User Authentication?......Page 112
Privileges......Page 117
How to Authenticate Users......Page 118
Storing Usernames and Passwords......Page 132
Patching the Application to Authenticate Users......Page 134
Wrapping It Up......Page 137
What Is Encryption?......Page 138
Choosing an Encryption Type......Page 140
Patching the Application to Encrypt Passwords......Page 142
Wrapping It Up......Page 145
Major Types of Session Attacks......Page 146
Patching the Application to Secure the Session......Page 150
Wrapping It Up......Page 153
Reflected XSS......Page 154
Patching the Application to Prevent XSS Attacks......Page 155
Wrapping It Up......Page 156
Part V: Locking Up for the Night......Page 158
Programming Languages, Web Servers, and Operating Systems Are Inherently Insecure......Page 160
Securing a UNIX, Linux, or Mac OS X Environment......Page 161
Securing Apache......Page 164
Securing MySQL......Page 176
Wrapping It Up......Page 183
Securing a Windows Server Environment......Page 184
Securing IIS......Page 194
Securing SQL Server......Page 204
Wrapping It Up......Page 222
Using the Latest Version of PHP......Page 224
Using the Security Features Built into PHP and Apache......Page 230
Using ModSecurity......Page 232
Hardening php.ini......Page 233
Wrapping It Up......Page 235
Why Are We Talking About Testing in a Security Book?......Page 236
Testing Framework......Page 237
Types of Tests......Page 239
Choosing Solid Test Data......Page 240
Wrapping It Up......Page 241
What Is Exploit Testing?......Page 242
Fuzzing......Page 243
Testing Toolkits......Page 250
Proprietary Test Suites......Page 263
Wrapping It Up......Page 271
Part VI: “Don’t Get Hacked” Is Not a Viable Security Policy......Page 272
Before You Sit Down at the Keyboard . . .......Page 274
Identifying Points of Failure......Page 286
Wrapping It Up......Page 288
Set Up Your Environment......Page 290
Application Hardening Checklist......Page 293
Wrapping It Up......Page 295
Avoid Feature Creep......Page 296
Write Self-Documenting Code......Page 297
Use the Right Tools for the Job......Page 299
Have Your Code Peer-Reviewed......Page 300
Wrapping It Up......Page 301
PEAR......Page 302
Books......Page 303
Web Sites......Page 304
Automated Testing Tools......Page 305
C......Page 306
P......Page 307
S......Page 308
W......Page 309
A......Page 310
C......Page 312
D......Page 313
F......Page 314
H......Page 315
I......Page 316
M......Page 317
P......Page 318
S......Page 320
T......Page 322
U......Page 323
W......Page 324
Z......Page 325

✦ Subjects


Computer Science;Programming


✦ Similar Volumes


Securing PHP Web Applications
✍ Tricia Ballad, William Ballad · Library · 2009 · Addison-Wesley · English

It is a very good book which covers all aspects of creating a secure PHP web application

Securing PHP Web Applications
✍ Tricia Ballad, William Ballad · Library · 2008 · Addison-Wesley Professional · English

Easy, Powerful Code Security Techniques for Every PHP Developer. Hackers specifically target PHP Web applications. Why? Because they know many of these apps are written by programmers with little or no experienc

Securing PHP Web Applications
✍ Tricia Ballad, William Ballad · Library · 2009 · Addison-Wesley · English

The author doesn't get into the intestines of PHP security breaches. This book has some good examples for beginners with very pristine knowledge of PHP security at all. If you plan to maintain a better security system or even to gain knowledge on more elaborate, extensive infringements, this book wi