With a multitude of technology-savvy users with unknown motives on the Internet, security is an ongoing process. A series of five articles by Clancy Malcolm and John Coggeshall, published by O'Reilly, the PHP Security Collection offers practical, solid advice to help secure your PHP scripts and applications.

The first two articles, penned by Malcolm, Ten Security Checks for PHP, Parts 1 and 2, point out ten common security mistakes programmers make when writing their code. What is especially nice is the structure Malcolm uses to convey this information: after pointing out a potential risk, he goes on to identify what type of code one should look for and suggests possible fixes or improvements. He explains SQL injection attacks, why global variables shouldn't be trusted, why the .php extension should be used for all script files as opposed to .inc or .class, and more. Reading through the list helped me to identify some risks in my own code and to secure it.

The final three articles, penned by Coggeshall, PHP Security, Parts 1, 2 and 3, discuss the importance of security when programming with PHP. In part 1 he teaches that, while writing the application, it is important to keep in mind how a malicious user could make a script behave in an unintended manner. Coggeshall stresses that outside data should never be trusted and sensitive data should not be stored in the web tree, and urges coders to implement the recommended security precautions found in the PHP manual. Coggeshall spends most of part 2 getting "down and dirty", showing how PHP system calls can be exploited and how they can be secured. Part 3 highlights the administrator's and programmer's most powerful (yet often neglected) tool of defense, the system logs. An appropriate error-logging mechanism is crucial for keeping runtime errors from revealing too much information about the internals of a script while still providing adequate information to developers.
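To make a few of the checks described above concrete, here is a small PHP script added for this review; it is not code from either author's articles. It shows three of the points the series makes: runtime errors go to a log rather than the visitor's screen, outside data is validated before use, and SQL is built with placeholders instead of string concatenation. It assumes a PHP build with PDO and the pdo_sqlite driver, and the log file path is an assumption.

```php
<?php
// Added illustration for this review; not from the O'Reilly articles.
// Assumes PHP with PDO and the pdo_sqlite driver available.
declare(strict_types=1);

// Check: runtime errors are logged, not displayed to the visitor.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', __DIR__ . '/app-error.log'); // log path is an assumption
error_reporting(E_ALL);

// Check: never trust outside data. Validate and coerce before use.
function readUserId(array $request): int
{
    $id = filter_var($request['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

// Check: bind parameters so input can never change the query's structure.
function findUser(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory table so the script runs offline.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// The string-concatenated form the articles tell you to look for and remove:
// $unsafe = "SELECT id, name FROM users WHERE id = " . $_GET['id'];

// Constructed sample inputs: one valid id, one injection attempt, one out of range.
foreach (['2', '1 OR 1=1', '-5'] as $input) {
    try {
        $user = findUser($db, readUserId(['id' => $input]));
        echo "input '$input' -> " . ($user ? $user['name'] : 'no such user') . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // Detail goes to the log; the visitor only sees a generic message.
        error_log('rejected request: ' . $e->getMessage());
        echo "input '$input' -> rejected" . PHP_EOL;
    }
}
```

Run it from the command line with `php script.php`: the first input resolves to a user, and the other two are rejected by validation before any SQL is built, with the reason written to the log file rather than the response.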
Common coding errors can leave an application vulnerable to attack, so it's important to "think like the bad guys" while writing your code. The five articles of O'Reilly's PHP Security Collection help a coder do just that. With comprehensive coverage ranging from basic attacks to advanced attacks to defense, Malcolm's and Coggeshall's articles are a must-read.
By bluephoenix