With a multitude of technology-savvy users with unknown motives on the Internet, security is an ongoing process. A series of 5 articles by Clancy Malcolm and John Coggeshall and published by O'Reilly, the PHP Security Collection offers practical, solid advice to help secure your PHP scripts and applications. The first two articles penned by Malcolm, Ten Security Checks for PHP, Parts 1 and 2, point out 10 common security mistakes programmers make when writing their code. But, what is especially nice is the structure Malcom uses to convey this information: after pointing out a potential risk, he then goes on to identifies what type of code one should look for and suggests possible fixes or improvements. He explains SQL injection attacks, why global variables shouldn't be trusted, why the .php extension should be used for all script files as opposed to .inc or .class and more. Reading through the list helped me to identify some risks my own code had and to secure it. The final three articles penned by Coggeshall, PHP Security, Parts 1, 2 and 3, discuss the importance of security when programming with PHP. In part 1 he teaches it's important to be keep in mind how a malicious user could make a script behave in an unintended manner when writing the application. Coggeshall stresses outside data should never be trusted and sensitive data should not be stored in the web tree, and urges coders to implement the recommended security precautions found in the PHP manual. Coggeshall spends the most of part 2 getting "down and dirty" and showing how PHP system calls can be exploited and how they can be secured. Part 3 highlights the administrator's and programmer's most powerful (yet often neglected) tool of defense, the system logs. An appropriate error-logging mechanism is crucial for keeping runtime errors from revealing too much information about the internals of a script and yet still provide adequate information to developers. Common coding errors can leave an application vulnerable to attack, so it's important to "think like the bad guys" while writing your code. The 5 articles of O'Reilly's PHP Security Collections help a coder do just that. With comprehensive coverage of basic attacks to advanced attacks to defense, Malcolm's and Coggeshall's articles are a must read. | DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
More PHP Book Reviews Articles More By bluephoenix developerWorks - FREE Tools! | <a href="http://zeus.developershed.com/shonuff.php?blackbird=3853&zoneid=442&source=&dest=http%3A%2F%2Fwww.ibm.com%2Fdeveloperworks%2Fspaces%2Fjazz%3FS_TACT%3D105AGY31%26S_CMP%3DDEVSHED&ismap="><img src="http://images.devshed.com/corp/img/news/jazz01.gif" alt="developerWorks Jazz space" align="left"></a>You've heard the buzz about Jazz... want to know more about it from a developer's perspective? Check out the Jazz space on developerWorks. This space is an up-to-date resource for developers, including technical information about Jazz and products built on Jazz, like Rational Team Concert Express. The Jazz space includes content from a wide variety of sources, including links, feeds, and comments from experts. FREE! Go There Now!
| | | | Effective governance for lean development isn’t about command and control. Instead, the focus is on enabling the right behaviors and practices through collaborative and supportive techniques. Hear from Scott Ambler on how it is far more effective to motivate people to do the right thing than it is to force them to do so. Learn how to form a lightweight, collaboration-based framework that reflects the realities of modern IT organizations. FREE! Go There Now!
| | | | Visit IBM developerWorks to download a free trial version of WebSphere Business Modeler Advanced V6.1.1, IBM’s premier business process modeling and analysis tool for business users that offers process modeling, simulation, and analysis capabilities. IBM WebSphere Business Modeler helps you visualize, understand, and document business processes for continuous improvement. FREE! Go There Now!
| | | | IBM Enterprise Modernization solutions help organizations evolve core IT systems towards modern architectures and technologies—reducing the burden of maintenance and freeing up resources to develop new business requirements and capabilities. With the IBM Enterprise Modernization Sandbox for System z you can evaluate IBM Enterprise Modernization solutions focused on five key areas: Assets, Architectures, Skills, Processes and Infrastructures, and Investment. Each solution is based upon real customer experiences and offers a proven path to get you started with your modernization projects. FREE! Go There Now!
| | | | Analysts, architects, and developers who have existing COBOL or PL/I skills and want to extend those skills to deploy new workloads on the mainframe can use the IBM Enterprise Modernization Sandbox for System z to find hands-on walkthroughs of common real world scenarios. The scenarios provide examples of how to rapidly design, create, assemble, test, and deploy high-quality Web, Web services, portal, and SOA applications for IBM CICS, IBM IMS, and IBM WebSphere Application Server. FREE! Go There Now!
| | | | Join this Rational Talks to You teleconference on November 29 at 1:00 pm ET to participate in an interactive discusssion with Grady Booch around architecture and reuse. Get your questions answered! FREE! Go There Now!
| | | | This paper is about the critical role that a discipline called integrated requirements management can play in helping to ensure that your business goals and IT investments are continuously aligned—whether you are sourcing, integrating, building or maintaining software. It also looks at ways that automated IBM Rational® products can work together to help you use requirements in the very best way. FREE! Go There Now!
| | | | Visit IBM developerWorks to try the IBM SOA Sandbox for process. The SOA Sandbox for process focuses on providing a trial environment with the necessary tooling and components required to gain a better understanding of business processes and how to best improve existing business processes to derive value quickly. FREE! Go There Now!
| | | | Join this webcast to learn how IBM Rational's Functional Testing solution enables you to implement automation your way, at your pace, with your existing staff. In this webcast, you’ll learn how you can eliminate redundancy of manual test scripts, reduce errors, and increase test coverage through test automation. After this presentation you will understand how IBM Rational Functional Testing solution can streamline your manual testing and make test automation easily attainable. FREE! Go There Now!
| | | | Viper 2 brings a great value to developer communities including SQL, XML, PHP, Ruby, .NET and Java. You probably already know that DB2 Express-C is free for developers to develop, deploy and distribute. Viper 2 provides a variety of means that help move your application from the development stage to deployment more rapidly. This webcast shows how to best utilize the latest tools available for developing DB2 applications. FREE! Go There Now!
| | | | All FREE IBM® developerWorks Tools! | |