With a multitude of technology-savvy users with unknown motives on the Internet, security is an ongoing process. A series of 5 articles by Clancy Malcolm and John Coggeshall and published by O'Reilly, the PHP Security Collection offers practical, solid advice to help secure your PHP scripts and applications. The first two articles penned by Malcolm, Ten Security Checks for PHP, Parts 1 and 2, point out 10 common security mistakes programmers make when writing their code. But, what is especially nice is the structure Malcom uses to convey this information: after pointing out a potential risk, he then goes on to identifies what type of code one should look for and suggests possible fixes or improvements. He explains SQL injection attacks, why global variables shouldn't be trusted, why the .php extension should be used for all script files as opposed to .inc or .class and more. Reading through the list helped me to identify some risks my own code had and to secure it. The final three articles penned by Coggeshall, PHP Security, Parts 1, 2 and 3, discuss the importance of security when programming with PHP. In part 1 he teaches it's important to be keep in mind how a malicious user could make a script behave in an unintended manner when writing the application. Coggeshall stresses outside data should never be trusted and sensitive data should not be stored in the web tree, and urges coders to implement the recommended security precautions found in the PHP manual. Coggeshall spends the most of part 2 getting "down and dirty" and showing how PHP system calls can be exploited and how they can be secured. Part 3 highlights the administrator's and programmer's most powerful (yet often neglected) tool of defense, the system logs. An appropriate error-logging mechanism is crucial for keeping runtime errors from revealing too much information about the internals of a script and yet still provide adequate information to developers. Common coding errors can leave an application vulnerable to attack, so it's important to "think like the bad guys" while writing your code. The 5 articles of O'Reilly's PHP Security Collections help a coder do just that. With comprehensive coverage of basic attacks to advanced attacks to defense, Malcolm's and Coggeshall's articles are a must read. | DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
More PHP Book Reviews Articles More By bluephoenix developerWorks - FREE Tools! | Learn field-tested SOA principles, methodology, technology and implementation from the global SOA market leader - in a new e-book by an IBM SOA expert. Written by IBM Certified SOA Solution Designer Bobby Woolf, "Exploring IBM SOA Technology & Practice" is the ultimate insider's guide to SOA - a PDF e-book packed cover to cover with IBM's specific advice on how to make your SOA implementation a success. FREE! Go There Now!
| | | | Effective governance for lean development isn’t about command and control. Instead, the focus is on enabling the right behaviors and practices through collaborative and supportive techniques. Hear from Scott Ambler on how it is far more effective to motivate people to do the right thing than it is to force them to do so. Learn how to form a lightweight, collaboration-based framework that reflects the realities of modern IT organizations. FREE! Go There Now!
| | | | Learn how you can extend modern application lifecycle management to IBM System z through the IBM Rational Software Delivery Platform (SDP). The Did you say mainframe? e-kit includes podcasts, webcasts, tutorials, white and red papers, demos, and articles designed to help ease the challenges of modernizing your enterprise. This complimentary kit for mainframe developers is a practical, how-to guide for making the most of an existing development environment, including the skills and infrastructure already in place at an established enterprise. FREE! Go There Now!
| | | | Visit IBM developerWorks to download IBM DB2 Express-C 9.5, a no-charge version of DB2 Express 9 database server. DB2 Express-C offers the same core data server base features as other DB2 Express editions and provides a solid base to build and deploy applications developed using C/C++, Java, .NET, PHP, and other programming languages. FREE! Go There Now!
| | | | Download the IBM WebSphere Portal V6.1 beta code and learn more about the rich features and enhancements in IBM WebSphere Portal V6.1. WebSphere Portal provides a composite application or business mashup framework and the advanced tooling needed to build flexible, SOA-based solutions, and scalability to meet the needs of any size organization. FREE! Go There Now!
| | | | Visit IBM developerWorks to download a free trial version of WebSphere Extended Deployment Compute Grid, which lets you schedule, execute, and monitor batch jobs. Because online transaction processing and batch jobs execute simultaneously on the same server resources, you can avoid costly duplication of resources. Compute Grid supports job types of Java transactional batch, compute-intensive and a new type called "native execution", which enables non-Java workloads to run on distributed end points. FREE! Go There Now!
| | | | Join us for this web seminar to learn how you can defend your web applications from attack. Learn about the 3 most common web application attacks, including how they occur and what can be done to prevent them. We’ll also discuss manual versus automated approaches for scanning and identifying web application vulnerabilities and how IBM Rational AppScan, an automated vulnerability scanner, can help you automate more of what you are doing manually today. FREE! Go There Now!
| | | | Join this webcast to see how IBM Data Studio Developer and pureQuery can take the pain out of Java data access. uApplications developed using both Java and SQL have become a common requirement. Database connectivity using Java Database Connectivity (JDBC) to create an application is a multi-step tedious process, and tooling that covers both SQL and Java has been unavailable, until now. IBM Data Studio introduces the pureQuery platform: a high-performance, Java data access platform focused on simplifying the tasks of developing, managing, and optimizing database applications and services. FREE! Go There Now!
| | | | Join this Rational Talks to You teleconference, to hear how Enterprise Generation Language (EGL) eliminates the need for tedious and error-prone low level coding, so developers can focus on business requirements. EGL extends the Rational software development platform with a simplified programming language that enables developers who have little or no experience with Java, Web technologies or Service Oriented Architecture, to create enterprise-class applications and services quickly and easily. It also allows developers who may have little or no mainframe programming experience to quickly create traditional mainframe components. FREE! Go There Now!
| | | | Explore how Rational and WebSphere software enable enterprise documentation in SOA environments. Specifically, a new integration between IBM WebSphere® Business Modeler and IBM Rational® Method Composer software can help technical writers more easily keep enterprise operations manuals in sync with changes that are made to business processes, resulting in more accurate and timely documentation that benefits the entire enterprise. FREE! Go There Now!
| | | | All FREE IBM® developerWorks Tools! | |