O’Reilly news

Essential PHP Security: A Guide to Building Secure Web Applications

November 17, 2005

Sebastopol, CA--With PHP's transition from a set of tools for personal home page development to the world's most popular web programming language, PHP developers have acquired some new concerns, such as performance, maintainability, scalability, reliability, and--perhaps most important--security. "Traditionally, security has been a topic of concern for network, database, and systems engineers," says Chris Shiflett, author of the new book Essential PHP Security (O'Reilly, US $29.95). "Over time, there has been a shift in focus up the protocol stack, and web developers now find themselves primarily responsible for the security of critical applications."

As Shiflett explains, unlike language features such as conditional expressions and looping constructs, security is abstract. He says that it is not so much a characteristic of a language as it is a characteristic of a developer: no language can prevent insecure code, although there are language features that can aid or hinder a security conscious developer. His book teaches developers how to write secure PHP code, however, the topics and techniques can easily apply to all web development technologies.

Andi Gutmans, PHP architect and co-founder of Zend Technologies, writes in his foreword to the book that security is crucial for PHP. "Recently, there have been numerous security alerts around PHP. But, in fact, the majority of them are not a result of flaws in PHP itself, but are due to improper and insecure uses of PHP by applications developers." says Gutmans. He says that, unlike in the Java or .NET space, the PHP community releases dozens of PHP applications to the open source community, such as content management systems, e-commerce systems, and forums. When security bugs appear in those applications, they are often confused with the PHP technology itself, hurting the perception of PHP in the marketplace.

It's no easy task to ensure that all PHP developers are up-to-speed with security practices, a task exacerbated by lack of materials dedicated to the subject and no simple rules for dos and don'ts. But there is hope, as Gutmans points out: "Chris Shiflett, the author of this book, has dedicated his career to improving PHP application level-security. With Essential PHP Security Chris brings long-needed security guidelines to PHP developers everywhere."

This much needed, much requested book explains the most common types of attacks and how to write code that can withstand them. Each chapter in the book covers an aspect of web application (such as form processing, database programming, session management, and authentication). The chapters provide examples of potential attacks and then explain techniques to prevent those attacks. Topics covered include:

  • Preventing cross-site scripting (XSS) vulnerabilities
  • Protecting against SQL injection attacks
  • Complicating session hijacking attempts
  • Given the growing frequency of attacks on web sites, it's more critical than ever to know how to write code that isn't susceptible. This focused book offers developers a deeper understanding and appreciation of the safeguards they can put in place.

    Additional Resources:

    Essential PHP Security
    Chris Shiflett
    ISBN: 0-596-00656-X, 109 pages, $29.95 US
    1-800-998-9938; 1-707-827-7000

    About O’Reilly

    O’Reilly Media spreads the knowledge of innovators through its books, online services, magazines, and conferences. Since 1978, O’Reilly Media has been a chronicler and catalyst of cutting-edge development, homing in on the technology trends that really matter and spurring their adoption by amplifying “faint signals” from the alpha geeks who are creating the future. An active participant in the technology community, the company has a long history of advocacy, meme-making, and evangelism.

    Email a link to this press release