Book Review: "Essential PHP Security"


Essential PHP Security by Chris Shiflett is a solid book on web application security as it applies to PHP. It was recommended to me by Turbo Borland, so you really can't go wrong with this one. It is aimed at PHP programmers, web developers, web pen-testers, and anyone looking to brush up on the general theory of web security. The book is roughly 100 pages, cheap on Amazon, and a bit more expensive through O'Reilly. It even has its own website, with reviews, outlines, errata, and all the code from the book.

As many other reviews have noted, the book mostly covers issues that experienced info-sec professionals will already be aware of, and it may be too introductory for them. Overall, I give it 6 out of 10 stars: it covers the theory excellently and provides plenty of good code examples, but it falls short in depth of coverage and in its treatment of more advanced PHP vulnerabilities. My favorite parts are how consistently Chris instills core info-sec principles, such as defense in depth (he shows how to set up multiple safeguards, so that one being bypassed does not mean compromise) and never trusting raw user input (sanitize all user input, and whitelist the allowed values where possible).

The following is Chris's own table of contents, reprinted here for the convenience of those considering purchasing the book:
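To make the two principles above concrete, here is an added example of my own, not code from the book or from Chris Shiflett's site. It layers a whitelist on the input, a parameterized query underneath it, and context-aware escaping on the output, so that a hostile request has to get past every layer rather than just one. The `items` table, the `color`/`id` fields, and the simulated `$requests` are constructed for the demonstration; the only runtime assumption is that PHP has the `pdo_sqlite` extension, which is how the in-memory database is created.

```php
<?php
// Added example, not from the book: "filter input, escape output" with
// defense in depth. The form submissions and the database are constructed
// fixtures so the script runs stand-alone (needs the pdo_sqlite extension).

declare(strict_types=1);

// Layer 1: whitelist. Only values we enumerated are accepted; anything else
// is rejected outright rather than "cleaned up".
const ALLOWED_COLORS = ['red', 'green', 'blue'];

function filterColor(string $raw): ?string
{
    return in_array($raw, ALLOWED_COLORS, true) ? $raw : null;
}

// Layer 1 (continued): validate by type and format, not by stripping
// characters we think are dangerous. ctype_digit rejects signs, spaces,
// and anything that is not 0-9; the length cap keeps the value in int range.
function filterId(string $raw): ?int
{
    if ($raw === '' || strlen($raw) > 9 || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

// Layer 2: parameterized query. Even if layer 1 is bypassed, or a later
// change adds an unfiltered field, the data is bound as a value and is
// never parsed as SQL.
function findItem(PDO $db, int $id, string $color): ?array
{
    $stmt = $db->prepare(
        'SELECT id, name, color FROM items WHERE id = :id AND color = :color'
    );
    $stmt->execute([':id' => $id, ':color' => $color]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Layer 3: escape output for the context it lands in (HTML body here).
// Stored data is treated as untrusted too, so a script payload that made
// it into the table through some other path is rendered inert.
function renderItem(array $row): string
{
    $name = htmlspecialchars((string) $row['name'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<li>{$row['id']}: {$name}</li>";
}

// --- constructed fixture: in-memory SQLite with one poisoned row ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, color TEXT)');
$ins = $db->prepare('INSERT INTO items (id, name, color) VALUES (?, ?, ?)');
$ins->execute([7, 'Widget <script>alert(1)</script>', 'red']);

// Simulated $_POST bodies: one honest, one carrying SQL injection attempts.
$requests = [
    ['id' => '7',        'color' => 'red'],
    ['id' => '7 OR 1=1', 'color' => "red' OR '1'='1"],
];

foreach ($requests as $post) {
    $id    = filterId($post['id']);
    $color = filterColor($post['color']);
    if ($id === null || $color === null) {
        // Whitelist failed: stop here, log, and do not touch the database.
        echo 'rejected: ' . json_encode($post) . "\n";
        continue;
    }
    $row = findItem($db, $id, $color);
    echo $row !== null ? renderItem($row) . "\n" : "no match\n";
}
```

The honest request prints the row with the stored `<script>` tag neutralised by `htmlspecialchars`; the hostile request never reaches the query because `ctype_digit` and the `in_array` whitelist both fail. If you delete the whitelist to see the second layer work, the injection strings are still bound as literal values by PDO and simply return no match.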

Chapter 1: Introduction

Gives an overview of security principles and best practices. This chapter provides the foundation for the rest of the book.
  • PHP Features
  • Principles
  • Practices

Chapter 2: Forms and URLs

Covers form processing and attacks such as cross-site scripting and cross-site request forgeries.
  • Forms and Data
  • Semantic URL Attacks
  • File Upload Attacks
  • Cross-Site Scripting
  • Cross-Site Request Forgeries
  • Spoofed Form Submissions
  • Spoofed HTTP Requests

Chapter 3: Databases and SQL

Focuses on using databases and attacks such as SQL injection.
  • Exposed Access Credentials
  • SQL Injection
  • Exposed Data

Chapter 4: Sessions and Cookies

Explains PHP's session support and shows you how to protect your applications from attacks such as session fixation and session hijacking.
  • Cookie Theft
  • Exposed Session Data
  • Session Fixation
  • Session Hijacking

Chapter 5: Includes

Covers the risks associated with the use of includes, such as backdoor URLs and code injection.
  • Exposed Source Code
  • Backdoor URLs
  • Filename Manipulation
  • Code Injection

Chapter 6: Files and Commands

Discusses attacks such as filesystem traversal and command injection.
  • Traversing the Filesystem
  • Remote File Risks
  • Command Injection

Chapter 7: Authentication and Authorization

Helps you create secure authentication and authorization mechanisms and protect your applications from things like brute force attacks and replay attacks.
  • Brute Force Attacks
  • Password Sniffing
  • Replay Attacks
  • Persistent Logins

Chapter 8: Shared Hosting

Explains the inherent risks associated with a shared hosting environment. You are shown how to avoid the exposure of your source code and session data, as well as how to protect your applications from attacks such as session injection.
  • Exposed Source Code
  • Exposed Session Data
  • Session Injection
  • Filesystem Browsing
  • Safe Mode

Appendix A: Configuration Directives

Provides a short and focused list of configuration directives that deserve particular attention.

Appendix B: Functions

Offers a brief list of functions with which you should be concerned.

Appendix C: Cryptography

Focuses on symmetric cryptography and shows you how to safely store passwords and encrypt data in a database or session data store.


You can view a sample of the book here, and download chapters 2 (Forms and URLs) and 4 (Sessions and Cookies) for free. At the very least, I urge you to check out the online code examples, which come in both colorized form and raw text, so you can use them as your own secure PHP cheat sheet.