Book Review: "Wicked Cool PHP"
My biggest problems with this book are the numerous security issues that, if newbies actually followed them, would land them in trouble. PHP gets a bad reputation for giving new learners just enough rope to hang themselves, and this book exemplifies that. For example, the single entry on SQL injection, Script #19, advises using the deprecated mysql_real_escape_string(), which is still vulnerable to multiple types of SQL injection, instead of prepared statements, as I've detailed on this blog with PDO. Another one, which was just laughable, was Script #60, Forcing a User to Use SSL-Encrypted Pages: it only checks whether the server is running over port 443 (newbies should understand that protocols can run on any port) instead of using the $_SERVER['HTTPS'] variable to check that the HTTPS protocol is actually in use, or even better setting an HSTS cookie with PHP. Another potentially vulnerable mistake can be found in Script #5, which promotes the notorious unserialize() function, which makes for a fun exercise. The final one I'll mention is Script #66, Creating a CAPTCHA (Security) Image. These shouldn't be considered secure; rather, the script should implement something like Google's reCAPTCHA. There are many more examples throughout the book (tons of home-brewed input filters), but despite all of that I would like to say that I appreciate how the book constantly reminds the reader of security theory and best practices, lessons which I stand behind.
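To make the three complaints above concrete, here is an added example (my own code, not taken from the book) showing hardened replacements for Scripts #19, #60 and #5: a PDO prepared statement instead of escaping, a protocol check via $_SERVER['HTTPS'] plus an HSTS header instead of a port check, and a JSON round-trip instead of serialize()/unserialize(). The users table, its columns and the CANONICAL_HOST value are assumptions.

```php
<?php
// Added example (not from the book): hardened versions of three patterns
// the review criticises. Table/column names and the canonical host are assumed.

// Script #19 fix: parameterised query with PDO instead of escaping.
// The user-supplied value is bound separately and never spliced into the SQL text.
function findUserByEmail(PDO $pdo, string $email): ?array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Script #60 fix: decide on the protocol actually in use, not the port number.
// PHP sets $_SERVER['HTTPS'] to a non-empty value when the request arrived over
// TLS; IIS sets it to "off" for plain HTTP, hence the extra comparison. Behind a
// TLS-terminating proxy you would have to trust X-Forwarded-Proto explicitly.
function isHttps(): bool
{
    return !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
}

const CANONICAL_HOST = 'example.com'; // assumed; never redirect to the Host header
function requireHttps(): void
{
    if (!isHttps()) {
        header('Location: https://' . CANONICAL_HOST . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
        exit;
    }
    // Already on HTTPS: tell browsers to stay there for a year.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

// Script #5 fix: store and restore an array via JSON rather than serialize()/
// unserialize(), so untrusted input can never instantiate arbitrary objects.
function arrayToString(array $data): string
{
    return json_encode($data, JSON_THROW_ON_ERROR);
}

function stringToArray(string $blob): array
{
    $data = json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('expected a JSON array or object');
    }
    return $data;
}
```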
As with most of my book reviews, the following is a modified table of contents, so that you can get a good idea of all the chapters and scripts included:
Introduction
Chapter 1: The FAQs Of Life — The Scripts Every PHP Programmer Wants (Or Needs) To Know
Script #1: Including Another File as a Part of Your Script
Script #2: Highlighting Alternate Row Colors in a Table
Script #3: Creating Previous/Next Links
Script #4: Printing the Contents of an Array
Script #5: Turning an Array into a Nonarray Variable That Can Be Restored Later
Script #6: Sorting Multidimensional Arrays
Script #7: Templating Your Site with Smarty
Chapter 2: Configuring PHP
Configuration Settings and the php.ini File
Locating Your php.ini File
Script #8: Revealing All of PHP’s Settings
Script #9: Reading an Individual Setting
Script #10: Error Reporting
Script #11: Suppressing All Error Messages
Script #12: Extending the Run Time of a Script
Script #13: Preventing Users from Uploading Large Files
Script #14: Turning Off Registered Global Variables
Script #15: Enabling Magic Quotes
Script #16: Restricting the Files that PHP Can Access
Script #17: Shutting Down Specific Functions
Script #18: Adding Extensions to PHP
Adding PHP Extensions
Installing Extensions with a Web-Based Control Panel
Chapter 3: PHP Security
Recommended Security Configuration Options
Script #19: SQL Injection Attacks
Script #20: Preventing Basic XSS Attacks
Script #21: Using SafeHTML
Script #22: Protecting Data with a One-Way Hash
Script #23: Encrypting Data with Mcrypt
Script #24: Generating Random Passwords
Chapter 4: Working With Forms
Security Measures: Forms Are Not Trustworthy
Verification Strategies
Using $_POST, $_GET, $_REQUEST, and $_FILES to Access Form Data
Script #25: Fetching Form Variables Consistently and Safely
Script #26: Trimming Excess Whitespace
Script #27: Importing Form Variables into an Array
Script #28: Making Sure a Response Is One of a Set of Given Values
Script #29: Using Multiple Submit Buttons
Script #30: Validating a Credit Card
Script #31: Double-Checking a Credit Card’s Expiration Date
Script #32: Checking Valid Email Addresses
Script #33: Checking American Phone Numbers
Chapter 5: Working With Text And HTML
Script #34: Extracting Part of a String
Script #35: Making a String Uppercase, Lowercase, or Capitalized
Script #36: Finding Substrings
Script #37: Replacing Substrings
Script #38: Finding and Fixing Misspelled Words with pspell
Working with the Default Dictionary
Adding a Custom Dictionary to pspell
Script #39: Regular Expressions
Regular Expression Basics
Special Character Sequences
Pattern Repeaters
Grouping
Character Classes
Putting It All Together
Matching and Extracting with Regular Expressions
Replacing Substrings with Regular Expressions
Script #40: Rearranging a Table
Script #41: Creating a Screen Scraper
Script #42: Converting Plaintext into HTML-Ready Markup
Script #43: Automatically Hyperlinking URLs
Script #44: Stripping HTML Tags from Strings
Chapter 6: Working With Dates
How Unix Time Works
Script #45: Getting the Current Timestamp
Script #46: Getting the Timestamp of a Date in the Past or Future
Creating Timestamps from a String
Creating Timestamps from Date Values
Script #47: Formatting Dates and Times
Script #48: Calculating the Day of the Week from a Given Date
Script #49: Finding the Difference Between Two Dates
MySQL Date Formats
Chapter 7: Working With Files
File Permissions
Permissions with an FTP Program
The Command Line
Script #50: Placing a File’s Contents into a Variable
Script #51: Creating and Writing to a File
Script #52: Checking to See If a File Exists
Script #53: Deleting Files
Script #54: Uploading Images to a Directory
Script #55: Reading a Comma-Separated File
Chapter 8: User And Session Tracking
Using Cookies and Sessions to Track User Data
Cookies
Sessions
Script #56: Creating a “Welcome Back, Username!” Message with Cookies
Script #57: Using Sessions to Temporarily Store Data
Script #58: Checking to See If a User’s Browser Accepts Cookies
Script #59: Redirecting Users to Different Pages
Script #60: Forcing a User to Use SSL-Encrypted Pages
Script #61: Extracting Client Information
Script #62: Session Timeouts
Script #63: A Simple Login System
Chapter 9: Working With Email
Script #64: Using PHPMailer to Send Mail
Script #65: Using Email to Verify User Accounts
Chapter 10: Working With Images
Script #66: Creating a CAPTCHA (Security) Image
Script #67: Creating Thumbnail Images
Chapter 11: Using cURL To Interact With Web Services
Script #68: Connecting to Other Websites
Script #69: Using Cookies
Script #70: Transforming XML into a Usable Form
Script #71: Using Mapping Web Services
Script #72: Using PHP and SOAP to Request Data from Amazon.com
Script #73: Building a Web Service
Chapter 12: Intermediate Projects
Script #74: A User Poll
Creating a Ballot Form
Processing the Ballot
Getting Poll Results
Script #75: Electronic Greeting Cards
Choosing a Card
Sending the Card
Viewing the Card
Script #76: A Blogging System
Creating Blog Entries
Displaying an Entry
Adding Comments
Creating a Blog Index
Appendix
Index
All in all, this is a pretty neat book for those looking for a hand getting started, but you should understand that this is not refined nor production-ready code. I enjoy the sections in each script like 'What Can Go Wrong?', which helps programmers debug their scripts for errors, and 'Hacking the Script', which helps programmers modify the scripts for more uses; I thought that was a nice approach for a cookbook-style programming book. You can read the fourth chapter for free, which should help for a better understanding of the chapters. And as I always say, code rules everything around me (CREAM, get the knowledge), so make sure you check out all of the Wicked Cool PHP scripts. Having gotten all of that out, my main problem with this book is that it gives novice users just enough information to get themselves into trouble, teaching unaware programmers all of the bad security practices I've highlighted in this review.