BKEPHPSC.RVW 20071123

"Essential PHP Security", Chris Shiflett, 2006, 0-596-00656-X, U$29.95/C$41.95
%A Chris Shiflett shiflett.org
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 2006
%G 0-596-00656-X
%I O'Reilly & Associates, Inc.
%O U$29.95/C$41.95 707-829-0515 fax: 707-829-0104 nuts@ora.com
%O http://www.amazon.com/exec/obidos/ASIN/059600656X/robsladesinterne
http://www.amazon.co.uk/exec/obidos/ASIN/059600656X/robsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASIN/059600656X/robsladesin03-20
%O Audience s- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P 109 p.
%T "Essential PHP Security"

PHP is an acronym (albeit a somewhat recursive one, standing for PHP: Hypertext Preprocessor), but neither the foreword, the preface, the body of the book, nor the index expands it. Similarly, the intent of the book is not clarified in either the foreword or the preface. Chapter one does state that the purpose of the text is to teach how to write secure code (with "security" left undefined) using features unique to PHP. However, only two such distinctive functions are listed in this section, and they are not explained very well. (Three appendices at the end of the work do list some PHP commands related to the security conventions noted.) More space is devoted to general application development principles and practices for safe programming. Even there, the solutions are presented as source code rather than explained in text, so the reader needs an intimate knowledge of PHP to derive value from the lessons presented. In discussing forms and URLs (Uniform Resource Locators), chapter two distinguishes between filtered and tainted data, as well as between GET and POST form submissions, but does not initially examine the possibility that a user can observe and deliberately malform the submitted data.

Where details are provided on security, they are introduced with coding examples, and, again, the effectiveness of the proposed solutions is unclear unless the reader is thoroughly familiar with PHP internals. The database and SQL (Structured Query Language) programming styles suggested in chapter three are good, but it is far from clear that the filtering recommended will, in fact, prevent all possibility of SQL injection attacks. Chapter four examines sessions and cookies: the explanations here also rely on understanding the source code. Chapter five, in talking about includes, is mostly concerned with placing the files outside the root directory. Much the same emphasis is present in regard to files and commands (particularly with respect to file traversal) in chapter six, although there is some discussion of command injection. Once again, the specifics of authentication and authorization in chapter seven are to be found only in the source code examples. The text of chapter eight explicitly admits that the ability to address security issues in shared hosting environments is weak.

For those who are thoroughly experienced in PHP programming, this book does recommend styles that can result in more secure Web applications. However, novice programmers, or even programmers experienced in other languages, will have difficulty using the material effectively.

copyright Robert M. Slade, 2007