Essential PHP Security

This review was originally printed in the June 2006 edition of the UKUUG newsletter, which is now defunct.

Title: Essential PHP Security
Authors: Chris Shiflett
ISBN: 9780596006563

As a PHP developer of many years, I’ve probably made my fair share of mistakes when it comes to security, so finding a book that concentrates purely on this topic sounded like just the thing I’ve been looking for.

My first impression was that the book is rather slim, weighing in at just over 100 pages. Whilst PHP security is perhaps something of a niche topic, I got the feeling that perhaps this text would be a little short on detail. On the other hand, the book lacks the flowery prose and history sometimes used in computer books, so it was a refreshing change to get straight into the nuts and bolts of the subject matter from page one.

The first few chapters cover the most obvious security holes that often plague PHP scripts, including processing user input (primarily from forms), databases and cookie/session handling. At first this seemed like a good coverage of the common security problems, but I felt that the databases section was particularly short, especially given the number of websites that are relying on some form of database backend to provide various levels of functionality (e.g. forums). The SQL injection section was only a few pages, despite the fact that this one security hole alone has caused problems for many of the popular PHP scripts available for download.

The author also sometimes veers away from PHP problems and ends up discussing more general issues, such as the handling of cookies in previous versions of Internet Explorer. Whilst this is something that developers should be aware of, it isn’t really a PHP security issue and relies on users being savvy enough to keep their software up to date.

There are sections where the author ends up explaining what is basically the same vulnerability several times. For example, when using some form of user input (such as `$_GET['filename']`) as a way of dynamically including files, he shows the same problem with both local and remote files, and so the reader is given a repeated explanation of why you should never use tainted data to refer to a filename.
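To make the point concrete, here is an added example (not from the book or from this review) of the dynamic-include pattern described above, with the tainted version beside a hardened one; the `./pages/` directory and the `home`/`about` template names are assumed for illustration.

```php
<?php
// Added example, not from "Essential PHP Security" or this review.
// Assumed layout: page templates live in ./pages/ as home.php and about.php.

// Tainted version: the request parameter is the filename. Nothing checks
// it, so it can name local files outside ./pages/ or, with allow_url_include
// enabled, a remote URL. This is the pattern the book warns against.
function render_page_tainted(): void
{
    include $_GET['filename'];
}

// Hardened version: the request only selects a key. The filesystem path
// comes from a fixed allowlist the request cannot influence, and unknown
// keys fall back to a safe default instead of touching the filesystem.
const PAGE_ALLOWLIST = [
    'home'  => __DIR__ . '/pages/home.php',
    'about' => __DIR__ . '/pages/about.php',
];

function resolve_page(string $requested): string
{
    // Plain array lookup: no path concatenation, no "../", no URLs.
    return PAGE_ALLOWLIST[$requested] ?? PAGE_ALLOWLIST['home'];
}

function render_page(): void
{
    $requested = (string) ($_GET['filename'] ?? 'home');
    $path = resolve_page($requested);

    // Defence in depth: confirm the resolved file really sits under ./pages/
    // before including it, even though the allowlist already guarantees it.
    $pagesDir = realpath(__DIR__ . '/pages');
    $real = realpath($path);
    if ($pagesDir === false || $real === false
        || strpos($real, $pagesDir . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        return;
    }
    include $real;
}

render_page();
```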

Certain sections are also somewhat hand-wavey in that the author will mention topics such as SSL, and then suddenly move onto something else without giving any details as to how the topic in question can be used to enhance the security of your PHP scripts.

Having criticised the book somewhat, I must admit that I did learn one or two useful bits of information. For example, I always set the error reporting value for my PHP scripts to be E_ALL to display all errors, but apparently including E_STRICT will warn about deprecated functions as well. The section covering problems with shared hosting was also fairly in-depth and is a topic which probably affects the majority of PHP developers, yet it is not usually considered when trying to write secure code.

Overall though, I think the book is a little short on detail. There are a lot of places where it highlights important security issues – thus bringing them to your attention – but doesn’t really provide many good examples as to how to close the holes.

If you’re a seasoned PHP developer it’s unlikely that you’ll learn a great deal from this book, although it may serve as a useful reminder of some of the security issues that you are likely to come across in your scripts. The majority of the book’s content can be found on the many PHP websites, and given the lack of detail in the book I suspect most developers would get a more comprehensive answer by simply searching the web.

Personally, I don’t believe that the book is worth the cover price, though if a second edition with more detail and better examples was released then I’d be inclined to pick up a copy. As it stands, the book has potential but some sections could do with expanding, so I would award it 6/10 overall.
