Review of Essential PHP Security
Essential PHP Security, by Chris Shiflett (O’Reilly Media Inc., 2006), is only 85 pages long (if you take out the Appendices and filler material). That alone gets it four out of five stars. Well… not really… but there’s a lot to be said for producing a book that will actually get read. You can read the whole thing in one bathroom sitting, assuming you just returned from Mexico. By comparison, similar books like “Pro PHP Security” by Chris Snyder and Michael Southwell (also a very good book) are more along the lines of 500 pages and such books are intended as comprehensive reference books rather than tutorials. You’d have to eat at a restaurant in North Korea to get all the way through that book.
Chris’ book is great. It’s chocked full of easy to understand explanations and little five line code fragments to demonstrate what he’s explaining. Sure enough, if you read the whole thing, you’ll understand the essentials of PHP Security. Hey – perhaps that explains the title?
Do I need this book if my company already uses web scanning security software?
If your company has any kind of server-side applications at all, your IT department hopefully has a standard of scanning its web sites for vulnerabilities. Products like IBM’s WatchFire, HP’s webInspect, or Cenzic’s Hailstorm catch most of the problems that Chris’ book covers. However, you won’t understand the problems that those products identify if you don’t understand PHP security basics. For example, if webInspect reports a cross-site scripting vulnerability, you can’t fix it if you don’t understand what cross-site scripting is. You’ll be tempted to ignore or suppress any reported errors that you don’t understand. Chris’ book will give you the knowledge that you need in a few easy to follow pages.
Had we contributed to Chris’ book, there are a few paragraphs we would have added. They include:
The book should mention somewhere that many of the security vulnerabilities it describes are not unique to PHP – especially big ones like cross-site scripting and SQL injection. We encountered one client that was under the misimpression that PHP was particularly vulnerable to security problems. Sure, PHP has some vulnerabilities that other languages do not (and vis-versa), but Java, C#, Ruby, and all the other server-side languages can also be attacked with cross-site scripting, SQL injection, session spoofing, cookie theft, backdoor URLs, etc., etc.
The book would have benefited from the addition of a page of system administration best practices to improve security rather than confining itself only to coding best practices. For example, it’s easy for developers to accidentally open security holes by making very small changes to the PHP.ini file. A good best practice is to use the operating system to restrict access to that file in the production environment. Or we would have liked to see Chris distill role-based security administration policies, logging, or remote procedure call policies down to just the most important principles. He has a knack for filtering out the noise, and if he had added that 86th page, we would have paid for it and read it.
It’s worth mentioning how modular design has a very big impact on the number of vulnerabilities inside an application. This is especially important for PHP, because PHP code is often a little more haphazard than code written in other languages (see our Contact Us page for where to send your hate mail). There are two reasons for this. First, it’s a result of the culture of the self-selected group of people who use PHP. PHP programs are often written outside of the IT community. Professional software developers presumably have a little more formal training in modular design and system architecture. PHP tends to be the language of the average company Joe who is looking for the fastest way to produce a server side application. Second, every PHP object is allowed to directly write to the database (without at least having to explicitly allow that capability with an import statement, as is the case in Java). So PHP objects are more prone to operating directly on data rather than employing a more object-oriented approach of consolidating data operations in a single class.
These criticisms are very minor. The book is short, easy-to-read, and filled with information that is absolutely essential to know if you are to responsibly deploy a server-side PHP application. Look at the table of contents. If you’re not familiar with those terms, you’d better get the book.