Chris Snyder and Thomas Myer - Pro PHP Security

BOOKS FOR PROFESSIONALS BY PROFESSIONALS Companion

eBook Available

Chris Snyder, Author of Pro PHP Security, First edition Pro PHP Security Pro

If you've been a web developer for even a short time, you know that security is at once one of the most misunderstood and most important parts of your Thomas Myer, Author of job. You need only experience the anguish of having a web site or application No Nonsense XML Web hacked by someone several continents away to understand that. By provid- Development with PHP ing the most current information available, this title will help you understand Mac Basics in Simple Steps and avoid web security challenges while providing solutions for common real-

world problems.

This book begins by taking you through what can be done to secure your code by providing a rock solid grounding in the fundamentals of PHP security. Next, the book expands on that topic by what you can do to help protect your Michael Southwell, Coauthor of users and environment by covering such topics as encryption, SSL and SSH, UNIX security, CAPTCHAs, and more. Finally, the book delves into often forgot- Pro PHP Security, First edition ten (but incredibly important) topics such as keeping software up-to-date and

maintaining separate production and development environments.

Security is a big deal, and this book has been updated so todays PHP devel-oper can successfully meet all of the security challenges of the future.

THE APRESS ROADMAP

Beginning PHP Objects Pro

PHP & MySQL, Patterns & Practice, PHP Security,

4th Edition 3rd Edition 2nd Edition

Beginning Zend Enterprise Pro

PHP and Oracle PHP Patterns PHP Refactoring

Companion eBook

SECOND

EDITION

SOURCE CODE ONLINE

www.apress.com

Shelve in:

Web Development / PHP

Programming

User level:

IntermediateAdvanced

Pro PHP Security From Application Security Principles to the Implementation of XSS Defenses Second Edition

Chris Snyder

Thomas Myer

Michael Southwell

Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition

Copyright 2010 by Chris Snyder, Thomas Myer, and Michael Southwell All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.

ISBN-13 (pbk): 978-1-4302-3318-3

ISBN-13 (electronic): 978-1-4302-3319-0

Printed and bound in the United States of America 9 8 7 6 5 4 3 2 1 Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.

The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

President and Publisher: Paul Manning

Lead Editor: Frank Polhmann

Technical Reviewer: Chris Snyder

Editorial Board: Steve Anglin, Mark Beckner, Ewan Buckingham, Gary Cornell, Jonathan Gennick, Jonathan Hassell, Michelle Lowman, Matthew Moodie, Duncan Parkes, Jeffrey Pepper, Frank Pohlmann, Douglas Pundick, Ben Renow-Clarke, Dominic Shakeshaft, Matt Wade, Tom Welsh

Coordinating Editor: Adam Heath

Copy Editor: Jim Compton

Compositor: MacPS, LLC

Indexer: BIM Indexing & Proofreading Services

Artist: April Milne

Cover Designer: Anna Ishchenko

Distributed to the book trade worldwide by Springer Science+Business Media, LLC., 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail orders-ny@springer-sbm.com , or visit www.springeronline.com . For information on translations, please e-mail rights@apress.com , or visit www.apress.com . Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional use. eBook versions and licenses are also available for most titles. For more information, reference our Special Bulk SaleseBook Licensing web page at www.apress.com/info/bulksales . The information in this book is distributed on an as is basis, without warranty. Although every precaution has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work.

This, like all the others, is dedicated to my wife Hope Doty.

Thanks for loving me anyway.

T.M.

Contents ................................................................................................................

About the Authors ..............................................................................................

Acknowledgments.............................................................................................

Preface .............................................................................................................

Part 1: The Importance of Security ............................................................................

Chapter 1: Why Is Secure Programming a Concern? ............................................

Part 2: Practicing Secure PHP Programming ........................................................

Chapter 2: Validating and Sanitizing User Input .................................................

Chapter 3: Preventing SQL Injection ...................................................................

Chapter 4: Preventing Cross-Site Scripting ........................................................

Chapter 5: Preventing Remote Execution ............................................................

Chapter 6: Enforcing Security for Temporary Files .............................................

Chapter 7: Preventing Session Hijacking ............................................................

Chapter 8: Securing REST Services ...................................................................

Part 3: Practicing Secure Operations ...................................................................

Chapter 9: Using CAPTCHAs ..............................................................................

Chapter 10: User Authentication, Authorization, and Logging ..........................