BOOKS FOR PROFESSIONALS BY PROFESSIONALS
Companion eBook Available
If you've been a web developer for even a short time, you know that security is at once one of the most misunderstood and most important parts of your job. You need only experience the anguish of having a web site or application hacked by someone several continents away to understand that. By providing the most current information available, this title will help you understand and avoid web security challenges while providing solutions for common real-world problems.

This book begins by taking you through what can be done to secure your code by providing a rock-solid grounding in the fundamentals of PHP security. Next, the book expands on that topic by explaining what you can do to help protect your users and environment, covering such topics as encryption, SSL and SSH, UNIX security, CAPTCHAs, and more. Finally, the book delves into often forgotten (but incredibly important) topics such as keeping software up-to-date and maintaining separate production and development environments.

Security is a big deal, and this book has been updated so today's PHP developer can successfully meet all of the security challenges of the future.

Chris Snyder, Author of Pro PHP Security, First Edition
Thomas Myer, Author of No Nonsense XML Web Development with PHP and Mac Basics in Simple Steps
Michael Southwell, Coauthor of Pro PHP Security, First Edition
THE APRESS ROADMAP
Beginning PHP & MySQL, 4th Edition
PHP Objects, Patterns & Practice, 3rd Edition
Pro PHP Security, 2nd Edition
Beginning PHP and Oracle
Zend Enterprise PHP Patterns
Pro PHP Refactoring
Companion eBook
Second Edition
Source code online: www.apress.com
Shelve in: Web Development / PHP Programming
User level: Intermediate to Advanced
Pro PHP Security From Application Security Principles to the Implementation of XSS Defenses Second Edition
Chris Snyder
Thomas Myer
Michael Southwell
Pro PHP Security: From Application Security Principles to the Implementation of XSS Defenses, Second Edition
Copyright © 2010 by Chris Snyder, Thomas Myer, and Michael Southwell

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage or retrieval system, without the prior written permission of the copyright owner and the publisher.
ISBN-13 (pbk): 978-1-4302-3318-3
ISBN-13 (electronic): 978-1-4302-3319-0
Printed and bound in the United States of America 9 8 7 6 5 4 3 2 1

Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image, we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark.
The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
President and Publisher: Paul Manning
Lead Editor: Frank Pohlmann
Technical Reviewer: Chris Snyder
Editorial Board: Steve Anglin, Mark Beckner, Ewan Buckingham, Gary Cornell, Jonathan Gennick, Jonathan Hassell, Michelle Lowman, Matthew Moodie, Duncan Parkes, Jeffrey Pepper, Frank Pohlmann, Douglas Pundick, Ben Renow-Clarke, Dominic Shakeshaft, Matt Wade, Tom Welsh
Coordinating Editor: Adam Heath
Copy Editor: Jim Compton
Compositor: MacPS, LLC
Indexer: BIM Indexing & Proofreading Services
Artist: April Milne
Cover Designer: Anna Ishchenko
Distributed to the book trade worldwide by Springer Science+Business Media, LLC., 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail orders-ny@springer-sbm.com, or visit www.springeronline.com.

For information on translations, please e-mail rights@apress.com, or visit www.apress.com.

Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional use. eBook versions and licenses are also available for most titles. For more information, reference our Special Bulk Sales-eBook Licensing web page at www.apress.com/info/bulksales.

The information in this book is distributed on an "as is" basis, without warranty. Although every precaution has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work.
This, like all the others, is dedicated to my wife Hope Doty.
Thanks for loving me anyway.
T.M.
Contents
About the Authors
Acknowledgments
Preface
Part 1: The Importance of Security
Chapter 1: Why Is Secure Programming a Concern?
Part 2: Practicing Secure PHP Programming
Chapter 2: Validating and Sanitizing User Input
Chapter 3: Preventing SQL Injection
Chapter 4: Preventing Cross-Site Scripting
Chapter 5: Preventing Remote Execution
Chapter 6: Enforcing Security for Temporary Files
Chapter 7: Preventing Session Hijacking
Chapter 8: Securing REST Services
Part 3: Practicing Secure Operations
Chapter 9: Using CAPTCHAs
Chapter 10: User Authentication, Authorization, and Logging