PHP has had a bad reputation in recent years. There's a lot of discussion about its "summary of bad design" and syntactic inconsistencies, but the main complaint is usually security. Many PHP sites are hacked in minutes, and even some experienced and knowledgeable programmers will say that the language itself is unsafe.
I’m always against this because there are so many PHP security violations for common sense reasons.
PHP applications are often hacked due to:
It’s that simple. PHP has been popular for many years. The more popular PHP becomes, the more vulnerabilities are discovered. The vulnerabilities discovered by these hackers are rarely in the PHP processing engine itself, but are usually weaknesses in the script itself.
This means that when a PHP application is hacked, it is mostly the programmer's fault. Sorry, but it's true.
You can write secure PHP just like other web languages. It's time to start really exploring security issues.
The best protection against PHP hacks
Writing secure PHP code is not a secret black art hidden from PHP developers. But confidence is so fragmented that you need to spend weeks or months (or not) collecting some loose catalog or rule of thumb on good security practices. Only true experience will tell you how important it is.
Thankfully Ben Edmunds has done it for you. It recently published Building Secure PHP Apps – a Practical Guide, which is one of the best security-related books I’ve ever read, and certainly the best coverage of PHP. In this article I'll detail why I think every PHP developer should read it.
This book is a concise guide that will take you to the next level as a developer, allowing you to create better and more secure scripts.
Introduction
The book quickly gets into the common sense rules of web development: don’t trust your users and filter all input. Start with a small scenario and jump to the technical methods by which users can enter the system. The themes of Chapter 1 are:
These are areas that PHP novices (and some veterans) have always overlooked. Filtering input is considered an optional step by many and is discussed extensively in this chapter.
While reading, I was reminded of my first day at work many years ago, when I dug deep into the existing code and found the code for the new user creation script:
?
1 2 3 |
|
I panicked when I saw this code because it is a very effective script that could easily be guessed by a malicious user and insert a simple form variable to access approximately 5,000 credit card numbers and other personal information.
After digging deeper, I found the following code:
?
1 |
|
I pretty much walked out of that job on day one because they were relying on this horrible code. The code is there, and it's your responsibility to change it to avoid creating more.
This chapter discusses why code like this is a huge risk and how to fix it.
HTTPS and certificates
This is another area where Ben includes scripts, stories, and a bit of humor, while also clearly explaining the less clear concept of HTTPS. He explains it in a way that even your boss can understand.
This book very comprehensively describes how certificates work, certificate types and implementation methods, even including how to deploy on Apache or Nginx.
Password
This book carefully explains passwords, hashes, lookup tables, and salts, which is incredibly helpful for developers creating user login systems.
This is an area that was sorely lacking even in 2014. I still come across apps that store passwords in plain text or use stupid methods like ROT13 encryption to protect them. For the sake of keeping people using your app, and your good name, don't do this.
Passwords and other sensitive data should be very difficult to obtain, and someone may even gain full access to the database. This book is very comprehensive and will give you good guidance on designing better systems.
Authentication and access control
The topics covered in this book are very comprehensive. When you build a new PHP application, some of the top considerations are:
This is an important place to think about applications, especially applications that handle sensitive data. A considerable part of the development in the enterprise is dedicated to this. If you don't set up authentication and access control correctly, the most likely thing that will happen is that you confuse users and create more work. Even worse than this are server data gaps and/or data corruption.
This book does a good job of covering the basics, and then it dives into things like controlling access to files or individual pages of an application, with lots of code examples for reference.
Specific use
This book covers some common exploits to compromise a system, exploring in great detail cross-site scripting, which is arguably the most common way attackers exploit applications. It explains the different kinds of attacks and how to protect yourself.
Not bad, right? You can purchase books at a discount through this link!
What I like most about this book
What I really enjoyed while reading this book is how the information is presented in a way that is useful for both beginners and experienced programmers. There is a range of concepts presented, what they are and how to protect yourself. There are plenty of code examples, not the "padding" that some technical books have.
You can read through this book quickly because there is not much content. Novices can read through this book, examine each topic, start looking at their code, and make corrections. Remember that in this matter, you need to keep revising. If you look back and you're ashamed of the code you wrote six months ago, you're doing the right thing.
More advanced, experienced programmers can use this guide to fill in their weaknesses (admit it, no matter how long you’ve been in this industry, you have weaknesses) and better understand the systems they use in their work. For example, I've used authentication like crazy for years, but never thought about it at the level that this book covers.
No matter who you are, you will learn something. So stop reading this article and go buy a copy! Use this link to purchase and get a discount! !
Disclaimer
I haven’t commented much on my blog, so you may have some questions. For clarity, I was not paid or compensated for the review. The coupon code above gives readers of my blog $4 off the original book price, and I will not receive any money. Of course I received a promotional copy of this book for review purposes.
I know this author personally, which is one of the reasons why I trust the information in this book and completely trust his guidance. Ben Edmunds has had a huge influence in the PHP community in recent years. He has 10 years of experience in PHP. He is one of the leaders of the PHP User Group in Poland. He has made great contributions to the PHP open source project in recent years. Suffice it to say, he knows his stuff and you can trust the information presented here.
The above introduces the books that every PHP developer should read, including relevant content. I hope it will be helpful to friends who are interested in PHP tutorials.