I really wanted to write a glowing review of Mr. Shiflett's book, Essential PHP Security, but I can't help but dissapointed by the weaknesses.

The author's blog (http://shiflett.org/) and PHP security website (http://phpsec.org/) are good sources of information on PHP security and web creation in general. With the wisdom hinted at via his websites, I looked forward to more in depth insights and specifics in his book. Unfortunately for Mr. Shiflett, writing a book is not like writing 'bites' for a blog or marketing yourself as experienced and knowledgable. This book reads like an anthology of blog articles and seminar presentations and that weakness kills what should otherwise really be an essential text.

As another helpful reviewer pointed out, this book is a not appropriate for new PHP programmers. That reviewer also noted that it is precisely new initiates to PHP that need these lessons the most. The protective measures suggested in the book are presented superficially. The author highlights the vulnerability, but then only hints at a protective measure by providing a code snip-it which totally lacks context. Most novice readers expect examples of how to apply and integrate the suggested technique effectively and efficiently within the basics they already know.

Mr. Shiflett writes in his acknowledgements, "Written during one of the busiest years of my life ... [the people at O'reilly] have gone out of their way to make the entire process fit around my writing style and busy schedule."

Smoking gun?

For a full price book, the author had room, but perhaps not the desire to provide more substance. Concise does not have to be superficial. The book's main content is 85 pages -- followed by three appendices between pages 87 and 103. The index runs between pages 105 and 109. Substantive implementation details are missing and should have been included.

For example, in chapter 1 and later in chapter 2, the author recommends filtering input by identifying input, filtering the input, and distinguishing between filtered and unfiltered (tainted) data. This recommendation is explicitly explained twice in the book and repeated throughout. If you expect any examples demonstrating this in practical use, there are none. If you expect a class that exemplifies a way you might integrate this technique with your exsisting code, there is none. In other words, if you want to learn even remotely by example, you may be disappointed by this book.

As a last note, Appendix C talks briefly about cryptography in PHP. Based on this book, cryptography does not appear to be one of the author's strong areas of knowledge. For new PHP programmers who also work with SQL, Mr. Shiflett gives you just enough information to frustrate you (at best -- or hang yourself at worst). The author lists a number of other books and websites about cryptography on the first page of the Appendix. That is his best advice. Also take a look at http://www.openssl.org/ as an information resource.

In sum, I don't argue with the value of the hints Mr. Shiflett provides in his book, but this book is weak on substance and does not provide the examples necessary to teach the reader that the suggestions are practical for real implementation. Perhaps instead of this book, the many authors of the "How to PHP and MySQL" clone books need to integrate and implement these protective measures in their texts right from the start. Unfortunately, Mr. Shiflett's book does not bridge the existing gap. If you buy this book, expect to be searching other books and the web for ways to effectively and efficiently perform the tasks the author recommends. If you already know how to implement the measures, you probably did not need this book in the first place.

While smaller than many O'Reilly titles the author wastes no time in helping the new PHP programmer write more secure code. Once you get the best practices in the first chapter down, the other seven chapters each deal with a specific class of vulnerability. You can read chapters 2-8 in any order, and you'll also spend some time with the appendices.

I confess, this book made me want to go back over my code and refactor it from the ground up! Chris gives really easy ways to prevent the more common attacks. A day to a day and a half to read this book and then build your habit library will take you far in building more secure PHP code.

When I first got this book, it made me think about a few security holes that probably existed in my sites, and go back and fix some things. I liked the fact that it was quick and to the point, so I could hit all of the topics in a glance.

However, as I've progressed in my own development projects, I've come across a lot of fairly basic issues that are simply brushed by in this book. For example, the entire topic of encryption (hmm, maybe important in a security book) is relegated to Appendix C, which is 6 pages long. The discussion of mcrypt (the actual encryption functions) is 2 pages long, and is just a copy of an encryption class, without any explanation at all of modes, initialization vectors, etc (i.e. the things you need to understand to actually understand encryption). He even gives a link to Wikipedia at the beginning of the appendix (among other links) and tells us to read up there. Sorry Chris, but I dropped $30 on your book (along with a lot of other people) because I wanted YOU to explain it.

As another example, the book explains how to make sure you are dealing with an uploaded file rather than another file, but never addresses the problem of trying to determine if it is malicious before you work with it. I wrote Chris Shiflett an email on his personal website asking about this, but never received a response.

Overall, the authorship of this book seems somewhat lazy (is the topic of security really only worth 100 pages?), which is why I feel a little bit insulted and don't have a problem giving this a low rating. I would give it 3 stars because much of the content raises interesting questions, but I am used to such better quality from O'Reilly that it heavily suffers by comparison with ANY of their other offerings.

Of the 103 pages in the book there are probably only 13 of unique information and 90 pages of saying the same exact thing over and over again. Worse yet, I found the author had already released the 13 pages of useful information online for free.



Definitely wish I had browsed this one in a store before I blew $30.

Of the 103 pages in the book there are probably only 13 of unique information and 90 pages of saying the same exact thing over and over again. Worse yet, I found the author had already released the 13 pages of useful information online for free.

Definitely wish I had browsed this one in a store before I blew $30.

Alright - not very meaty. Overall I'm glad I read it though, as I picked up some useful nuggets.

==========
Update 2006-12-30 - I'd like to bump this up to four stars. The book came in handy today - I used some code in it regarding session variables.

Alright - not very meaty. Overall I'm glad I read it though, as I picked up some useful nuggets.

This book is essential for anyone starting out in PHP, but not only for them. It offers tips for almost any skill level, maybe you know some of the ways to keep your site secure but Chris really goes in depth on some of them.

The code snippets are short, simple, but convey the point exactly as intended... and I also like Chris's method for validating tainted data, similar to a fisherman. If the fish is bad throw it back and the same goes for user input.

I still have this book for reference and have lent it to a few people which resulted in them picking their own copies... all around a great resource.

Are you a developer who is writing insecure PHP code? If you are, then this book is for you! Author Chris Shiflett, has done an outstanding job of writing a practical book that will help you improve your PHP application-level security.

Shiflett, begins by giving an overview of security principles and best practices. Then, the author covers form processing and attacks such as cross-site scripting and cross-site request forgeries. He continues by focusing on using databases and attacks such as SQL injection. Then, the author explains PHP's session support and shows you how to protect your applications from attacks such as session fixation and session hijacking. Then, he covers the risks associated with the use of includes, such as backdoor URLs and code injection. Next, the author discusses attacks such as filesystem traversal and command injection. Then, he shows you how to create secure authentication and authorization mechanisms and how to protect your applications from things like brute force attacks and replay attacks. Finally, the author explains the inherent risks associated with a shared hosting environment.

This most excellent book brings long-needed security guidelines to PHP developers everywhere. More importantly, the content of this book will be an asset to your development teams.

As a very security conscious developer, I found this book to be a GREAT resource to my library. Though the book is short in length, it is very rich in content. Chris does a GREAT job of presenting the problem (citing specific examples of the exploits), showing the pitfalls, and then presenting the solutions.

He is very thorough in his descriptions, and his easy to understand writing and use of analogies made this a very simple concept to grasp. If you are a seasoned PHP developer, or just beginning programming PHP - his writing style helps you to understand the underlying attack, visuals to see it in action, and how to prevent being attacked - it is very simple, yet deep.

Reading this book has helped me to see where my applications may fall short, and what I can do to protect them. Especially in the realm of PHP developers, there are MANY Open Source options out there, and many of them lack the security that is mentioned in the chapters of this book. Don't let yourself get caught!

I recommend this book, and performing an audit of your own work. Excellent book!

This handy book fecth most recent popular attacks, and roughly coveres most general attacking means and how to secure your website.I like author's princle about how to filter tainted input and his code snippets are short and understandable.But this book comes with quite much minor errors; chapters seem little bit repetitive and redundant and most codes are not talked in depth.If you were a php newbie, and wish to know more php security related features or you want a short, handy cookbook which provides a quick reference, you should pick up this book.

Provides a good practical overview of common website attacks and how to handle them. Each type of attack is explained before showing the defence. By understanding how the attacks work you are less likely to implement the defences incorrectly. This book helped me understand the important security issues when developing websites in php, however much of the information is applicable in any web development language.

The book is only around 100 pages, but if you consider the title of the book then this is fine. You won't find information about securing a web server for example, but that is not what this book is for.

The only specific attack missing which I would like to have seen information about is email spamming through website forms. However the general principles described in the book will help prevent these attacks as well.

I highly recommend this book to any PHP developer who is looking for a concise guide on how to secure their websites.

I found this book very helpful. The language is easy to understand and the examples are clear and concise. The mantra 'filter input, escape output' is repeated throughout the book but is accompanied by examples of attacks and preventions. I found that repetition helpful. It is much easier to take the advice and apply it to my own needs than having a book with a finite list of applications and their possible holes.

This long awaited work from who many refer to as the guru of PHP security is finally out.

I must say though, when it arrived in the mail, I was a bit surprised by the package. Rather than the typical book box you get, it was in a padded envelope and upon opening the package I saw that the book was a mere 109 pages (with appendices starting on page 87).

As I began to read the book, I started to realize some of the reasons for the small size. Chris stays completely on topic with PHP security and doesn't meander into subjects such as Linux server administration and security, which other (larger) texts do to quite a large extent. I acually went to another PHP security text I had recenty read, and if I took out the sysadmin sections, it left about the same amount of pages as Chris's book. Also Chris's approach to PHP security seems to be a very 'keep it simple one'. He doesn't get into elaborate security frameworks and application layers. He simply defines a PHP security issue, and provides a strait forward and simple solution for the problem. I agree with this approach since over engineering a solution, breeds complexity and complexity can easily mask, you guessed it, "security issues".

I would say what I liked most about this book is that he brought to light the security concerns when running on a shared host. I think this topic if very often neglected on the majority of PHP security articles and texts even though many of us use shared hosting due to how cheep it is. Chris devotes an entire chapter to the situation and clearly explains the vast security risks that come with shared hosting and gives examples of how to mitigate the risks.

I would actually recommend this book to just about any PHP programmer for the simple fact that it is a great catalog of PHP security risks to date and offers simple solutions to counter those risks. Since it is a quick read it is an excellent way to quickly see if you have your bases covered when it come to security of your PHP app. Some of the examples are a bit brief, but the fact that you have read Chris's book and been alerted to the security issue is the real value in the end. You can always go to http://phpsec.org/ or other sites for expanded examples.

"Knowing is half the battle"
GI Joe

As far as technical books go, I liked this one. It really does get right to the point, and doesn't waste any time. But I do want to warn potential buyers that the book doesn't contain anything new to those who've been around the block a couple times. I'd say this book would only be informative to novice PHP programmers.

I've been programming with PHP for a few years now, and even when I read a book aimed at novices I usually learn something, or I'm at least reminded of some issues that I hadn't thought about in a while. I can't say the same about this book. I read it front to back within an hour, and didn't learn anything new, nor will it provide any kind of reference for future projects.

Overall I was disappointed, but that isn't necessarily the author's fault. I was just expecting something more in-depth.

This 120 page book could be condensed into one chapter. Most of the examples are just applying the same filter and escape your data to different function.
This book should be read by new programmers. If you have been programming for any decent amount of time, you should already know everything in here.

This is the first technical book that I have read that doesn't obscure the topic with trivial details or complicated sentence structures with phrasing that is hard to follow. The thing I like best about the book is that it introduces a technique in detail and uses it throughout the book. Because every chapter refers back to the original "filter input, escape output" theme coupled with defense in depth, it forces the user to concentrate on a single, simple method and apply it to many different situations.

The example code segments in the book illustrate specific points described in the copy very well. Keeping the code examples simple only strengthens its meaning since the reader is not forced to analyze the code. Additional comments in the examples may be helpful for inexperienced developers.

In addition providing insight on filtering input and escaping output, Chris also gives the reader insight to a very helpful way of dealing with the filtered/escaped data within the code. This method is illustrated in all the examples, and as the reader notices it used throught the book they can learn its usefulness by example.

You would think that with all of the books being published recently about PHP that everyone and his mother is writing PHP code. This may be true, but even if it is not, it is certain that many people and businesses are using PHP code, in concert with other applications like MySQL, to produce dynamic web sites. This is all well and good because PHP is a high-quality coding language especially well-suited to web applications. It is also open-source, meaning well-supported by a community of coders and developers and cost-free. The one problem is that, like all coding languages, poorly designed or written PHP applications can be security risks potentially allowing Internet miscreants to cause damage to web servers, hosts, and users. It appears to be the case that there are many, many instances of insecure PHP code in use, hence, the value in a targeted book on PHP security, like "Essential PHP Security", by Chris Shiflett.

The author is an internationally-known and accomplished expert on PHP security. He is the founder of the PHP Security Consortium, a group of volunteers who help educate the PHP community, and a well-known contributor to the PHP-general mail digest. The book is designed to provide security information and guidelines and explain the most common types of attacks and how to prevent or repel them.

"Essential PHP Security" is a slight volume of only 109 pages, including index. Shiflett wastes no time and immediately jumps into his topic, starting with his opinion on the use of the PHP concept of "register globals", a configuration setting which he recommends against using in favor of "superglobal arrays". He next turns to how to configure your web server setup to properly deal with error reporting, both for the developer's use and to prevent providing clues to any interloper trying to illegally access your site.

The balance of Chapter 1 itemizes general principles of Internet security: Defense in Depth - redundantly using more than one technique to secure your site; Least Privileges - writing code to minimize access to the least needed for any particular user's needs; Simple is Beautiful - the writing of clear, simple code, to make troubleshooting and auditing easier; and Minimize Exposure - taking steps to design and implement programs to eliminate or at least minimize display of sensitive data or code - don't even store credit card information unless absolutely necessary, he suggests.

Next, comes "Best Practices" - balancing risk vs. usability, keeping track of data, filtering of all input, escaping output, and in all cases, distinguishing between filtered and tainted data. These principles and practices are illustrated with short code snippets comparing insecure vs. more secure code.

The next seven chapters deal with specific elements of a website, the types of attacks that can occur with each, and tips and suggestions on how to deal with these attacks. These elements include vulnerabilities in forms and URLs, databases and SQL, sessions and cookies, PHP "include" files, files and commands, authentication and authorization, and shared hosting.

The author credibly describes by examples the types of attacks against forms and URLs - cross-site scripting, cross site request forgeries, spoofing of forms, and insecure Raw HTTP requests. Authentication attacks include dictionary attacks, password sniffing, replay attacks, and cookie stealing. For each, he briefly describes how the attacks work, shows examples of insecure code, and provides examples of secure code.

For each of the elements dealt with, the author follows the same model: describe briefly the types of attacks against each element, show conventionally-used insecure code, and show how to eliminate the insecure parts of the code. Most of the security defenses entail filtering data from outside sources, especially form input, email, and XML documents from other web applications. Other defense techniques include using SSL for encrypted data transmissions, strengthening identification methods, hard-coding file paths, and using token techniques in addition to PHP encryption functions. Interestingly, Schiflett believes it is impossible to achieve a high level of security in a shared hosting situation. He provides suggestions on what security measures will help the most.

What is most useful about this book is the aggregation in one place of descriptions of all of these security attacks, and vulnerabilities in PHP code, along with suggestions on dealing with them. The organization of the material is good, however. I believe the author falls short in his code examples. There appears to be a disconnect between the descriptive text (which is clear enough) and the examples, which are not, at least to me, a novice in PHP. I could not readily follow the detailed code segments, although I could understand in principle what was going on.

Some of the code segments were barely explained and some were inadequately explained. The concepts of the attacking techniques were understandable, but the detailed implementations were not. There are a small handful of illustrations, but I found them too simplistic and inadequate. To be fair, this may be a failure of the reviewer. More experienced PHP folks may not complain about the presentations. For them, this book gives them what they need to know about handling the security aspects of their applications, but my guess is that it is the less accomplished coders who need the most help (although those same people are probably writing the types of applications and sites least likely to be targeted by miscreants.)

There are three short appendices presenting suggestions on how to configure a PHP installation to minimize weaknesses, suggestions about avoiding certain powerful PHP functions, especially system commands, to minimize risk, and a short segment on cryptography features in PHP.

This book helped me identify and report a critical security vulnerability in a commercial third party PHP application we were planning to deploy in a business-critical fashion. For that alone, it was worth its weight in gold.

This books is the antidoe to the common misperception that PHP applications fall short on security. With sparkling clarity, Chris demystifies dozens of attacks and provides both solid theoretical and practical bases for coding securely in PHP. Throughout his work as a PHP security consultant, and culminating in this book, Chris has defined the lexicon for web security -- telling us precisely what it means to filter input, and precisely what it means to escape output -- as well as when, how and why. This is nothing short of a defining work on web application security as it applies specifically to PHP.

While this book does not cover using encoders (like the Zend Encoder or IonCube Encoder) to heighten security in a plain-text scripting language, every other topic you would expect to be covered is treated -- above all -- with accuracy, and all in just over a hundred pages. Where other authors might potificte to fill pages, Chris crafted this book to live up to its title -- it is indeed essential, distilled, and precise. Therefore there is little excuse from this point on to not have read it at least once, and thumb through it from time to time when developing or auditing a PHP application. I intend to make it required reading in my department, and recommend it highly to colleagues in other companies developing web applications in PHP.