8

After creating a simple login system and trying to protect it against things like SQL injection, Session Hijacking, XSS, etc, I've found that I really enjoy doing this type of thing. I'd like to pick up a book and dive into all the details regarding PHP / database security and intrusion prevention/detection tactics.

Basically, I'm wanting to learn properly from the get-go. I've found Essential PHP Security, but since it was published in 2005, I imagine they will use things like mysql_ (deprecated) and potential a non OOP structure. I've also been using this page for assistance along with the PHP documentation, but I was hoping to go more in-depth (particularly relating to security).

Can anyone suggest a book that is updated for use today (so...):

  • Contains information about PDO Connections
  • Uses prepared statements to escape variables
  • Uses Object Oriented Approach for structure
  • Involves HTML templates for separation of languages
  • Preventing XSS, Session Hijacking, Null Byte intrusions, Cookie stealing, etc.

If there isn't a book that really addresses these things (yet), can the concepts from Essential PHP Security (or another recommended book) still be applied for most uses today?

Thanks for the input! I'm just trying to learn properly and avoid bad habits.

EDIT: I posted this elsewhere at first and a lot of the comments I received were along the lines of "I wouldn't use PHP" or "Use jQuery". Why is PHP security not a good area of focus?

Pierre.Vriens
  • 165
  • 1
  • 1
  • 11
Mattiavelli
  • 183
  • 7
  • 4
    In answer to your final paragraph; PHP security is a great area to be in career-wise. Given that the vast majority of sites out there are PHP and very insecure. People scoff at PHP because it lends itself to being very badly written. It is also a pretty broken language in general, making it often difficult to secure properly. PHP is unlikely to be a technology of choice when implementing a security-focused system for these reasons. – lynks Jul 17 '13 at 16:11
  • @lynks I see, that's much more understandable. I appreciate the clarification! – Mattiavelli Jul 17 '13 at 16:29
  • @bobince I checked this question out! It's where I found the "Essential PHP Security" suggestion, but I was afraid it would be outdated. Anyhow, thanks for the link! – Mattiavelli Jul 17 '13 at 16:48
  • For what it's worth, PHP hasn't really changed that much of late, given that PHP6 was strangled at birth. A book that was decent from five years ago (if there is such a beast!) is probably still reasonable today. – bobince Jul 17 '13 at 17:01
  • @bobince Noted. Now to start on this quest to find a decent PHP book! – Mattiavelli Jul 17 '13 at 17:03
  • 2
    If you're looking for a modern, security-conscious book about PHP, I'd like to recommend "How to stop using PHP". – Darius Jahandarie Jul 18 '13 at 02:39
  • FWIW, OReilly has The Tangled Web on sale today. Not specifically about PHP, but about fundamentals of web security in general. – Tim Pietzcker Jul 18 '13 at 05:29
  • @TimPietzcker It seems I've missed the sale, but the summary and reviews sound pretty good. I'll probably pick this up tonight, thanks for the suggestion! – Mattiavelli Jul 18 '13 at 13:27
  • A book will never be up to date. If you really want to read a lot about security, then read this: http://cwe.mitre.org/data/index.html . (By PHP security starts with suhosin.) – inf3rno May 27 '14 at 23:08
  • Consider stopping using PHP altogether, but if you insist I recommend PHP The Right Way. It's free and you can contribute on Github. – André Borie Jun 25 '16 at 12:28

2 Answers2

4

I'm not a PHP developer, so I don't have any specific recommendations, but from my experience I can give some general guidance that may be useful.

First, buy the newest PHP security specific book you can find. As established as PHP is, and as soft as the technical book market has been for the last decade, there aren't a lot of options, but there are a few out there. "Securing PHP Web Applications" from 2008 is the newest I've been able to find. The newer books will not only have more up to date information on PHP, but also more information on current attacks and threats.

Second, for more general PHP development education, look for a book with something like "Advanced" or "Technical" in the title, like "PHP Advanced and Object-Oriented Programming" (I have no idea if that specific book is any good.) Beginner books (in any language or technology) are notorious for including disastrous shortcuts for the sake of simplicity, and rarely if ever worry about best practices...They're designed to show you how to get something working with the least amount of code possible, and it's almost always terrible code. Advanced books have the luxury of being able to target readers with prior knowledge where best practices are more important than absolute simplicity, and you're far more likely to find a book that incorporates good security practices.

Third, (and this may be obvious) don't rely only on a book for your security information. Internet resources such as the OWASP website will always be far more current and provide a greater amount of detail around current security practices and threats.

Xander
  • 35,796
  • 27
  • 116
  • 144
  • Awesome, I appreciate the advice! I have never really considered the potential shortcuts that 'beginner' books may include, so I'll take this into consideration when searching for one (as well as OWASP - which I currently use for reference). I'll accept your answer shortly. If you don't mind me asking, what particular language/technology do you personally think is an exciting focus for security? I know this is a subjective question, but I'm curious of potential security-related fields, and opinions are okay for that! Thanks again – Mattiavelli Jul 17 '13 at 16:40
  • 1
    From the Amazon snippet, it would seem Securing PHP Web Applications thinks strip_tags() is the way to defend against HTML injections, and PHP Advanced and Object-Oriented Programming has endemic HTML-injections, in non-template functions that throw HTML strings about. Gah! – bobince Jul 17 '13 at 16:47
  • @bobince That's unfortunate. Hopefully the rest of the book is better, or there are better options. In any case, that's a perfect example of why vetting techniques through secondary resources is always advisable. – Xander Jul 17 '13 at 16:53
  • Nice catch, I'll keep my eyes open. Appreciate the help guys. – Mattiavelli Jul 17 '13 at 17:04
  • @Phas1c Eh, I'm fairly pragmatic when it comes to languages and technologies, so there aren't any that I find particularly exciting from a security standpoint. It's really more about taking whatever you're giving to work with, and learning it well enough to design and build in optimal security given whatever limitations it may have. Finding the "right" toolset is less important than becoming an expert with whatever toolset you have. – Xander Jul 17 '13 at 17:04
  • @Xander That's a fair answer. Still have another year before graduating, so I suppose I'll find out what toolset to focus on soon enough! – Mattiavelli Jul 17 '13 at 17:17
3

It's not a book, it's a site but I've been building up some PHP-related tutorials and articles on my site Websec.io (http://websec.io). They're definitely more recent than Chris' book...take a look.

EDIT: Since this post, I've also released a set of ebooks specifically about securing PHP applications: securingphp.com.

enygma
  • 141
  • 3