A few weeks ago, Chris Shiflett, author of Essential PHP Security, was nice enough to give me some time for an interview on CodeSnipers. I figured the least I could do was give him and the community some feedback on his book. Read on for details.
I've been a software developer for quite a few years. I've been doing web development since '96 or so. My skills have steadily improved over the years, but I hadn't found a good solid resource for security principles and methods… until now.
Let's get this out of the way. Yes, it's focused on PHP. Yes, that means if you're working in something else, portions of the book just won't be applicable. But as long as you're working with any user input, database access, interacting with other systems, or simply building software, the rest of the book will be applicable to you. I've written Chris about this and he pointed out that he's focused on PHP and he wrote about what he knows, so don't hold it against him.
If you're like me, you have been involved in numerous projects which use a mishmash of “security” through passwords, obscurity, dumb luck, trusting users, and a variety of other aspects. Throw some AJAX black magic, programmable web concepts, and a few security vulnerabilities into the mix and you're sitting on a great big pile of trouble. Whether you're considering internal corporate applications or million-user-get-slashdotted applications, the underlying security concerns are pretty much the same: input cannot be trusted, and user input doubly so.
Seriously though, he lays out about 30 common exploits over the course of the book. Then he breaks each one down, explaining why it's effective and the strategies for fighting it. If you simply step through the code line by line, you're all set to handle your PHP problems. With a bit of translation (writing some Java in the margins, in my case), you're ready to handle other languages too. In fact, I've developed local TextUtils methods named identically to his functions just to make things that much simpler.
Overall, for PHP developers, I give this a solid 10. It's helpful, and it steps through the various problems, why they happen, and how to fix them… what could be better?
For developers in general, I give it a 9. There are sections of the book which are completely irrelevant to you, but the underlying principles are there. Ignore the PHP-specific functionality/code and learn the concepts. Then write your own code in the margins… 😉