Securing PHP: The Usual Suspects cover page

Securing PHP: The Usual Suspects

Securing PHP: The Usual Suspects

Web application security is complex, there's no doubt about that. Thankfully a large part of the problems can be boiled down to ten major issues. This book covers those issues and how to harden your PHP against them.
Securing PHP: The Usual Suspects Edit
This book is 40% complete


About the Book

You are the developer, you hold the power in your hands to protect your users and their information. They trust you with it, shouldn't you do everything you can to keep that trust?

Let me guide you through a look at some of the most common issues with web applications and suggest ways to correct them along the way. Even if you're a novice to security or to PHP, this book can help you get started down a more secure path. The OWASP Top 10 is a great guide to the common vulnerabilities, but it doesn't provide the useful, concrete examples you need to be a more effective and secure developer. I'll provide this foundation on topics like:

  • Cross-site scripting, what it is and how to prevent it
  • Poor authentication and authorization practices
  • Preventing several types of injection
  • Auditing potentially vulnerable components
  • Protecting your users' sensitive data

This book will help you sleep better at night knowing you've put in the time and work to protect your applications and the users that trust it.

The book is a work in progress with more content to come as time goes on. Right now, only the injection chapter is completed, but more is soon to come. When you purchase the book, future content updates will automatically be sent to you at no addiitonal charge.



  •     SQL injection
  •     Path injection
  •     Code injection
  •     Command injection
  •     XML injection
  •     HTML5 injection

Broken Authentication & Session Management

  •     Securing Sessions
  •     Reinventing the wheel
  •     Using SSL
  •     Use (and enforce) strong passwords
  •     Password Storage
  •     Permissioning Levels
  •     Forgot Username/Password
  •     Defining lockouts

Cross-site Scripting (XSS)

  •     What it is
  •     Why it's dangerous
  •     Prevention

Insecure Object References

Security Misconfiguration

  •     Your PHP.ini
  •     Third-party software updates
  •     Don't forget the platform

Sensitive Data Exposure

  •     Custom Error handling
  •     Custom Exception handling

Missing Function Level Access Control

  •     Discovery
  •     URL enumeration
  •     Data filtering
  •     Verify on client, verify on server
  •     Related

Using Components with Known Vulnerabilities

Unvalidated Redirects & Forwards

Appendix A: Input Validation & Filtering

  •     Filtering & Validation Overview
  •     Built-in Methods
  •     Libraries

Read more

Table of Contents

  • Thank you!
  • Introduction
  • Injection
    • SQL Injection
    • Path injection
    • Code injection
    • Command injection
    • XML injection
    • HTML5 Injection
  • Broken Authentication & Session Managemnt
    • Securing Sessions
    • Reinventing the Wheel
    • Using SSL
    • Use (and Enforce) Strong Passwords
    • Password Storage
    • Permissioning Levels
    • Define Lockouts
  • Cross-Site Scripting (XSS)
    • Types of Cross-Site Scripting Vulnerabilities
    • Why it’s Dangerous
    • It’s all about context
    • Other Prevention
  • Insecure Direct Object References
    • Being Direct
    • In APIs (and Pages)
    • Accessing data not allowed by your current user level
    • Horizontal Authorization
  • Security Misconfiguration
    • PHP.ini - General Settings
    • PHP.ini - Session Settings
    • Third-Party Software Updates
    • Don’t Forget the Environment

Read More

About the Author

Other books by this author

The Leanpub Unconditional, No Risk, 100% Happiness Guarantee

Within 45 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks. We process the refunds manually, so they may take a few days to show up.
See full terms