Securing PHP: The Usual Suspects
Securing PHP: The Usual Suspects
About the Book
You are the developer, you hold the power in your hands to protect your users and their information. They trust you with it, shouldn't you do everything you can to keep that trust?
Let me guide you through a look at some of the most common issues with web applications and suggest ways to correct them along the way. Even if you're a novice to security or to PHP, this book can help you get started down a more secure path. The OWASP Top 10 is a great guide to the common vulnerabilities, but it doesn't provide the useful, concrete examples you need to be a more effective and secure developer. I'll provide this foundation on topics like:
- Cross-site scripting, what it is and how to prevent it
- Poor authentication and authorization practices
- Preventing several types of injection
- Auditing potentially vulnerable components
- Protecting your users' sensitive data
This book will help you sleep better at night knowing you've put in the time and work to protect your applications and the users that trust it.
The book is a work in progress with more content to come as time goes on. Right now, only the injection chapter is completed, but more is soon to come. When you purchase the book, future content updates will automatically be sent to you at no addiitonal charge.
Outline:
Injection
- SQL injection
- Path injection
- Code injection
- Command injection
- XML injection
- HTML5 injection
Broken Authentication & Session Management
- Securing Sessions
- Reinventing the wheel
- Using SSL
- Use (and enforce) strong passwords
- Password Storage
- Permissioning Levels
- Forgot Username/Password
- Defining lockouts
Cross-site Scripting (XSS)
- What it is
- Why it's dangerous
- Prevention
Insecure Object References
Security Misconfiguration
- Your PHP.ini
- Third-party software updates
- Don't forget the platform
Sensitive Data Exposure
- Custom Error handling
- Custom Exception handling
Missing Function Level Access Control
- Discovery
- URL enumeration
- Data filtering
- Verify on client, verify on server
- Related
Using Components with Known Vulnerabilities
Unvalidated Redirects & Forwards
Appendix A: Input Validation & Filtering
- Filtering & Validation Overview
- Built-in Methods
- Libraries
About the Author
Table of Contents
- Thank you!
- Introduction
-
Injection
- SQL Injection
- Path injection
- Code injection
- Command injection
- XML injection
- HTML5 Injection
-
Broken Authentication & Session Managemnt
- Securing Sessions
- Reinventing the Wheel
- Using SSL
- Use (and Enforce) Strong Passwords
- Password Storage
- Permissioning Levels
- Define Lockouts
-
Cross-Site Scripting (XSS)
- Types of Cross-Site Scripting Vulnerabilities
- Why it’s Dangerous
- It’s all about context
- Other Prevention
-
Insecure Direct Object References
- Being Direct
- In APIs (and Pages)
- Accessing data not allowed by your current user level
- Horizontal Authorization
-
Security Misconfiguration
- PHP.ini - General Settings
- PHP.ini - Session Settings
- Third-Party Software Updates
- Don’t Forget the Environment
Other books by this author
The Leanpub 45-day 100% Happiness Guarantee
Within 45 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.
See full terms
Do Well. Do Good.
Authors have earned$11,049,989writing, publishing and selling on Leanpub, earning 80% royalties while saving up to 25 million pounds of CO2 and up to 46,000 trees.
Learn more about writing on Leanpub
Free Updates. DRM Free.
If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).
Most Leanpub books are available in PDF (for computers), EPUB (for phones and tablets) and MOBI (for Kindle). The formats that a book includes are shown at the top right corner of this page.
Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.
Learn more about Leanpub's ebook formats and where to read them
Top Books
- #1
Software economics
Luis Artola¿Estás harto del "ellos" y "nosotros" cuando se habla de los técnicos y el resto de la empresa? ¿Sabes cuándo refactorizar "es bueno" pero no encuentras la manera de discutirlo con otros? ¿Te vendría bien un marco mental que te ayude a decidir cuando está justificado trabajar en pareja y cuando no?
- #2
Functional event-driven architecture: Powered by Scala 3
Gabriel VolpeExplore the event-driven architecture (EDA) in a purely functional way, mainly powered by Fs2 streams in Scala 3!
Leverage your functional programming skills by designing and writing stateless microservices that scale, powered by stateful message brokers.
- #3
Practical FP in Scala: A hands-on approach
Gabriel VolpeA practical book aimed for those familiar with functional programming in Scala who are yet not confident about architecting an application from scratch.
Together, we will develop a purely functional application using the best libraries in the Cats ecosystem, while learning about design patterns and best practices.
- #4
Hype Cycle Of The Top 50 Emerging Digital Health Trends
Dr. Bertalan MeskoDigital technologies have completely transformed our lives in the last couple of years and started to entirely reshape the landscape of healthcare. The future of healthcare is shaping up in front of our eyes with advances in digital healthcare technologies..
In this book, we analyze the Hype Cycle Of The Top 50 Emerging Digital Health Trends.
- #5
C++ Best Practices
Jason TurnerLevel up your C++, get the tools working for you, eliminate common problems, and move on to more exciting things!
- #6
Ansible for DevOps
Jeff GeerlingAnsible is a simple, but powerful, server and configuration management tool. Learn to use Ansible effectively, whether you manage one server—or thousands.
- #7
Deep Learning in Production
Sergios KaragiannakosBuild, train, deploy, scale and maintain deep learning models. Understand ML infrastructure and MLOps using hands-on examples.
- #8
Functional Programming Made Easier
Charles ScalfaniA Functional Programming book from beginner to advanced without skipping a single step along the way.
In my 40 years of programming, I've felt that programming books always let me down, especially Functional Programming books. So, I wrote the book I wish I had 5 years ago.
Functional Programming will never be easy, but it can be easier.
- #9
node-opcua by example
Etienne RossignonGet the best out of node-opcua through a set of documented examples by the author himself that will allow you to create stunning OPCUA Servers or Clients.
- #10
Stratospheric
Tom Hombergs, Björn Wilmsmann, and Philip RiecksFrom Zero to Production with Spring Boot and AWS. All you need to know to get a Spring Boot application into production with AWS. No previous AWS knowledge required.
Go to stratospheric.dev for a tour of the contents.
Top Bundles
- #1
CCIE Service Provider Ultimate Study Bundle
2 Books
Piotr Jablonski, Lukasz Bromirski, and Nick Russo have joined forces to deliver the only CCIE Service Provider training resource you'll ever need. This bundle contains a detailed and challenging collection of workbook labs, plus an extensively detailed technical reference guide. All of us have earned the CCIE Service Provider certification... - #2
Software Architecture for Developers: Volumes 1 & 2 - Technical leadership and communication
2 Books
"Software Architecture for Developers" is a practical and pragmatic guide to modern, lightweight software architecture, specifically aimed at developers. You'll learn:The essence of software architecture.Why the software architecture role should include coding, coaching and collaboration.The things that you really need to think about before... - #4
Practical FP in Scala + Functional event-driven architecture
2 Books
Practical FP in Scala (A hands-on approach) & Functional event-driven architecture, aka FEDA, (Powered by Scala 3), together as a bundle! The content of PFP in Scala is a requirement to understand FEDA so why not take advantage of this bundle!? - #5
Modern C++ Collection
3 Books
Get All about Modern C++C++ Standard Library, including C++20Concurrency with Modern C++, including C++20C++20Each book has about 200 complete code examples. Updates are included. When I update one of the books, you immediately get the updated bundle. You can expect significant updates to each new C++ standard (C++23, C++26, .. ) and also... - #7
Books on problem-solving using Agile, Lean, Complexity, and more
6 Books
Six great books on problem-solving. Learn how to deal with impediments using agile practices, do A3 problem-solving with lean thinking, apply complexity science, finding root causes, and do event storming. All in one buy for a largely reduced price! Books included Agile teams need to be able to handle impediments. The book Problem? What Problem?... - #8
10 Books Bundle - A New Career in Tech 🚀
10 Books
Do you want to create yourself a new and profitable skillset - in one year or less? Do you want to position yourself on the right side of change finally? Do you want to work from home and set your own work schedule while choosing fun and interesting coding projects? Software developers and freelance developersearn six figuresin the US, according... - #10
Pattern-Oriented Memory Forensics and Malware Detection
2 Books
This training bundle for security engineers and researchers, malware and memory forensics analysts includes two accelerated training courses for Windows memory dump analysis using WinDbg. It is also useful for technical support and escalation engineers who analyze memory dumps from complex software environments and need to check for possible...
