Securing PHP: The Usual Suspects
Securing PHP: The Usual Suspects
About the Book
You are the developer, you hold the power in your hands to protect your users and their information. They trust you with it, shouldn't you do everything you can to keep that trust?
Let me guide you through a look at some of the most common issues with web applications and suggest ways to correct them along the way. Even if you're a novice to security or to PHP, this book can help you get started down a more secure path. The OWASP Top 10 is a great guide to the common vulnerabilities, but it doesn't provide the useful, concrete examples you need to be a more effective and secure developer. I'll provide this foundation on topics like:
- Cross-site scripting, what it is and how to prevent it
- Poor authentication and authorization practices
- Preventing several types of injection
- Auditing potentially vulnerable components
- Protecting your users' sensitive data
This book will help you sleep better at night knowing you've put in the time and work to protect your applications and the users that trust it.
The book is a work in progress with more content to come as time goes on. Right now, only the injection chapter is completed, but more is soon to come. When you purchase the book, future content updates will automatically be sent to you at no addiitonal charge.
Outline:
Injection
- SQL injection
- Path injection
- Code injection
- Command injection
- XML injection
- HTML5 injection
Broken Authentication & Session Management
- Securing Sessions
- Reinventing the wheel
- Using SSL
- Use (and enforce) strong passwords
- Password Storage
- Permissioning Levels
- Forgot Username/Password
- Defining lockouts
Cross-site Scripting (XSS)
- What it is
- Why it's dangerous
- Prevention
Insecure Object References
Security Misconfiguration
- Your PHP.ini
- Third-party software updates
- Don't forget the platform
Sensitive Data Exposure
- Custom Error handling
- Custom Exception handling
Missing Function Level Access Control
- Discovery
- URL enumeration
- Data filtering
- Verify on client, verify on server
- Related
Using Components with Known Vulnerabilities
Unvalidated Redirects & Forwards
Appendix A: Input Validation & Filtering
- Filtering & Validation Overview
- Built-in Methods
- Libraries
About the Author
Table of Contents
- Thank you!
- Introduction
-
Injection
- SQL Injection
- Path injection
- Code injection
- Command injection
- XML injection
- HTML5 Injection
-
Broken Authentication & Session Managemnt
- Securing Sessions
- Reinventing the Wheel
- Using SSL
- Use (and Enforce) Strong Passwords
- Password Storage
- Permissioning Levels
- Define Lockouts
-
Cross-Site Scripting (XSS)
- Types of Cross-Site Scripting Vulnerabilities
- Why it’s Dangerous
- It’s all about context
- Other Prevention
-
Insecure Direct Object References
- Being Direct
- In APIs (and Pages)
- Accessing data not allowed by your current user level
- Horizontal Authorization
-
Security Misconfiguration
- PHP.ini - General Settings
- PHP.ini - Session Settings
- Third-Party Software Updates
- Don’t Forget the Environment
Other books by this author
The Leanpub 45-day 100% Happiness Guarantee
Within 45 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.
See full terms
Do Well. Do Good.
Authors have earned$10,799,408writing, publishing and selling on Leanpub, earning 80% royalties while saving up to 25 million pounds of CO2 and up to 46,000 trees.
Learn more about writing on Leanpub
Free Updates. DRM Free.
If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).
Most Leanpub books are available in PDF (for computers), EPUB (for phones and tablets) and MOBI (for Kindle). The formats that a book includes are shown at the top right corner of this page.
Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.
Learn more about Leanpub's ebook formats and where to read them
Top Books
- #1
Aprendiendo Git
Miguel Angel Durán GarcíaGit no es complicado... ¡Si lo entiendes! 😜
¿Sientes que sabes usarlo porque has memorizado todos los comandos que necesitas? ¡Pero no entiendes qué hace cada cosa y por qué! Así es normal que, cuando exista un problema, te cueste resolverlo.
¡Con este libro vas a entender de una vez por todas todo lo que es Git y cómo sacarle provecho!
- #2
C++20
Rainer GrimmC++20 is the next big C++ standard after C++11. As C++11 did it, C++20 changes the way we program modern C++. This change is, in particular, due to the big four of C++20: ranges, coroutines, concepts, and modules.
- #3
Introducing EventStorming
Alberto BrandoliniThe deepest tutorial and explanation about EventStorming, straight from the inventor.
- #4
Functional Programming Made Easier
Charles ScalfaniA Functional Programming book from beginner to advanced without skipping a single step along the way.
In my 40 years of programming, I've felt that programming books always let me down, especially Functional Programming books. So, I wrote the book I wish I had 5 years ago.
Functional Programming will never be easy, but it can be easier.
- #5
Windows 10 System Programming, Part 2
Pavel Yosifovich - #6
Ansible for DevOps
Jeff GeerlingAnsible is a simple, but powerful, server and configuration management tool. Learn to use Ansible effectively, whether you manage one server—or thousands.
- #7
Jetpack Compose internals
Jorge CastilloJetpack Compose is the future of Android UI. Master how it works internally and become a more efficient developer with it. You'll also find it valuable if you are not an Android dev. This book provides all the details to understand how the Compose compiler & runtime work, and how to create a client library using them.
- #8
Thinking with Types
Sandy MaguireThis book aims to be the comprehensive manual for type-level programming. It's about getting you from here to there---from a competent Haskell programmer to one who convinces the compiler to do their work for them.
- #9
node-opcua by example
Etienne RossignonGet the best out of node-opcua through a set of documented examples by the author himself that will allow you to create stunning OPCUA Servers or Clients.
- #10
OpenIntro Statistics
David Diez, Christopher Barr, Mine Cetinkaya-Rundel, and OpenIntroA complete foundation for Statistics, also serving as a foundation for Data Science.
Leanpub revenue supports OpenIntro (US-based nonprofit) so we can provide free desk copies to teachers interested in using OpenIntro Statistics in the classroom and expand the project to support free textbooks in other subjects.
More resources: openintro.org.
Top Bundles
- #1
Software Architecture for Developers: Volumes 1 & 2 - Technical leadership and communication
2 Books
"Software Architecture for Developers" is a practical and pragmatic guide to modern, lightweight software architecture, specifically aimed at developers. You'll learn:The essence of software architecture.Why the software architecture role should include coding, coaching and collaboration.The things that you really need to think about before... - #2
CCIE Service Provider Ultimate Study Bundle
2 Books
Piotr Jablonski, Lukasz Bromirski, and Nick Russo have joined forces to deliver the only CCIE Service Provider training resource you'll ever need. This bundle contains a detailed and challenging collection of workbook labs, plus an extensively detailed technical reference guide. All of us have earned the CCIE Service Provider certification... - #3
The Python Craftsman
3 Books
The Python Craftsman series comprises The Python Apprentice, The Python Journeyman, and The Python Master. The first book is primarily suitable for for programmers with some experience of programming in another language. If you don't have any experience with programming this book may be a bit daunting. You'll be learning not just a programming... - #4
Modern C++ Collection
3 Books
Get All about Modern C++C++ Standard Library, including C++20Concurrency with Modern C++, including C++20C++20Each book has about 200 complete code examples. Updates are included. When I update one of the books, you immediately get the updated bundle. You can expect significant updates to each new C++ standard (C++23, C++26, .. ) and also... - #7
Pattern-Oriented Memory Forensics and Malware Detection
2 Books
This training bundle for security engineers and researchers, malware and memory forensics analysts includes two accelerated training courses for Windows memory dump analysis using WinDbg. It is also useful for technical support and escalation engineers who analyze memory dumps from complex software environments and need to check for possible... - #9
Development and Deployment of Multiplayer Online Games, Part ARCH. Architecture (Vol. I-III)
3 Books
What's the Big Idea? The idea behind this book is to summarize the body of knowledge that already exists on multiplayer games but is not available in one single place.And quite a fewof the issues discussed within this series (planned as three nine volumes ~300 pages each), while known in the industry, have not been published at all (except for...
