Securing PHP: The Usual Suspects
About the Book
You are the developer, you hold the power in your hands to protect your users and their information. They trust you with it, shouldn't you do everything you can to keep that trust?
Let me guide you through a look at some of the most common issues with web applications and suggest ways to correct them along the way. Even if you're a novice to security or to PHP, this book can help you get started down a more secure path. The OWASP Top 10 is a great guide to the common vulnerabilities, but it doesn't provide the useful, concrete examples you need to be a more effective and secure developer. I'll provide this foundation on topics like:
- Cross-site scripting, what it is and how to prevent it
- Poor authentication and authorization practices
- Preventing several types of injection
- Auditing potentially vulnerable components
- Protecting your users' sensitive data
This book will help you sleep better at night knowing you've put in the time and work to protect your applications and the users that trust them.
The book is a work in progress with more content to come as time goes on. Right now, only the injection chapter is completed, but more is soon to come. When you purchase the book, future content updates will automatically be sent to you at no additional charge.
Outline:
Injection
- SQL injection
- Path injection
- Code injection
- Command injection
- XML injection
- HTML5 injection
Broken Authentication & Session Management
- Securing Sessions
- Reinventing the wheel
- Using SSL
- Use (and enforce) strong passwords
- Password Storage
- Permissioning Levels
- Forgot Username/Password
- Defining lockouts
Cross-site Scripting (XSS)
- What it is
- Why it's dangerous
- Prevention
Insecure Object References
Security Misconfiguration
- Your PHP.ini
- Third-party software updates
- Don't forget the platform
Sensitive Data Exposure
- Custom Error handling
- Custom Exception handling
Missing Function Level Access Control
- Discovery
- URL enumeration
- Data filtering
- Verify on client, verify on server
- Related
Using Components with Known Vulnerabilities
Unvalidated Redirects & Forwards
Appendix A: Input Validation & Filtering
- Filtering & Validation Overview
- Built-in Methods
- Libraries
Table of Contents
- Thank you!
- Introduction
Injection
- SQL Injection
- Path injection
- Code injection
- Command injection
- XML injection
- HTML5 Injection
Broken Authentication & Session Management
- Securing Sessions
- Reinventing the Wheel
- Using SSL
- Use (and Enforce) Strong Passwords
- Password Storage
- Permissioning Levels
- Define Lockouts
Cross-Site Scripting (XSS)
- Types of Cross-Site Scripting Vulnerabilities
- Why it’s Dangerous
- It’s all about context
- Other Prevention
Insecure Direct Object References
- Being Direct
- In APIs (and Pages)
- Accessing data not allowed by your current user level
- Horizontal Authorization
Security Misconfiguration
- PHP.ini - General Settings
- PHP.ini - Session Settings
- Third-Party Software Updates
- Don’t Forget the Environment