Securing PHP: The Usual Suspects
Minimum price
Suggested price

Securing PHP: The Usual Suspects

About the Book

You are the developer, you hold the power in your hands to protect your users and their information. They trust you with it, shouldn't you do everything you can to keep that trust?

Let me guide you through a look at some of the most common issues with web applications and suggest ways to correct them along the way. Even if you're a novice to security or to PHP, this book can help you get started down a more secure path. The OWASP Top 10 is a great guide to the common vulnerabilities, but it doesn't provide the useful, concrete examples you need to be a more effective and secure developer. I'll provide this foundation on topics like:

  • Cross-site scripting, what it is and how to prevent it
  • Poor authentication and authorization practices
  • Preventing several types of injection
  • Auditing potentially vulnerable components
  • Protecting your users' sensitive data

This book will help you sleep better at night knowing you've put in the time and work to protect your applications and the users that trust it.

The book is a work in progress with more content to come as time goes on. Right now, only the injection chapter is completed, but more is soon to come. When you purchase the book, future content updates will automatically be sent to you at no addiitonal charge.



  •     SQL injection
  •     Path injection
  •     Code injection
  •     Command injection
  •     XML injection
  •     HTML5 injection

Broken Authentication & Session Management

  •     Securing Sessions
  •     Reinventing the wheel
  •     Using SSL
  •     Use (and enforce) strong passwords
  •     Password Storage
  •     Permissioning Levels
  •     Forgot Username/Password
  •     Defining lockouts

Cross-site Scripting (XSS)

  •     What it is
  •     Why it's dangerous
  •     Prevention

Insecure Object References

Security Misconfiguration

  •     Your PHP.ini
  •     Third-party software updates
  •     Don't forget the platform

Sensitive Data Exposure

  •     Custom Error handling
  •     Custom Exception handling

Missing Function Level Access Control

  •     Discovery
  •     URL enumeration
  •     Data filtering
  •     Verify on client, verify on server
  •     Related

Using Components with Known Vulnerabilities

Unvalidated Redirects & Forwards

Appendix A: Input Validation & Filtering

  •     Filtering & Validation Overview
  •     Built-in Methods
  •     Libraries

About the Author

Chris Cornutt
Chris Cornutt

Chris has been involved in the PHP community for over a decade. His contributions include curating the PHP news site, writing articles for his PHP-focused security site and speaking at web technology conferences all around the world. He's also written for several major PHP publications and is a co-organizer for both the Dallas PHP user group and the Lone Star PHP Conference. He currently works as an application security developer for Pardot, a division of Salesforce.

You can find him online at

Table of Contents

  • Thank you!
  • Introduction
  • Injection
    • SQL Injection
    • Path injection
    • Code injection
    • Command injection
    • XML injection
    • HTML5 Injection
  • Broken Authentication & Session Managemnt
    • Securing Sessions
    • Reinventing the Wheel
    • Using SSL
    • Use (and Enforce) Strong Passwords
    • Password Storage
    • Permissioning Levels
    • Define Lockouts
  • Cross-Site Scripting (XSS)
    • Types of Cross-Site Scripting Vulnerabilities
    • Why it’s Dangerous
    • It’s all about context
    • Other Prevention
  • Insecure Direct Object References
    • Being Direct
    • In APIs (and Pages)
    • Accessing data not allowed by your current user level
    • Horizontal Authorization
  • Security Misconfiguration
    • PHP.ini - General Settings
    • PHP.ini - Session Settings
    • Third-Party Software Updates
    • Don’t Forget the Environment

The Leanpub 60 Day 100% Happiness Guarantee

Within 60 days of purchase you can get a 100% refund on any Leanpub purchase, in two clicks.

Now, this is technically risky for us, since you'll have the book or course files either way. But we're so confident in our products and services, and in our authors and readers, that we're happy to offer a full money back guarantee for everything we sell.

You can only find out how good something is by trying it, and because of our 100% money back guarantee there's literally no risk to do so!

So, there's no reason not to click the Add to Cart button, is there?

See full terms...

80% Royalties. Earn $16 on a $20 book.

We pay 80% royalties. That's not a typo: you earn $16 on a $20 sale. If we sell 5000 non-refunded copies of your book or course for $20, you'll earn $80,000.

(Yes, some authors have already earned much more than that on Leanpub.)

In fact, authors have earnedover $13 millionwriting, publishing and selling on Leanpub.

Learn more about writing on Leanpub

Free Updates. DRM Free.

If you buy a Leanpub book, you get free updates for as long as the author updates the book! Many authors use Leanpub to publish their books in-progress, while they are writing them. All readers get free updates, regardless of when they bought the book or how much they paid (including free).

Most Leanpub books are available in PDF (for computers) and EPUB (for phones, tablets and Kindle). The formats that a book includes are shown at the top right corner of this page.

Finally, Leanpub books don't have any DRM copy-protection nonsense, so you can easily read them on any supported device.

Learn more about Leanpub's ebook formats and where to read them

Write and Publish on Leanpub

You can use Leanpub to easily write, publish and sell in-progress and completed ebooks and online courses!

Leanpub is a powerful platform for serious authors, combining a simple, elegant writing and publishing workflow with a store focused on selling in-progress ebooks.

Leanpub is a magical typewriter for authors: just write in plain text, and to publish your ebook, just click a button. (Or, if you are producing your ebook your own way, you can even upload your own PDF and/or EPUB files and then publish with one click!) It really is that easy.

Learn more about writing on Leanpub