Securing PHP web applications / Tricia Ballad, William Ballad.

O'Reilly Online Learning: Academic/Public Library Edition Available online

Format:
Book
Author/Creator:
Ballad, Tricia.
Contributor:
Ballad, Bill.
Language:
English
Subjects (All):
PHP (Computer program language).
Web services--Security measures.
Web services.
Internet--Computer programs--Security measures.
Internet.
Application software--Development.
Application software.
PHP (Computer program language)--Security measures.
Web services--Security measures--Computer programs.
Internet--Development.
Physical Description:
1 online resource (xv, 308 p.) : ill.
Edition:
1st edition
Place of Publication:
Upper Saddle River, NJ : Addison-Wesley, c2009.
Language Note:
English
System Details:
text file
Summary:
Easy, Powerful Code Security Techniques for Every PHP Developer Hackers specifically target PHP Web applications. Why? Because they know many of these apps are written by programmers with little or no experience or training in software security. Don’t be victimized. Securing PHP Web Applications will help you master the specific techniques, skills, and best practices you need to write rock-solid PHP code and harden the PHP software you’re already using. Drawing on more than fifteen years of experience in Web development, security, and training, Tricia and William Ballad show how security flaws can find their way into PHP code, and they identify the most common security mistakes made by PHP developers. The authors present practical, specific solutions–techniques that are surprisingly easy to understand and use, no matter what level of PHP programming expertise you have. Securing PHP Web Applications covers the most important aspects of PHP code security, from error handling and buffer overflows to input validation and filesystem access. The authors explode the myths that discourage PHP programmers from attempting to secure their code and teach you how to instinctively write more secure code without compromising your software’s performance or your own productivity. 
Coverage includes:
Designing secure applications from the very beginning, and plugging holes in applications you can’t rewrite from scratch
Defending against session hijacking, fixation, and poisoning attacks that PHP can’t resist on its own
Securing the servers your PHP code runs on, including specific guidance for Apache, MySQL, IIS/SQL Server, and more
Enforcing strict authentication and making the most of encryption
Preventing dangerous cross-site scripting (XSS) attacks
Systematically testing your applications for security, including detailed discussions of exploit testing and PHP test automation
Addressing known vulnerabilities in the third-party applications you’re already running
Tricia and William Ballad demystify PHP security by presenting realistic scenarios and code examples, practical checklists, detailed visuals, and more. Whether you write Web applications professionally or casually, or simply use someone else’s PHP scripts, you need this book, and you need it now, before the hackers find you!
Contents:
Cover
Contents
Acknowledgments
About the Authors
Part I: Web Development Is a Blood Sport-Don't Wander onto the Field Without a Helmet
Chapter 1 Security Is a Server Issue and Other Myths
Reality Check
Security Is a Server Issue
Security Through Obscurity
Native Session Management Provides Plenty of Security
"My Application Isn't Major Enough to Get Hacked"
The "Barbarians at the Gate" Syndrome
Wrapping It Up
Part II: Is That Hole Really Big Enough to Drive a Truck Through?
Chapter 2 Error Handling
The Guestbook Application
Users Do the Darnedest Things . . .
Building an Error-Handling Mechanism
Chapter 3 System Calls
Navigating the Dangerous Waters of exec(), system(), and Backticks
Using escapeshellcmd() and escapeshellarg() to Secure System Calls
Create an API to Handle All System Calls
Patch the Guestbook Application
Part III: What's In a Name? More Than You Expect
Chapter 4 Buffer Overflows and Variable Sanitation
What Is a Buffer, How Does It Overflow, and Why Should You Care?
Prevent Buffer Overflows by Sanitizing Variables
Patch the Application
Chapter 5 Input Validation
New Feature: Allow Users to Sign Their Guestbook Comments
The Problem: Users Who Give You More Than You Asked For
Assumptions: You Know What Your Data Looks Like
The Solution: Regular Expressions to Validate Input
Chapter 6 Filesystem Access: Accessing the Filesystem for Fun and Profit
Opening Files
Creating and Storing Files
Changing File Properties Safely
Patching the Application to Allow User-Uploaded Image Files
Part IV: "Aw come on man, you can trust me"
Chapter 7 Authentication
What Is User Authentication?
Privileges
How to Authenticate Users
Storing Usernames and Passwords
Patching the Application to Authenticate Users
Chapter 8 Encryption
What Is Encryption?
Choosing an Encryption Type
Password Security
Patching the Application to Encrypt Passwords
Chapter 9 Session Security
What Is a Session Variable?
Major Types of Session Attacks
Patching the Application to Secure the Session
Chapter 10 Cross-Site Scripting
What Is XSS?
Reflected XSS
Stored XSS
Patching the Application to Prevent XSS Attacks
Part V: Locking Up for the Night
Chapter 11 Securing Apache and MySQL
Programming Languages, Web Servers, and Operating Systems Are Inherently Insecure
Securing a UNIX, Linux, or Mac OS X Environment
Securing Apache
Securing MySQL
Chapter 12 Securing IIS and SQL Server
Securing a Windows Server Environment
Securing IIS
Securing SQL Server
Chapter 13 Securing PHP on the Server
Using the Latest Version of PHP
Using the Security Features Built into PHP and Apache
Using ModSecurity
Hardening php.ini
Chapter 14 Introduction to Automated Testing
Why Are We Talking About Testing in a Security Book?
Testing Framework
Types of Tests
Choosing Solid Test Data
Chapter 15 Introduction to Exploit Testing
What Is Exploit Testing?
Fuzzing
Testing Toolkits
Proprietary Test Suites
Part VI: "Don't Get Hacked" Is Not a Viable Security Policy
Chapter 16 Plan A: Designing a Secure Application from the Beginning
Before You Sit Down at the Keyboard . . .
Identifying Points of Failure
Chapter 17 Plan B: Plugging the Holes in Your Existing Application
Set Up Your Environment
Application Hardening Checklist
Wrapping It Up
Epilogue: Security Is a Lifestyle Choice: Becoming a Better Programmer
Avoid Feature Creep
Write Self-Documenting Code
Use the Right Tools for the Job
Have Your Code Peer-Reviewed
Appendix: Additional Resources
PEAR
Books
Web Sites
Tools
Integrated Development Environments (IDE) and Frameworks
Exploit Testing Tools
Automated Testing Tools
Glossary
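Chapter 3 names escapeshellcmd() and escapeshellarg() as the tools for securing system calls, and Chapter 5 covers validating input against a known shape with regular expressions. The PHP below is an added example written for this record, not code from the book or its guestbook application; the upload directory path, the `identify` command and the function names are assumptions chosen for illustration. It builds the same command three ways, returning the command strings rather than executing them, so the difference between the vulnerable, half-fixed and hardened forms can be inspected before anything runs.

```php
<?php
declare(strict_types=1);

// Added example, not code from the book. The "guestbook" upload directory
// and the `identify` tool are assumptions for illustration.
const UPLOAD_DIR = '/var/www/guestbook/uploads/';

// 1. Vulnerable: raw concatenation. A file name such as "x;id -u" makes the
//    shell run a second command after identify.
function buildVulnerable(string $file): string
{
    return 'identify ' . UPLOAD_DIR . $file;
}

// 2. Still wrong: escapeshellcmd() backslash-escapes shell metacharacters
//    across the whole string, so ";" can no longer start a new command, but
//    it leaves spaces alone. "x;id -u" therefore becomes two arguments to
//    identify, and a name beginning with "-" would be parsed as an option.
function buildHalfFixed(string $file): string
{
    return escapeshellcmd('identify ' . UPLOAD_DIR . $file);
}

// 3. Hardened: reject anything that is not a plain basename, then pass the
//    single argument through escapeshellarg(), which wraps it in single
//    quotes so the shell hands identify exactly one token. "--" ends option
//    parsing so even a tolerated leading "-" could not become a flag.
function buildHardened(string $file): string
{
    // Allowlist: an alphanumeric first, then up to 63 of [A-Za-z0-9._-].
    // No "/" means no path traversal; no leading "-" means no option injection.
    if (preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $file) !== 1) {
        throw new InvalidArgumentException('file name rejected by allowlist');
    }
    return 'identify -- ' . escapeshellarg(UPLOAD_DIR . $file);
}

// Execute only the hardened form; the builders above just return strings.
function runHardened(string $file): string
{
    $out = shell_exec(buildHardened($file));
    return is_string($out) ? $out : '';
}

// Constructed inputs: one benign, one carrying a shell-injection attempt.
foreach (['kitten.jpg', 'x;id -u'] as $input) {
    echo "input: {$input}\n";
    echo "  vulnerable: ", buildVulnerable($input), "\n";
    echo "  half-fixed: ", buildHalfFixed($input), "\n";
    try {
        echo "  hardened:   ", buildHardened($input), "\n";
    } catch (InvalidArgumentException $e) {
        echo "  hardened:   ", $e->getMessage(), "\n";
    }
}
```

Run with `php example.php` to see the three command strings side by side. The check that matters is the allowlist: escapeshellarg() alone stops the shell from splitting or interpreting the argument, but only the regular expression keeps a caller from naming a file outside the upload directory or handing the program something that looks like an option.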
Notes:
Bibliographic Level Mode of Issuance: Monograph
Includes bibliographical references (p. 285-288) and index.
Description based on publisher supplied metadata and other sources.
ISBN:
9786612648779
9780321574336
0321574338
9781282648777
1282648772
9780321574329
032157432X
9780321574312
0321574311
OCLC:
1027164636