Foreword
Preface
1. Introduction
   PHP Features
   Principles
   Practices
2. Forms and URLs
   Forms and Data
   Semantic URL Attacks
   File Upload Attacks
   Cross-Site Scripting
   Cross-Site Request Forgeries
   Spoofed Form Submissions
   Spoofed HTTP Requests
3. Databases and SQL
   Exposed Access Credentials
   SQL Injection
   Exposed Data
4. Sessions and Cookies
   Cookie Theft
   Exposed Session Data
   Session Fixation
   Session Hijacking
5. Includes
   Exposed Source Code
   Backdoor URLs
   Filename Manipulation
   Code Injection
6. Files and Commands
   Traversing the Filesystem
   Remote File Risks
   Command Injection
7. Authentication and Authorization
   Brute Force Attacks
   Password Sniffing
   Replay Attacks
   Persistent Logins
8. Shared Hosting
   Exposed Source Code
   Exposed Session Data
   Session Injection
   Filesystem Browsing
   Safe Mode
A. Configuration Directives
B. Functions
C. Cryptography
Index
Chris Shiflett has been developing Web applications with PHP for a number of years. He is the author of the HTTP Developer's Handbook and frequently writes about Web application security. As an open source advocate, he maintains several open source projects and is a member of the PHP development team. Chris is currently writing the PHP Security Handbook to be published by O'Reilly and Associates.
"You've heard the nasty stories about PHP sites being wiped off the web by evil hackers? Sadly it's not scare-mongering, as it does happen, and as much as we love PHP it needs proper security to keep your site safe from harm. Plenty of PHP books have the odd chapter on security, but at last O'Reilly have published a whole volume dedicated to the cause, with all the code you'll need to keep everything in order. Each chapter covers a different aspect of the application, from form processing to database programming and session management. Written in a straightforward style, it's ideal for every PHP user, but at GBP20 you might expect a little more than just 100 pages." - .NET, November 2005

"If you write PHP scripts, get a copy" - Alain Williams, news@UK, March 2006