Network Security CISSP-Discussion

[CISSP-D] REVIEW: "Essential PHP Security", Chris Shiflett

Date: Mon, 31 Mar 2008 15:15:33 -0800
BKEPHPSC.RVW   20071123

"Essential PHP Security", Chris Shiflett, 2006, 0-596-00656-X,
U$29.95/C$41.95
%A   Chris Shiflett shiflett.org
%C   103 Morris Street, Suite A, Sebastopol, CA   95472
%D   2006
%G   0-596-00656-X
%I   O'Reilly & Associates, Inc.
%O   U$29.95/C$41.95 707-829-0515 fax: 707-829-0104 nuts@ora.com
%O  http://www.amazon.com/exec/obidos/ASIN/059600656X/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/059600656X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/059600656X/robsladesin03-20
%O   Audience s- Tech 2 Writing 1 (see revfaq.htm for explanation)
%P   109 p.
%T   "Essential PHP Security"

PHP is an acronym (albeit a somewhat recursive one, standing for PHP:
Hypertext Preprocessor) but neither the foreword, preface, book, nor
index expands it.  Similarly, the intent of the book is not clarified
in either the foreword or the preface.

Chapter one does state that the purpose of the text is to teach how to
write secure code (with security left undefined) using features unique
to PHP.  However, only two such distinctive functions are listed in
this section, and they are not explained very well.  (Three appendices
at the end of the work do list some PHP commands related to the
security conventions noted.)  More space is devoted to general
application development principles and practices for safe programming. 
Even there the solutions provided are outlined in terms of source code
rather than text, and the content requires an intimate knowledge of
PHP in order to derive value from the lessons presented.  In
discussing forms and URLs (Uniform Resource Locators), chapter two
distinguishes between filtered and tainted data, as well as GET and
POST form submissions, but does not initially examine the possibility
of user observation and deliberate malforming of submitted data. 
Where details are provided on security, they are introduced with
coding examples, and, again, the effectiveness of the proposed
solutions is unclear unless the reader is well familiar with PHP
internals.  The database and SQL (Structured Query Language)
programming styles suggested in chapter three are good, but it is far
from clear that the filtering recommended will, in fact, prevent all
possibility of SQL injection attacks.  Chapter four examines sessions
and cookies: the explanations here also rely on understanding the
source code.

Chapter five, in talking about includes, is mostly concerned with
placing the files outside the root directory.  Much the same emphasis
is present in regard to files and commands (particularly with respect
to file traversal) in chapter six, although there is some discussion
of command injection.  Once again, the specifics in regard to
authentication and authorization are material only in the source code
examples in chapter seven.  The text of chapter eight explicitly
admits that the ability to address security issues in shared hosting
environments is weak.

For those who are thoroughly experienced in PHP programming, this book
does recommend styles that can result in more secure Web applications. 
However, novice programmers, or even programmers experienced in other
languages, will have difficulty using the material effectively.

copyright Robert M. Slade, 2007   BKEPHPSC.RVW   20071123


======================  (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca     slade@victoria.tc.ca     rslade@computercrime.org
In answer to the question of why it happened, I offer the modest
proposal that our Universe is simply one of those things which
happen from time to time.                          - Edward P. Tryon
http://victoria.tc.ca/techrev/rms.htm
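The review's doubt about whether the filtering recommended in chapter three is enough to stop SQL injection is easy to make concrete. The script below is an added illustration, not code from Shiflett's book or from the reviewer. It assumes PHP with the pdo_sqlite extension and builds its own in-memory table and inputs (both constructed for the example), then runs the same lookup three ways: quote-escaping alone, a type-specific cast, and a parameterised query.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from Shiflett's book or from the review.
// It uses an in-memory SQLite database via PDO (ext/pdo_sqlite) so that it
// runs stand-alone; the table, rows and inputs are constructed for the example.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $db;
}

// "Filtered" lookup: doubles single quotes, which neutralises quote breakout
// inside a quoted string literal but does nothing when the value is
// interpolated bare into an integer comparison, because hostile input for
// that position needs no quote character at all.
function lookupEscaped(PDO $db, string $id): array
{
    $escaped = str_replace("'", "''", $id);
    $sql = "SELECT name FROM users WHERE id = $escaped";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Type-appropriate filter: forcing the value to an integer before
// interpolation is sufficient for this one sink, but the right filter has to
// be re-derived for every column type and every query.
function lookupCast(PDO $db, string $id): array
{
    $n = (int) $id;
    $sql = "SELECT name FROM users WHERE id = $n";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Parameterised lookup: the value is bound separately from the SQL text, so
// the database never parses attacker-controlled bytes as part of the statement.
function lookupPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
// Constructed inputs: note that the hostile one contains no quote character.
$inputs = ['benign' => '1', 'hostile' => '1 OR 1=1'];

foreach ($inputs as $label => $value) {
    printf("%-8s escaped: %s | cast: %s | prepared: %s\n",
        $label,
        json_encode(lookupEscaped($db, $value)),
        json_encode(lookupCast($db, $value)),
        json_encode(lookupPrepared($db, $value)));
}
```

Run with `php script.php`. With the hostile input the quote-escaping version returns every row, because the attacker never needed a quote; the cast version and the prepared statement each return only what a genuine id would. The difference between the last two is the one the review is gesturing at: a filter works only when it matches the type and position of the sink exactly, whereas binding the value keeps it out of the SQL grammar regardless of what the application forgot to consider.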
