Commencez à lire Essential PHP Security sur votre Kindle dans moins d'une minute. Vous n'avez pas encore de Kindle ? Achetez-le ici Ou commencez à lire dès maintenant avec l'une de nos applications de lecture Kindle gratuites.

Envoyer sur votre Kindle ou un autre appareil


Essai gratuit

Découvrez gratuitement un extrait de ce titre

Envoyer sur votre Kindle ou un autre appareil

Désolé, cet article n'est pas disponible en
Image non disponible pour la
couleur :
Image non disponible

Essential PHP Security [Format Kindle]

Chris Shiflett
4.5 étoiles sur 5  Voir tous les commentaires (2 commentaires client)

Prix conseillé : EUR 20,04 De quoi s'agit-il ?
Prix éditeur - format imprimé : EUR 33,32
Prix Kindle : EUR 14,03 TTC & envoi gratuit via réseau sans fil par Amazon Whispernet
Économisez : EUR 19,29 (58%)

App de lecture Kindle gratuite Tout le monde peut lire les livres Kindle, même sans un appareil Kindle, grâce à l'appli Kindle GRATUITE pour les smartphones, les tablettes et les ordinateurs.

Pour obtenir l'appli gratuite, saisissez votre adresse e-mail ou numéro de téléphone mobile.


Prix Amazon Neuf à partir de Occasion à partir de
Format Kindle EUR 14,03  
Broché EUR 24,35  

Descriptions du produit

Présentation de l'éditeur

Being highly flexible in building dynamic, database-driven web applications makes the PHP programming language one of the most popular web development tools in use today. It also works beautifully with other open source tools, such as the MySQL database and the Apache web server. However, as more web sites are developed in PHP, they become targets for malicious attackers, and developers need to prepare for the attacks.

Security is an issue that demands attention, given the growing frequency of attacks on web sites. Essential PHP Security explains the most common types of attacks and how to write code that isn't susceptible to them. By examining specific attacks and the techniques used to protect against them, you will have a deeper understanding and appreciation of the safeguards you are about to learn in this book.

In the much-needed (and highly-requested) Essential PHP Security, each chapter covers an aspect of a web application (such as form processing, database programming, session management, and authentication). Chapters describe potential attacks with examples and then explain techniques to help you prevent those attacks.

Topics covered include:

  • Preventing cross-site scripting (XSS) vulnerabilities
  • Protecting against SQL injection attacks
  • Complicating session hijacking attempts

You are in good hands with author Chris Shiflett, an internationally-recognized expert in the field of PHP security. Shiflett is also the founder and President of Brain Bulb, a PHP consultancy that offers a variety of services to clients around the world.

Détails sur le produit

  • Format : Format Kindle
  • Taille du fichier : 514 KB
  • Nombre de pages de l'édition imprimée : 130 pages
  • Utilisation simultanée de l'appareil : Illimité
  • Editeur : O'Reilly Media; Édition : 1 (13 octobre 2005)
  • Vendu par : Amazon Media EU S.à r.l.
  • Langue : Anglais
  • ASIN: B0026OR358
  • Synthèse vocale : Activée
  • X-Ray :
  • Word Wise: Non activé
  • Moyenne des commentaires client : 4.5 étoiles sur 5  Voir tous les commentaires (2 commentaires client)
  • Classement des meilleures ventes d'Amazon: n°189.809 dans la Boutique Kindle (Voir le Top 100 dans la Boutique Kindle)
  •  Souhaitez-vous faire modifier les images ?

En savoir plus sur l'auteur

Découvrez des livres, informez-vous sur les écrivains, lisez des blogs d'auteurs et bien plus encore.

Commentaires en ligne

3 étoiles
2 étoiles
1 étoiles
4.5 étoiles sur 5
4.5 étoiles sur 5
Commentaires client les plus utiles
2 internautes sur 2 ont trouvé ce commentaire utile 
5.0 étoiles sur 5 Un must have 13 janvier 2008
Par Matthieu
Un livre a la sauce oreilly: bien ecrit, efficace, de qualite. celui ci est en plus court et vraiment se focalise sur les problemes qui nous interessent, avec pour chaque type de 'faille securite' un exemple et une explication technique claire.

Un must have pour les developpeurs php.
Avez-vous trouvé ce commentaire utile ?
4.0 étoiles sur 5 bonne synthèse 18 juillet 2014
Par SuN
Format:Broché|Achat vérifié
bonne synthèse, mais on n'apprend pas grand chose de neuf si vous connaissez déjà le sujet. Une mise à jour ne ferait pas de mal.
Avez-vous trouvé ce commentaire utile ?
Commentaires client les plus utiles sur (beta) 4.0 étoiles sur 5  32 commentaires
44 internautes sur 48 ont trouvé ce commentaire utile 
3.0 étoiles sur 5 Good overview of php security matters 2 novembre 2005
Par John A. Suda - Publié sur
You would think that with all of the books being published recently about PHP that everyone and his mother is writing PHP code. This may be true, but even if it is not, it is certain that many people and businesses are using PHP code, in concert with other applications like MySQL, to produce dynamic web sites. This is all well and good because PHP is a high-quality coding language especially well-suited to web applications. It is also open-source, meaning well-supported by a community of coders and developers and cost-free. The one problem is that, like all coding languages, poorly designed or written PHP applications can be security risks potentially allowing Internet miscreants to cause damage to web servers, hosts, and users. It appears to be the case that there are many, many instances of insecure PHP code in use, hence, the value in a targeted book on PHP security, like "Essential PHP Security", by Chris Shiflett.

The author is an internationally-known and accomplished expert on PHP security. He is the founder of the PHP Security Consortium, a group of volunteers who help educate the PHP community, and a well-known contributor to the PHP-general mail digest. The book is designed to provide security information and guidelines and explain the most common types of attacks and how to prevent or repel them.

"Essential PHP Security" is a slight volume of only 109 pages, including index. Shiflett wastes no time and immediately jumps into his topic, starting with his opinion on the use of the PHP concept of "register globals", a configuration setting which he recommends against using in favor of "superglobal arrays". He next turns to how to configure your web server setup to properly deal with error reporting, both for the developer's use and to prevent providing clues to any interloper trying to illegally access your site.

The balance of Chapter 1 itemizes general principles of Internet security: Defense in Depth - redundantly using more than one technique to secure your site; Least Privileges - writing code to minimize access to the least needed for any particular user's needs; Simple is Beautiful - the writing of clear, simple code, to make troubleshooting and auditing easier; and Minimize Exposure - taking steps to design and implement programs to eliminate or at least minimize display of sensitive data or code - don't even store credit card information unless absolutely necessary, he suggests.

Next, comes "Best Practices" - balancing risk vs. usability, keeping track of data, filtering of all input, escaping output, and in all cases, distinguishing between filtered and tainted data. These principles and practices are illustrated with short code snippets comparing insecure vs. more secure code.

The next seven chapters deal with specific elements of a website, the types of attacks that can occur with each, and tips and suggestions on how to deal with these attacks. These elements include vulnerabilities in forms and URLs, databases and SQL, sessions and cookies, PHP "include" files, files and commands, authentication and authorization, and shared hosting.

The author credibly describes by examples the types of attacks against forms and URLs - cross-site scripting, cross site request forgeries, spoofing of forms, and insecure Raw HTTP requests. Authentication attacks include dictionary attacks, password sniffing, replay attacks, and cookie stealing. For each, he briefly describes how the attacks work, shows examples of insecure code, and provides examples of secure code.

For each of the elements dealt with, the author follows the same model: describe briefly the types of attacks against each element, show conventionally-used insecure code, and show how to eliminate the insecure parts of the code. Most of the security defenses entail filtering data from outside sources, especially form input, email, and XML documents from other web applications. Other defense techniques include using SSL for encrypted data transmissions, strengthening identification methods, hard-coding file paths, and using token techniques in addition to PHP encryption functions. Interestingly, Schiflett believes it is impossible to achieve a high level of security in a shared hosting situation. He provides suggestions on what security measures will help the most.

What is most useful about this book is the aggregation in one place of descriptions of all of these security attacks, and vulnerabilities in PHP code, along with suggestions on dealing with them. The organization of the material is good, however. I believe the author falls short in his code examples. There appears to be a disconnect between the descriptive text (which is clear enough) and the examples, which are not, at least to me, a novice in PHP. I could not readily follow the detailed code segments, although I could understand in principle what was going on.

Some of the code segments were barely explained and some were inadequately explained. The concepts of the attacking techniques were understandable, but the detailed implementations were not. There are a small handful of illustrations, but I found them too simplistic and inadequate. To be fair, this may be a failure of the reviewer. More experienced PHP folks may not complain about the presentations. For them, this book gives them what they need to know about handling the security aspects of their applications, but my guess is that it is the less accomplished coders who need the most help (although those same people are probably writing the types of applications and sites least likely to be targeted by miscreants.)

There are three short appendices presenting suggestions on how to configure a PHP installation to minimize weaknesses, suggestions about avoiding certain powerful PHP functions, especially system commands, to minimize risk, and a short segment on cryptography features in PHP.
16 internautes sur 16 ont trouvé ce commentaire utile 
2.0 étoiles sur 5 I wanted so much to love this book 31 décembre 2008
Par Castlebravo - Publié sur
I really wanted to write a glowing review of Mr. Shiflett's book, Essential PHP Security, but I can't help but dissapointed by the weaknesses.

The author's blog ([...]) and PHP security website ([...]) are good sources of information on PHP security and web creation in general. With the wisdom hinted at via his websites, I looked forward to more in depth insights and specifics in his book. Unfortunately for Mr. Shiflett, writing a book is not like writing 'bites' for a blog or marketing yourself as experienced and knowledgable. This book reads like an anthology of blog articles and seminar presentations and that weakness kills what should otherwise really be an essential text.

As another helpful reviewer pointed out, this book is a not appropriate for new PHP programmers. That reviewer also noted that it is precisely new initiates to PHP that need these lessons the most. The protective measures suggested in the book are presented superficially. The author highlights the vulnerability, but then only hints at a protective measure by providing a code snip-it which totally lacks context. Most novice readers expect examples of how to apply and integrate the suggested technique effectively and efficiently within the basics they already know.

Mr. Shiflett writes in his acknowledgements, "Written during one of the busiest years of my life ... [the people at O'reilly] have gone out of their way to make the entire process fit around my writing style and busy schedule."

Smoking gun?

For a full price book, the author had room, but perhaps not the desire to provide more substance. Concise does not have to be superficial. The book's main content is 85 pages -- followed by three appendices between pages 87 and 103. The index runs between pages 105 and 109. Substantive implementation details are missing and should have been included.

For example, in chapter 1 and later in chapter 2, the author recommends filtering input by identifying input, filtering the input, and distinguishing between filtered and unfiltered (tainted) data. This recommendation is explicitly explained twice in the book and repeated throughout. If you expect any examples demonstrating this in practical use, there are none. If you expect a class that exemplifies a way you might integrate this technique with your exsisting code, there is none. In other words, if you want to learn even remotely by example, you may be disappointed by this book.

As a last note, Appendix C talks briefly about cryptography in PHP. Based on this book, cryptography does not appear to be one of the author's strong areas of knowledge. For new PHP programmers who also work with SQL, Mr. Shiflett gives you just enough information to frustrate you (at best -- or hang yourself at worst). The author lists a number of other books and websites about cryptography on the first page of the Appendix. That is his best advice. Also take a look at [...] as an information resource.

In sum, I don't argue with the value of the hints Mr. Shiflett provides in his book, but this book is weak on substance and does not provide the examples necessary to teach the reader that the suggestions are practical for real implementation. Perhaps instead of this book, the many authors of the "How to PHP and MySQL" clone books need to integrate and implement these protective measures in their texts right from the start. Unfortunately, Mr. Shiflett's book does not bridge the existing gap. If you buy this book, expect to be searching other books and the web for ways to effectively and efficiently perform the tasks the author recommends. If you already know how to implement the measures, you probably did not need this book in the first place.
10 internautes sur 10 ont trouvé ce commentaire utile 
4.0 étoiles sur 5 Good overview of PHP security issues to date 23 novembre 2005
Par Sam - Publié sur
This long awaited work from who many refer to as the guru of PHP security is finally out.

I must say though, when it arrived in the mail, I was a bit surprised by the package. Rather than the typical book box you get, it was in a padded envelope and upon opening the package I saw that the book was a mere 109 pages (with appendices starting on page 87).

As I began to read the book, I started to realize some of the reasons for the small size. Chris stays completely on topic with PHP security and doesn't meander into subjects such as Linux server administration and security, which other (larger) texts do to quite a large extent. I acually went to another PHP security text I had recenty read, and if I took out the sysadmin sections, it left about the same amount of pages as Chris's book. Also Chris's approach to PHP security seems to be a very 'keep it simple one'. He doesn't get into elaborate security frameworks and application layers. He simply defines a PHP security issue, and provides a strait forward and simple solution for the problem. I agree with this approach since over engineering a solution, breeds complexity and complexity can easily mask, you guessed it, "security issues".

I would say what I liked most about this book is that he brought to light the security concerns when running on a shared host. I think this topic if very often neglected on the majority of PHP security articles and texts even though many of us use shared hosting due to how cheep it is. Chris devotes an entire chapter to the situation and clearly explains the vast security risks that come with shared hosting and gives examples of how to mitigate the risks.

I would actually recommend this book to just about any PHP programmer for the simple fact that it is a great catalog of PHP security risks to date and offers simple solutions to counter those risks. Since it is a quick read it is an excellent way to quickly see if you have your bases covered when it come to security of your PHP app. Some of the examples are a bit brief, but the fact that you have read Chris's book and been alerted to the security issue is the real value in the end. You can always go to [...] or other sites for expanded examples.

"Knowing is half the battle"

GI Joe
17 internautes sur 19 ont trouvé ce commentaire utile 
5.0 étoiles sur 5 Essential Indeed 24 octobre 2005
Par R. Peake - Publié sur
This book helped me identify and report a critical security vulnerability in a commercial third party PHP application we were planning to deploy in a business-critical fashion. For that alone, it was worth its weight in gold.

This books is the antidoe to the common misperception that PHP applications fall short on security. With sparkling clarity, Chris demystifies dozens of attacks and provides both solid theoretical and practical bases for coding securely in PHP. Throughout his work as a PHP security consultant, and culminating in this book, Chris has defined the lexicon for web security -- telling us precisely what it means to filter input, and precisely what it means to escape output -- as well as when, how and why. This is nothing short of a defining work on web application security as it applies specifically to PHP.

While this book does not cover using encoders (like the Zend Encoder or IonCube Encoder) to heighten security in a plain-text scripting language, every other topic you would expect to be covered is treated -- above all -- with accuracy, and all in just over a hundred pages. Where other authors might potificte to fill pages, Chris crafted this book to live up to its title -- it is indeed essential, distilled, and precise. Therefore there is little excuse from this point on to not have read it at least once, and thumb through it from time to time when developing or auditing a PHP application. I intend to make it required reading in my department, and recommend it highly to colleagues in other companies developing web applications in PHP.
9 internautes sur 10 ont trouvé ce commentaire utile 
5.0 étoiles sur 5 Essential Security & Good Practices 8 novembre 2005
Par Justin Koivisto - Publié sur
This is the first technical book that I have read that doesn't obscure the topic with trivial details or complicated sentence structures with phrasing that is hard to follow. The thing I like best about the book is that it introduces a technique in detail and uses it throughout the book. Because every chapter refers back to the original "filter input, escape output" theme coupled with defense in depth, it forces the user to concentrate on a single, simple method and apply it to many different situations.

The example code segments in the book illustrate specific points described in the copy very well. Keeping the code examples simple only strengthens its meaning since the reader is not forced to analyze the code. Additional comments in the examples may be helpful for inexperienced developers.

In addition providing insight on filtering input and escaping output, Chris also gives the reader insight to a very helpful way of dealing with the filtered/escaped data within the code. This method is illustrated in all the examples, and as the reader notices it used throught the book they can learn its usefulness by example.
Ces commentaires ont-ils été utiles ?   Dites-le-nous
Rechercher des commentaires
Rechercher uniquement parmi les commentaires portant sur ce produit

Discussions entre clients

Le forum concernant ce produit
Discussion Réponses Message le plus récent
Pas de discussions pour l'instant

Posez des questions, partagez votre opinion, gagnez en compréhension
Démarrer une nouvelle discussion
Première publication:
Aller s'identifier

Rechercher parmi les discussions des clients
Rechercher dans toutes les discussions Amazon

Rechercher des articles similaires par rubrique