About the Author

Chris Shiflett

Hi, I'm Chris, a web developer and a founding member of Analog. I live and work in Brooklyn, NY.


PHPSecurity.org Launches

PHPSecurity.org, the companion web site for my new book, Essential PHP Security, is now online. Many thanks to Amy Hoy for the excellent design!

I've included the table of contents, the (unfortunate) errata, some reviews, and the code repository.

Some of the examples in the code repository might raise ethical concerns, but I tried to be very careful not to provide full-featured tools that script kiddies can use. For example, the session injection script only lets you modify strings and is split into two separate examples (edit.php and inject.php), and the script to let you browse the filesystem is very basic. I've considered enhancing these to make them more useful (and more robust), but I fear they would be misused. What do you think?

The reviews have been very good. I'm happy to see that so many people appreciate the book's small size and focus. Thanks to everyone who has taken the time to record your thoughts. I really appreciate it!

Several people have asked how the book is selling, and I honestly don't know. It has frequently been on Technorati's Popular Books list as well as in the top 10 PHP books on Amazon. I haven't found a really good site for tracking the Amazon Sales Rank, but Rankforest isn't bad (and they use PHP). Anyone have any better suggestions?

The sample chapter for MySQL's Developer Zone still hasn't been posted, but hopefully that will happen soon. Until then, you can read Chapter 4, Sessions and Cookies (PDF) or get your own copy. :-)

About This Post

PHPSecurity.org Launches was posted on Wed, 07 Dec 2005 at 03:02:51 GMT.

7 Comments

1. Robert said:

I think it's great that you give such consideration to ethics before posting code that could be used by script kiddies. Such thinking seems all too rare in a culture that rewards shock value, though among serious security professionals a strong ethical standard is required for a good reputation. Congrats on the launch of the site!

Wed, 07 Dec 2005 at 07:05:09 GMT


2. Sipke Jan Sangers said:

Hey

I've been reading this site for a while now and I think it's very interesting. After reading chapter 4, which had a lot of things you also have in the articles section, you mentioned a couple of ways for security. You said one has to find the balance between security and reliability. I was wondering if you can't just combine all the security measures together, referring to using a token and using the User-Agent.

At the moment I made my own session_set_save_handler.

I'm thinking about adding encryption to that. Furthermore I use the User-Agent check and a form token. I have several PHP files and use POST to get the information users may have inserted. Do you think my site would be safe?

Anyway I think you're doing really great work and I wouldn't mind seeing more of Guru Speak, which was also very interesting. It's probably long gone from your agenda, but I just wanted to say it.

-Sipke Jan Sangers, NL

Wed, 07 Dec 2005 at 08:02:38 GMT


3. Chris Shiflett said:

Hi Robert,

I understand what you mean about some security "professionals" being interested in shock value.

In this case, I think the ethical boundaries are fuzzy. With better tools, security-conscious PHP developers would benefit, but so would potential attackers. I'd really like to enhance some of the examples from the book, but I'm not sure where the best balance lies. In the end, I just want to help people.

Thanks for the congrats. :-)

Wed, 07 Dec 2005 at 20:56:08 GMT


4. Chris Shiflett said:

Hi Sipke,

Regarding the balance between security and reliability, I might have been unclear. In that particular instance, I was pointing out that using a token based on the User-Agent header is less reliable than one randomly generated. There are some ways around the reliability problems (and they only affect a very, very small fraction of users), but I didn't want to distract readers from the topic at hand.

You could enforce User-Agent consistency and use a randomly generated token, but this offers no additional protection over using a token based on the User-Agent header. In both cases, an attacker must accomplish three things in order to successfully hijack a session:

1. Present a valid session identifier.

2. Reproduce the User-Agent header associated with that session.

3. Reproduce the token associated with that header.

It sounds like you're definitely on the right track with your security safeguards. Just make sure to consider security a process. Ilia had a good quote in a recent security talk:

"A good measure of a secure application is its ability to predict and prevent future security problems before someone devises an exploit."

Thanks very much for your kind words. Guru Speak is still being published regularly in PHP Magazine. I'm behind on posting the articles to my web site, but I'll try to catch up soon. :-)

Wed, 07 Dec 2005 at 21:04:57 GMT
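The three hurdles Chris lists above (valid session identifier, matching User-Agent, matching token), as an added example in PHP that is not code from this post or from Essential PHP Security: a User-Agent fingerprint is stored in the session and a random token is carried in a second cookie, and a request is accepted only when the session, the fingerprint and the token all check out. The secret key, the cookie name and the redirect target are placeholders, and the code assumes PHP 7.3 or later (random_bytes, hash_equals and the array form of setcookie).

```php
<?php
// Added example, not the book's or the post author's code. Assumes PHP 7.3+.
// SECRET_KEY, TOKEN_COOKIE and /login.php are placeholders to adapt.

const SECRET_KEY   = 'replace-with-a-long-random-secret-kept-outside-the-web-root';
const TOKEN_COOKIE = 'tok';

// Fingerprint the User-Agent with an HMAC under a server-side secret, so an
// attacker who learns the victim's User-Agent still cannot compute the value
// stored in the session without the secret.
function ua_fingerprint(string $userAgent): string
{
    return hash_hmac('sha256', $userAgent, SECRET_KEY);
}

// Called once at login, after session_regenerate_id(true). Records the
// fingerprint in the session and hands a fresh random token to the browser
// in a cookie separate from the session cookie.
function session_bind(string $userAgent): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $_SESSION['fingerprint'] = ua_fingerprint($userAgent);
    $_SESSION['token']       = $token;
    setcookie(TOKEN_COOKIE, $token, [
        'httponly' => true,   // keep it away from script access
        'secure'   => true,   // never send it over plain HTTP
        'samesite' => 'Lax',
        'path'     => '/',
    ]);
    return $token;
}

// Called on every request after session_start(). True only when the session
// already carries a binding, the User-Agent fingerprint matches, and the
// presented token matches. hash_equals() keeps the comparison constant-time.
function session_verify(string $userAgent, ?string $presentedToken): bool
{
    if (!isset($_SESSION['fingerprint'], $_SESSION['token'])) {
        return false;   // no binding recorded: treat as unauthenticated
    }
    $uaOk    = hash_equals($_SESSION['fingerprint'], ua_fingerprint($userAgent));
    $tokenOk = $presentedToken !== null
            && hash_equals($_SESSION['token'], $presentedToken);
    return $uaOk && $tokenOk;
}

// Typical use at the top of a protected page.
session_start();
$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
if (!session_verify($ua, $_COOKIE[TOKEN_COOKIE] ?? null)) {
    // Destroy the suspect session rather than silently continuing with it.
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php');
    exit;
}
```

Two caveats worth keeping in mind. First, because the token here travels in a cookie, anything that exposes the session cookie (cookie theft via XSS, an unencrypted hop) usually exposes the token too; the extra factor mainly raises the bar against guessed or fixated session identifiers, and carrying the token over a different channel than the session ID is what makes the two genuinely independent. Second, the User-Agent check is the one that costs reliability, as the reply above notes: any client or proxy that changes the header mid-session will be logged out, so log such mismatches before deciding how strictly to enforce them.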


5. Chris Shiflett said:

Wow, a friend just pointed out that PHPSecurity.org has been posted to del.icio.us more than 40 times already:

http://del.icio.us/url/e5a3201fa1f1...b1571aec20f803a

According to populicio.us, it's the 18th most popular new site today.

Very cool. :-)

Thu, 08 Dec 2005 at 06:07:06 GMT


6. Nima said:

Hi, I've just received my copy of your book. Because I'm living in Iran, I couldn't order it normally. :( Thanks to my friend in Hungary who bought the book and sent it to me. :)

Also, I read your great articles every month in php|arch and am very pleased that you decided to put all those great things together and form a must-read resource on PHP security.

I'm very excited reading your great solutions about securing my PHP web apps.

Thanks my guru. ;)

Fri, 09 Dec 2005 at 05:21:46 GMT


7. steven romej said:

Chris, I like the site and have enjoyed the sample chapter on sessions. Thanks for trying Rankforest. I'm working on a new version of the site and would appreciate any feedback or suggestions (better charts, data exporting...)

Thanks

Sat, 10 Dec 2005 at 03:17:38 GMT

