About the Author

Chris Shiflett

Hi, I’m Chris, a web craftsman making things like Mapalong & Brooklyn Beta with my friends at Analog.


Essential PHP Security Lives!

I just received my copy of Essential PHP Security, which means it should be on shelves within a few days. I'm very happy with it, especially the size. Apple's iPod nano isn't the only thing that's impossibly small. :-)

A sample chapter will be available soon from MySQL's Developer Zone, and another chapter is already available from O'Reilly:

I hope you enjoy it. Please buy a copy. :-)

About this post

Essential PHP Security Lives! was posted on Fri, 14 Oct 2005 at 16:01:48 GMT.

16 comments

1. Tristan Perry said:

I've got my book pre-ordered (Released in November in the UK). I can't wait to read it, I've always been interested in PHP's security although I hadn't found any good books on it, until now!

The sample chapter looks good, a nice taster of what the book will be like hopefully.

Fri, 14 Oct 2005 at 17:52:51 GMT


2. Dan Scott said:

The cover looks great, Chris -- and I like the catchphrase. I'm sure the contents are just as clever.

Congratulations!

Fri, 14 Oct 2005 at 18:12:23 GMT


3. Jim Allen said:

I just preordered a copy. I should receive it in mid December. If it is as good as the content you share with us on this site, it will be great!

Fri, 14 Oct 2005 at 20:35:44 GMT


4. Trevor said:

Order Date: September 11, 2005

Recipient: Trevor Turk

Items not yet shipped:

Delivery estimate: November 15, 2005

1 of: Essential PHP Security

:(

Perhaps it will get shipped sooner - but I can't wait. Not to brown-nose too much, but I really really appreciate your writing style. I find the way you explain the issues - instead of just throwing out chunks of code - to really help me get a grasp on the problems that are being discussed.

Fri, 14 Oct 2005 at 22:45:53 GMT


5. GWild said:

I preordered this in September, and it looks like mid December is the delivery window.

It will go well with the FIEO/phpsec.org shirt I purchased from cafepress....

Sat, 15 Oct 2005 at 13:47:11 GMT


6. Ammar Ibrahim said:

I'm waiting for my copy :) it should be here anytime soon. Will try my best to write a review!

Sun, 16 Oct 2005 at 02:54:34 GMT


7. Chris Shiflett said:

Trevor, thanks a lot for the compliment. I really appreciate it.

Regarding that delivery estimate, perhaps it has something to do with Amazon originally listing the publication date as 01 Nov (it now shows 01 Oct, which is also not quite right, but closer). I expect Amazon to have some in stock within days.

Sun, 16 Oct 2005 at 03:24:35 GMT


8. Stefan said:

Gotta dig out the discount code for O'reilly. Got to have this :)

Mon, 17 Oct 2005 at 07:31:53 GMT


9. Tatiana Apandi said:

If you like what you read, please blog about it and post a review on Amazon. If you don't like it--are you crazy??--please email me (tatiana@oreilly.com) and let me know what we could have done differently. Thanks!!!

PS Chris, still hooked on the pumpkin spice lattes. And, you're right, they stain.

Wed, 19 Oct 2005 at 14:00:38 GMT


10. Richard Lynch said:

Great work, as always!

"To avoid this unnecessary exposure [Cookies sent for images], you might consider serving all embedded resources from a server with a different domain name."

It may be more practical for more users on inexpensive hosts to put their session/protected content in a different sub-directory, and then tie the Cookie to only that sub-directory, while keeping the images (et al) in a different directory not under the session/protected directory.

Many inexpensive hosts don't make it easy to add/manage sub-domains and tie them to different directories.

But you can always do:

/session -- all session-oriented pages

/images -- images needed for session-oriented pages

If your Cookie is sent only for the "/session" directory, rather than the default "/", then the images won't be getting the unneeded Cookie.

Just an idea for my fellow cheap-skates :-)

For the next edition, I'd also suggest pointing out that Session data on a shared server is particularly vulnerable if it is not encrypted.

Thu, 20 Oct 2005 at 22:44:13 GMT
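The directory trick Richard describes works because a browser only attaches a cookie to requests whose path "path-matches" the cookie's path attribute (RFC 6265, section 5.1.4). The following is an added example, not code from the post or the commenter: it implements that matching rule and reports which of a few constructed request paths would carry a PHPSESSID cookie under the default path "/" versus the narrowed path "/session". The PHP-side setting that produces the narrowed cookie is session.cookie_path (or session_set_cookie_params), as assumed in the comment at the bottom.

```python
from typing import Dict, List

# RFC 6265 section 5.1.4 path-match: the cookie path must be a prefix of the
# request path, and either the cookie path ends in "/" or the next character of
# the request path is "/". The second clause is what keeps a cookie scoped to
# "/session" from being sent to "/sessionx/...".
def path_matches(cookie_path: str, request_path: str) -> bool:
    if cookie_path == request_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    if cookie_path.endswith("/"):
        return True
    return request_path[len(cookie_path)] == "/"


# For each request path, say whether the session cookie would be attached.
def cookie_exposure(cookie_path: str, request_paths: List[str]) -> Dict[str, bool]:
    return {p: path_matches(cookie_path, p) for p in request_paths}


# Which request paths receive the cookie although they serve no session logic
# (here: anything outside the "/session" tree).
def leaked_to(cookie_path: str, request_paths: List[str]) -> List[str]:
    return [p for p, sent in cookie_exposure(cookie_path, request_paths).items()
            if sent and not path_matches("/session", p)]


# Constructed sample requests for one page load: the session page itself plus
# the static resources it embeds, and a sibling directory with a similar name.
SAMPLE_REQUESTS = [
    "/session/index.php",
    "/session",
    "/images/logo.png",
    "/images/header.gif",
    "/sessionx/other.php",
]

if __name__ == "__main__":
    # Default PHP setting (session.cookie_path = "/"): every request carries it.
    print("path=/        ->", cookie_exposure("/", SAMPLE_REQUESTS))
    # Narrowed setting (session.cookie_path = "/session"): images are left out.
    print("path=/session ->", cookie_exposure("/session", SAMPLE_REQUESTS))
    print("leaked with default path:", leaked_to("/", SAMPLE_REQUESTS))
```

With the default path every one of the five sample requests carries the cookie; with path "/session" only the two requests under /session do.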


11. Dean Wood said:

Just received my copy but haven't read it yet.

http://phpsecurity.org/ is a little disappointing, however - will this page be expanded to include code downloads?

Mon, 07 Nov 2005 at 09:14:24 GMT


12. Chris Shiflett said:

Yes, the companion web site will include at least code downloads and errata. I have plans for other features, too - I just need to finish it.

Mon, 07 Nov 2005 at 15:29:49 GMT


13. Matthijs said:

Hi Chris,

My compliments for the book. If I have some more time I'll place a review on amazon too, but for now:

- Very clear writing style. That's one thing that's really important, especially with this subject.

- To the point. No long stories or ramblings, just straight to the most important potential problems and solutions for them.

- The book makes the underlying problems very clear.

- The message of the book: filter input, escape output and defense in depth is really clear

These are all very positive points. I have read some other recently released php security books but those are a lot harder to read and digest (and therefore hard to learn from).

The only constructive critique/suggestion I would like to give:

- As a (relative) beginner I would like to see more examples of how to implement the principles and solutions in applications. I understand it's more important to understand the underlying principles and then be able to apply those yourself. But still, some more examples would be helpful. Maybe a good idea for a follow-up to the book: "How to build secure apps"?

For example, the example given in the security guide PDF about the simple but safe message board was really helpful.

Thanks again, I really appreciate all your efforts!

Matthijs

Thu, 10 Nov 2005 at 08:07:23 GMT


14. Chris Shiflett said:

Hi Matthijs,

Thanks so much for the feedback. I'll be launching PHPSecurity.org (the companion web site) in a few days, and I can try to include more examples there.

Wed, 23 Nov 2005 at 03:08:54 GMT


15. Dean Wood said:

What's happened to the code? Bit sloppy just putting # into a link. If you haven't done it yet, say so!

Sun, 04 Dec 2005 at 21:15:40 GMT


16. Chris Shiflett said:

Hi Dean,

I'm glad you're so eager! :-)

The companion web site still isn't quite finished, but the code is available here:

http://phpsecurity.org/code

I'll be making an announcement within the next few days once everything is polished and ready to go.

Mon, 05 Dec 2005 at 03:10:56 GMT

