About the Author

Chris Shiflett

Hi, I’m Chris: web craftsman, community leader, husband, father, and partner at Fictive Kin.

Essential PHP Security Is Finished!

A little over a month ago, I finally finished writing Essential PHP Security, a guide to secure PHP programming that I've been working on in my spare time for quite a while.

I'm really happy with the results. The people at O'Reilly have been great to work with, and I was lucky enough to have some of the best technical reviewers an author could ask for (Adam, David, George, and John). The result is a lean 150-page guide that covers what I feel are the most important topics with which a PHP developer should be familiar.

The book is due to be published in October (in time for the Zend PHP Conference and Expo), but you can buy it from Amazon today. As Adam jokingly suggests in his infamous email signature, "avoid the holiday rush - buy your copy today!"

I focus on Apache and MySQL, but the principles apply to any platform. In fact, web developers using languages other than PHP might learn something. I hope so. :-)

Each chapter focuses on a specific category of PHP development, and you are shown the most common and dangerous attacks associated with that particular category. Here is the final table of contents:

    Foreword by Andi Gutmans

1. Introduction
    PHP Features
        Register Globals
        Error Reporting
        Defense in Depth
        Least Privilege
        Simple Is Beautiful
        Minimize Exposure
        Balance Risk and Usability
        Track Data
        Filter Input
        Escape Output

2. Forms and URLs
    Forms and Data
    Semantic URL Attacks
    File Upload Attacks
    Cross-Site Scripting
    Cross-Site Request Forgeries
    Spoofed Form Submissions
    Spoofed HTTP Requests

3. Databases and SQL
    Exposed Access Credentials
    SQL Injection
    Exposed Data

4. Sessions and Cookies
    Cookie Theft
    Exposed Session Data
    Session Fixation
    Session Hijacking

5. Includes
    Exposed Source Code
    Backdoor URLs
    Filename Manipulation
    Code Injection

6. Files and Commands
    Traversing the Filesystem
    Remote File Risks
    Command Injection

7. Authentication and Authorization
    Brute Force Attacks
    Password Sniffing
    Replay Attacks
    Persistent Logins

8. Shared Hosting
    Exposed Source Code
    Exposed Session Data
    Session Injection
    Filesystem Browsing
    Safe Mode

A. Configuration Directives

B. Functions

C. Cryptography

I plan to launch a companion web site in time for the book's publication, and I will post code samples (I created a few utilities in order to demonstrate some attacks) and aggressively keep up with any errata that are discovered.

Now, I can finally start contributing to other things again. :-) I hope you enjoy the book, and I hope it helps.

About this post

Essential PHP Security Is Finished! was posted on Sat, 10 Sep 2005.


1. Jason Sweat said:

Congratulations Chris!! I know you have to have a great sense of satisfaction from completion of this project, and probably even more so when you hold the real thing in your hands.

May you have much success with your book, and hopefully help people to build a more secure internet :)

Sun, 11 Sep 2005 at 03:36:42 GMT

2. Paul Reinheimer said:

Dude, your book is really short. What took so long? I don't feel bad being so far behind with mine anymore.

Sun, 11 Sep 2005 at 05:21:58 GMT

3. Joe Grossberg said:

Congrats, but ...

I agree with Paul's assessment if the Amazon details are accurate: a cover price of $39.95 for just 128 pages?

(Yes, I realize it's an apples-and-oranges comparison with Wrox, given their lengthy code samples.)

Is it going to be available on safari.oreilly.com?

Sun, 11 Sep 2005 at 11:09:13 GMT

4. Christian Wenz said:

Congratulations!! :-)

Sun, 11 Sep 2005 at 11:44:36 GMT

5. Steve Mallett said:

Grats! What a weight off your shoulders.

Sun, 11 Sep 2005 at 13:01:29 GMT

6. Matthom said:

Cool... I might pick up a copy. Sounds like an interesting topic.

Sun, 11 Sep 2005 at 13:27:27 GMT

7. Joe Grossberg said:

Let me follow up by emphasizing the "congrats" part. I don't want you to think I'm raining on your parade; just giving feedback.

Sun, 11 Sep 2005 at 13:40:43 GMT

8. Chris Shiflett said:

Thanks, everyone. :-) Yes, it is a relief to be finished.

Paul and Joe, I aim for quality, not quantity. That might be a tired cliche, but it applies here. It is challenging to keep a book very tight and focused, and that was my goal from the beginning. I wanted the highest value to page count ratio I could deliver.

If people make the effort to read what I've written, I want to make sure not to waste their time. That's the least I can do, and readers should demand that.

I also think security is a neglected topic within our community, and I want to encourage people to actually read this book instead of displaying it proudly among their other tomes on the shelf. I want this one to be on desks, in backpacks, and even on the back of the toilet. :-)

Sun, 11 Sep 2005 at 13:48:31 GMT

9. G Wild said:

Outstanding, and congratulations.

Hmm - I previously saw a slideshow which I thought showed a slightly different creature on the front cover. I must be getting old. :)

Sun, 11 Sep 2005 at 14:06:34 GMT

10. Joe Grossberg said:

Oh, no doubt.

I'm just saying that this is going on the company Amex, not my personal Visa.

I might get it on O'Reilly, though.

Mon, 12 Sep 2005 at 00:37:28 GMT

11. Luke S. K. said:

Grats on the release, Chris! I'm looking forward to my copy arriving at my doorstep. :)

Mon, 12 Sep 2005 at 13:32:18 GMT

12. David said:

Congrats, Chris!

Mon, 12 Sep 2005 at 13:43:58 GMT

13. Robert said:

Congratulations, Chris! This is no small accomplishment.

And now the important question: Is that a Komodo dragon? Did you draw it yourself? ;)

Tue, 13 Sep 2005 at 16:53:22 GMT

14. David Coallier said:

Congrats Chris :) I know you worked hard on that!

Glad to see it's out! :)

Tue, 13 Sep 2005 at 18:52:42 GMT

15. Ben Ramsey said:

Congratulations, Chris!

I imagine it's no small coincidence that O'Reilly used a dragon on the cover. ;-)

Wed, 14 Sep 2005 at 19:09:18 GMT

16. Ammar Ibrahim said:

Hats off. You did it again! Well done, man.

Thu, 15 Sep 2005 at 01:42:17 GMT

17. Aaron Wormus said:

Congratulations! So, how are you going to get rid of your extra copies?

You know, we never found out what that Shiflett Clock was all about...

Tue, 04 Oct 2005 at 18:26:27 GMT

18. Paul Reinheimer said:

Hey, some of us solved that clock!

Tue, 04 Oct 2005 at 21:39:23 GMT

19. Ian Leckey said:

Well done on finishing the book. Can't wait to have a read.

Thu, 27 Oct 2005 at 12:18:22 GMT

20. Golf Guy said:

Congratulations! Can't wait to get a copy of your book. Looks like a GREAT READ!

Wed, 11 Jan 2006 at 22:23:32 GMT

21. Ian Leckey said:

Hi again, just bought the book not so long ago. I just have to say well done... it's a good read with some very useful tips.

Mon, 20 Feb 2006 at 10:15:02 GMT

22. khalid said:

Hi Chris, I have just read this book. It's quite good. I also think it may be more explanatory than it is right now, but still, this effort of yours is "best" as of now. I expect more from you on the same topic very soon.

Thanks :)

Mon, 31 Jul 2006 at 07:28:40 GMT
