A book every PHP developer should read

PHP applications are often hacked because:

There are too many PHP applications.

It is easy to learn and write.

Bad PHP is also easy to write.

It's that simple. PHP has been popular for years, and the more popular it gets, the more vulnerabilities are found in PHP applications. Those vulnerabilities are rarely in the PHP engine itself; almost always they are weaknesses in the scripts written on top of it.

This means that when a PHP application is hacked, it is usually the programmer's fault. Sorry, but that's the truth.

You can write secure PHP just as you can write secure code in any other web language. It's time to start taking security seriously.

The best protection against PHP hacks

Writing secure PHP is not a black art hidden from PHP developers, but the knowledge is so fragmented that you can spend weeks or months collecting good security practices from scattered blog posts and checklists. Often only real-world experience teaches you how important it is.

Luckily, Ben Edmunds has done that work for you. He recently published Building Secure PHP Apps: A Practical Guide, one of the best security books I have ever read, and certainly the best one that covers PHP specifically. In this article I explain why I think every PHP developer should read it.

It is a concise guide that takes you to the next level as a developer, writing better and more secure scripts.

Brief introduction

The book gets straight to the cardinal rule of web development: never trust your users, filter all input. It opens with a short scenario, then moves on to the technical ways users can abuse a system. The first chapter covers:

SQL injection

Mass assignment

Type conversions

Filtering input and output

These are the areas that novice PHP developers (and some veterans) most easily overlook. Many treat input filtering as an optional step, and this chapter discusses it at length.

Reading it reminded me of my first day at a job years ago, when I dug into the existing code and found this in the script that created new users:

if ($_POST["isadmin"] == 1) { /* code to set the user as admin in the database */ }

When I saw this code I panicked: this was a live script, and a malicious user only had to guess one simple form variable and insert it to gain access to about 5,000 credit card numbers and other personal information.

Digging deeper, I found the following:

$sql = "INSERT INTO database (Id, name, ...) VALUES ('" . $_POST["Name"] . "', ...);";

I almost quit that job on the first day because they were relying on this horrible code. But the code is there, you are responsible for changing it, and you have to avoid producing more of it.

This chapter explains why code like this is a huge risk and how to fix it.
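To make the point of that chapter concrete, here is an added example (it is not code from the book or from the original article) that puts the two insecure patterns described above, the admin flag taken from the form and the name concatenated into SQL, next to a hardened version that validates input, takes the privilege decision from the server side and binds parameters. The SQLite in-memory database, the "users" table and its columns are assumptions made so the script runs offline.

```php
<?php
// Added example, not code from the book or from the original article.
// Insecure pattern from the article beside a hardened version. A SQLite
// in-memory database is used so it runs offline; the table name "users"
// and its columns are constructed for illustration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL DEFAULT 0)');

// Insecure: both problems from the article in one function.
// 1. The admin flag is read straight from the request (mass assignment):
//    whoever sends isadmin=1 becomes an administrator.
// 2. The name is concatenated into the SQL text, so a quote character in it
//    changes the statement instead of being stored as data.
function createUserInsecure(PDO $pdo, array $post): void
{
    $isAdmin = 0;
    if ($post['isadmin'] == 1) {     // loose comparison: "1", "1.0" and true all pass
        $isAdmin = 1;
    }
    $sql = "INSERT INTO users (name, is_admin) VALUES ('" . $post['Name'] . "', $isAdmin)";
    $pdo->exec($sql);
}

// Hardened: validate the input, decide privilege from what the server already
// knows about the caller, and bind parameters instead of concatenating.
function createUserSecure(PDO $pdo, array $post, bool $callerIsAdmin): int
{
    // Filter input: a non-empty string of bounded length, nothing else.
    $name = trim((string) ($post['Name'] ?? ''));
    if ($name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('invalid name');
    }

    // Only a caller the server has already authenticated as an admin may grant
    // the role; the form field expresses intent, never authorisation.
    // Strict comparison against the exact string the form sends.
    $wantsAdmin = isset($post['isadmin']) && $post['isadmin'] === '1';
    $isAdmin = ($callerIsAdmin && $wantsAdmin) ? 1 : 0;

    // Prepared statement: SQL text and data travel separately, so the name may
    // contain quotes, semicolons or anything else and is still stored as data.
    $stmt = $pdo->prepare('INSERT INTO users (name, is_admin) VALUES (:name, :is_admin)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':is_admin', $isAdmin, PDO::PARAM_INT);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

// Constructed request: an anonymous visitor who added isadmin=1 to the form
// and whose name happens to contain an apostrophe.
$post = ['Name' => "O'Brien", 'isadmin' => '1'];

try {
    createUserInsecure($pdo, $post);
} catch (PDOException $e) {
    // The apostrophe alone breaks the concatenated statement; a deliberately
    // crafted name would change what the statement does instead of breaking it.
    echo 'insecure version failed: ' . $e->getMessage() . PHP_EOL;
}

$id = createUserSecure($pdo, $post, false);   // the caller is not an admin
$stmt = $pdo->prepare('SELECT name, is_admin FROM users WHERE id = :id');
$stmt->execute([':id' => $id]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
echo "secure version stored name={$row['name']} is_admin={$row['is_admin']}" . PHP_EOL;
```

Run it with the PDO SQLite driver enabled. The insecure function fails on an ordinary Irish surname, which is the same defect that lets a crafted name rewrite the query; the secure function stores the name intact and leaves is_admin at 0 because the request field was never allowed to decide the role.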

HTTPS and certificates

This is another area where Ben mixes code, stories and a little humor with a clear explanation of the often murky concept of HTTPS. The way he explains it, even your boss could understand.

The book gives a thorough description of how certificates work, the different certificate types, and how they are implemented, including deployment on Apache or Nginx.

Passwords

The book carefully explains passwords, hashes, lookup tables and salts, which is incredibly helpful for any developer building a user login system.

This is an area where good practice is still shockingly rare, even in 2014. I still run into apps that store plaintext passwords or protect them with something as silly as ROT13 "encryption" [Note 1]. For the sake of your users and your good name, please don't do that.

Passwords and other sensitive data should be very hard to recover even for someone who has full access to the database. The book is a comprehensive, well-rounded guide to designing such a system.
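The chapter's advice about hashing and salting comes down to a few standard library calls in modern PHP. The following added example (not code from the book or the original article) shows password storage with password_hash() and password_verify(): a random salt per password, a slow hash, and transparent re-hashing when the cost policy changes. The $users array stands in for a database table and the usernames and passwords are constructed.

```php
<?php
// Added example, not code from the book or from the original article.
// Password storage with PHP's built-in password_hash()/password_verify().
// The $users array stands in for a database table; all values are constructed.
declare(strict_types=1);

const HASH_ALGO = PASSWORD_BCRYPT;
const HASH_OPTIONS = ['cost' => 12];   // work factor; raise it as hardware gets faster

// Hash verified for unknown usernames, so a login attempt costs about the
// same time whether or not the account exists (no enumeration by timing).
$dummyHash = password_hash('not-a-real-password', HASH_ALGO, HASH_OPTIONS);

function registerUser(array &$users, string $username, string $password): void
{
    // password_hash() draws a fresh random salt and embeds it in the result,
    // so two users with the same password end up with different hashes.
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function login(array &$users, string $username, string $password, string $dummyHash): bool
{
    $known  = isset($users[$username]);
    $stored = $known ? $users[$username] : $dummyHash;

    // Always run the verification; the salt and cost are read back out of the
    // hash string itself. The result only counts if the account exists.
    $verified = password_verify($password, $stored);
    $ok = $known && $verified;

    // If the policy (algorithm or cost) has moved on since this hash was made,
    // re-hash now while the plaintext is available.
    if ($ok && password_needs_rehash($stored, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return $ok;
}

$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
registerUser($users, 'bob',   'correct horse battery staple');

// Same password, different stored values: a lookup table built for one hash
// says nothing about the other, which is the whole point of a per-user salt.
echo 'alice: ' . $users['alice'] . PHP_EOL;
echo 'bob:   ' . $users['bob'] . PHP_EOL;
echo 'hashes differ: ' . var_export($users['alice'] !== $users['bob'], true) . PHP_EOL;

echo 'alice, right password: ' . var_export(login($users, 'alice', 'correct horse battery staple', $dummyHash), true) . PHP_EOL;
echo 'alice, wrong password: ' . var_export(login($users, 'alice', 'Tr0ub4dor&3', $dummyHash), true) . PHP_EOL;
echo 'unknown user:          ' . var_export(login($users, 'mallory', 'not-a-real-password', $dummyHash), true) . PHP_EOL;
```

Note that the dummy hash is verified but never accepted: the $known check is separate from the verification result, so submitting the dummy's own password for a non-existent account still fails. Someone who dumps the $users table gets only salted bcrypt hashes, which is exactly the property the chapter asks for.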

Authentication and access control

The book's coverage of this area is very thorough. When you build a new PHP application, two of the primary questions are:

Who can access which resources?

Who can control the access of other users?

This matters for every application, and especially for those that handle sensitive data; a considerable share of enterprise development is devoted to it. If you get authentication and access control wrong, the best case is annoyed users and extra work for you. The worst case is a data breach and/or data corruption.

The book covers the basics well, then goes deep into topics such as controlling access to individual pages, files or whole applications, with plenty of code examples to refer to.

Specific attacks

The book covers several common ways systems get compromised and explores cross-site scripting, arguably the most common way attackers exploit an application, in great detail. It explains the different kinds of XSS and how to defend against them.
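The defence the XSS chapter teaches is output escaping matched to the context the data lands in. This added example (not code from the book or the original article) shows the two escapers a PHP page usually needs, for HTML text/attributes and for data embedded in inline JavaScript, applied to a constructed display name that contains markup.

```php
<?php
// Added example, not code from the book or from the original article.
// Escaping untrusted data for the exact context it is written into.
// The $displayName value is constructed for illustration.
declare(strict_types=1);

// HTML text and attribute values: encode <, >, &, " and ' so the browser
// treats the data as characters, not markup. Always name the charset.
function escHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Data embedded in an inline <script>: json_encode with the HEX flags so no
// character in the value can close the string or the <script> element early.
function escJs(string $value): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    return json_encode($value, $flags | JSON_THROW_ON_ERROR);
}

// Constructed untrusted input: a display name containing markup, quotes and
// a closing script tag, the characters each context is sensitive to.
$displayName = '<b>Bob</b> O\'Brien & "Co" </script>';

// Unsafe: interpolating the raw value lets the markup become part of the page.
$unsafe = "<p>Welcome, $displayName</p>";

// Safe: each sink gets the escaper for its own context.
$safe = '<p>Welcome, ' . escHtml($displayName) . '</p>' . PHP_EOL
      . '<input type="text" value="' . escHtml($displayName) . '">' . PHP_EOL
      . '<script>var user = ' . escJs($displayName) . ';</script>';

echo 'unsafe:' . PHP_EOL . $unsafe . PHP_EOL . PHP_EOL;
echo 'safe:' . PHP_EOL . $safe . PHP_EOL;
```

Escaping at output time, per context, is what makes this hold up: the same stored value is rendered three ways, and in each the browser sees the name as text rather than as tags, attribute boundaries or script code.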

Sounds good? You can buy the book at a discount through this link!

What I like best about the book

What I really enjoyed while reading this book is how the information is presented in a way that is useful to both beginners and experienced programmers. A number of concepts are raised, explained, and followed by how to protect yourself. There are plenty of code examples, not the filler that some technical books have.

You can read the book very quickly, because it is not long. Novices can read it through, check each topic against their own code, and start making corrections. Remember that this is ongoing work: if you look back and are ashamed of the code you wrote six months ago, you are doing it right.

More experienced programmers can use the guide to fill in their weak spots (no matter how long you've been in the business, you have them, admit it) and to better understand the systems they work with. For example, I've worked with authentication for many years, but I had never thought about it at the level this book does.

Whoever you are, you will learn something. So stop reading this article and go buy a copy! Buying through this link gets you a discount!
