Every PHP developer should read a book, a PHP developer. Every PHP developer should read books. PHP developer PHP has a poor reputation in recent years. There is a lot of discussion about its poor design summary and syntax conflicts, but the main complaints are the books that every PHP developer should read.
PHP has a poor reputation in recent years. There is a lot of discussion about its "bad design summary" and syntax conflicts, but the main complaints are usually security. Many PHP sites are hacked in minutes. some experienced and knowledgeable programmers may say that the language is not safe.
I always disagree with this, because of the common sense, there are so many PHP security violations.
PHP applications are often hacked because:
- There are too many PHP applications.
- It is easy to learn and write.
- Poor PHP is also easy to write.
That's simple. PHP has been popular for many years. The more popular PHP is, the more vulnerabilities it discovers. The vulnerabilities discovered by these hackers are rarely discovered by the PHP processing engine itself, usually the weakness of the script itself.
This means that when a PHP application is hacked, most of them are programmer errors. Sorry, but this is a fact.
You can write secure PHP like other web languages. It's time to start exploring security issues.
Protection against PHP hack
Writing secure PHP code is not a secret black art hidden from PHP developers. However, confidence is so scattered that you need to spend weeks or months (or not so long) collecting some discrete directories or rules of good security practices. Only real experience can tell you how important it is.
Fortunately, Ben Edmunds is ready for you. It recently published the Building Secure PHP Apps-a Practical Guide, which is one of the best security-related books I have read and, of course, best covers PHP. This article details why I think every PHP developer should read it.
This book is a concise guide that brings you to the next level as a developer, allowing you to build better and safer scripts.
Introduction
This book soon entered the common sense rule of web development: do not trust your users and filter all input. From a small scenario to a technical method that allows users to access the system. The topics in Chapter 1 are as follows:
- SQL injection
- A large number of value assignment fields
- Type conversion
- Filter input/output
These are some of the things that PHP beginners (and some veterans) have always overlooked. Filtering input is considered an optional step by many people. This chapter is a lot of discussion.
During the reading process, I remembered my first day of work many years ago. at that time, I dug deep into the existing code and found the code for creating scripts for new users:
?
123 |
if ( $_POST [ "isadmin" ] == 1) { // code to set to admin in database } |
When I see this code, I am very scared because it is a very effective script and can be easily handled by a malicious user. I guess it and insert a simple form variable, then, you can access about 5,000 credit card numbers and other personal information.
After digging deep, I found the following code:
?
1 |
$sql = "INSERT INTO database (id,name,...) VALUES (" . $_POST [ "Name" ] . ");" |
I almost got out of that job on the first day because they were relying on these terrible code. The code is there, and you are responsible for the change. you must avoid generating more.
This chapter discusses why such code is a huge risk and how to fix it.
HTTPS and certificate
This is another field. Ben includes scripts, stories, and a little bit of humor. he also clearly explains the concept of HTTPS. He explained it in a way that even your boss could understand.
This book provides a comprehensive description of the certificate's working principles, certificate types, and implementation methods, and even describes how to deploy the certificate on Apache or Nginx.
Password
This book carefully explains passwords, hash, table queries (lookup tables), and salts, which is incredibly helpful for developers to create user logon systems.
This is an area that was extremely lacking even in 2014. I still have access to apps that store plain text passwords or encryption like ROT13 [note 1] to protect their stupid methods. Do not do this to make people use your applications and your reputation.
Passwords and other sensitive data should be very difficult to obtain, and even some people get all the permissions of the database. This book is comprehensive and will provide you with good guidance on designing a better system.
Authentication and access control
This book contains a comprehensive topic. When you build a new PHP application, some of the first considerations are:
- Who can access what resources?
- Who can control access by other users?
This is important to consider applications, especially those that process sensitive data. A considerable part of enterprise development is committed to this. If you do not correctly establish authentication and access control, the most likely cause is that you have troubled users and created more work. What is worse is the server data gap and/or data destruction.
This book well covers the basics and goes deep into work such as controlling access to files or a single page of an application. There are also many sample codes for reference.
Specific exploitation
This book covers some common exploitation to damage the system and explores cross-site scripting in great detail. it can be said that attackers use the most common method of applications. It explains different types of attacks and how to protect yourself.
Good, right? You can buy books at a discount through this link!
Where I like this book most
What I really enjoy when reading this book is how information is presented in a useful way for beginners and experienced programmers. There are a series of concepts proposed, what they are and how they are self-protected. There are a lot of code examples, unlike the "fill code" that some technical books have ".
You can read this book quickly because there is not much content. Beginners can read this book, check each topic, start to read their code, and make corrections. Keep in mind that you need to make continuous modifications to this issue. If you look back, you will be ashamed of the code you wrote six months ago. you are doing the right thing.
More advanced and experienced programmers can use this guide to fill their weaknesses (no matter how long you have been in this industry, you have weaknesses, admit it ), better understanding of the systems they use at work. For example, I have been crazy for so many years to use authentication, but I have never considered it at the level mentioned in this book.
No matter who you are, you will learn something. So don't read this article. buy a copy! There is a discount for using this link !!
Disclaimer
I didn't comment too much on my blog, so you may have some questions. For clarity, I have not paid or compensated for comments. The above discount code is provided to the readers of my blog for less than 4 USD on the basis of the original book price. I will not receive the money. Of course, for the purpose of commenting, I have received a copy of the promotion book.
I personally know this author, which is one of the reasons I believe in the information in this book and fully trust its guidance. Ben Edmunds has a huge influence in the PHP community over the past few years. He has 10 years of PHP experience and is one of the leaders of the PHP user group in the Polish region, over the past few years, PHP has made great contributions to open-source projects. In this case, he knows his things and you can trust the information presented here.
- Address: http://www.jeremymorgan.com/blog/programming/the-book-every-php-dev-should-read/
- Note 1: ROT13 (rotate by 13 places, with a hyphen (ROT-13) is a simple replacement password. Http://zh.wikipedia.org/wiki/ROT13
Ghost PHP has a poor reputation in recent years. There is a lot of discussion about its poor design summary and syntax conflicts, but the main complaints are usually...