This article recommends a book that every PHP programmer should read. For more information, see
PHP has had a poor reputation in recent years. There is plenty of discussion of its "bad design" and syntax inconsistencies, but the main complaint is usually security: many PHP sites get hacked within minutes. Some experienced and knowledgeable programmers will tell you the language itself is insecure.
I have always disagreed with this; common sense explains why there are so many PHP security breaches.
PHP applications are often hacked because:
There are a great many PHP applications.
PHP is easy to learn and easy to write.
Poor PHP is also easy to write.
It's that simple. PHP has been popular for many years, and the more popular a language is, the more vulnerabilities get discovered in applications written in it. The vulnerabilities attackers find are rarely in the PHP engine itself; they are almost always weaknesses in the application's own code.
This means that when a PHP application is hacked, it is usually a programmer error. Sorry, but that is a fact.
Secure PHP can be written just like secure code in any other web language. It's time to start paying attention to security issues.
Protecting against PHP hacks
Writing secure PHP code is not a secret black art hidden from PHP developers. However, the information is so scattered that you can spend weeks or months (or longer) collecting a set of discrete checklists and rules of good security practice, and only real experience tells you how important each one is.
Fortunately, Ben Edmunds has done this for you. He recently published Building Secure PHP Apps - A Practical Guide, which is one of the best security-related books I have read and certainly the best that covers PHP. This article explains why I think every PHP developer should read it.
This book is a concise guide that takes you to the next level as a developer, letting you build better and safer applications.
Introduction
The book quickly gets to the fundamental rule of web development: do not trust your users, and filter all input. It moves from small scenarios to the technical means by which a user can gain access to the system. Chapter 1 covers:
SQL injection
Mass assignment
Type juggling (loose type conversion)
Filtering input and output
These are things that PHP beginners (and some veterans) routinely overlook. Many people treat filtering input as an optional step. This chapter discusses it at length.
While reading it, I was reminded of my first day at a job many years ago. Digging into the existing code, I found this in the script that created new users:
The code is as follows:

    // Admin status is decided by a field the user submits in the form.
    if ($_POST["isadmin"] == 1) {
        // code to set the new user as admin in the database
    }

When I saw this code I was horrified, because it was a live script that could be trivially abused by a malicious user. Guess the field name, add a single form variable, and you would have access to about 5,000 credit card numbers and other personal information.
Digging deeper, I found the following:
The code is as follows:

    // Raw POST data concatenated straight into the query text.
    $sql = "INSERT INTO database (id, name, ...) VALUES (" . $_POST["Name"] . ");";

I almost quit that job on the first day because they were relying on this terrible code. But the code is there, and you are responsible for changing it. You must avoid producing more of it.
This chapter discusses why such code is a huge risk and how to fix it.
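As an added illustration (not code from the book or from the original post), here are the two snippets above rewritten the way the chapter's rule implies: privilege is never read from the request, and values reach the database through a prepared statement. The table and column names (users, name, email, is_admin) and the in-memory SQLite database are assumptions for the demonstration.

```php
<?php
// Added example: fixing mass assignment and SQL injection together.
// Table/column names and the SQLite setup are assumed for illustration.

// Mass assignment fix: only whitelisted fields are read from the request, and
// is_admin is hard-coded to 0. A submitted "isadmin" field is simply ignored.
function createUserFromRequest(array $post, PDO $db): int
{
    $name  = trim((string) ($post['name'] ?? ''));
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($name === '' || $email === false) {
        throw new InvalidArgumentException('name and a valid email are required');
    }

    // SQL injection fix: the query text and the values travel separately, so a
    // payload such as "'); DROP TABLE users; --" is stored as a name, not run.
    $stmt = $db->prepare(
        'INSERT INTO users (name, email, is_admin) VALUES (:name, :email, 0)'
    );
    $stmt->execute([':name' => $name, ':email' => $email]);
    return (int) $db->lastInsertId();
}

// Promotion to admin is a separate operation gated on the *acting* user's
// stored role, never on anything in the request body.
function promoteToAdmin(int $actorId, int $targetId, PDO $db): void
{
    $check = $db->prepare('SELECT is_admin FROM users WHERE id = :id');
    $check->execute([':id' => $actorId]);
    if ((int) $check->fetchColumn() !== 1) {
        throw new RuntimeException('only an existing admin may promote users');
    }
    $stmt = $db->prepare('UPDATE users SET is_admin = 1 WHERE id = :id');
    $stmt->execute([':id' => $targetId]);
}

// Demonstration against constructed data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL,
           email TEXT NOT NULL, is_admin INTEGER NOT NULL DEFAULT 0)');

// A hostile request that tries both tricks from the story at once.
$hostile = [
    'name'    => "Mallory'); DROP TABLE users; --",
    'email'   => 'mallory@example.com',
    'isadmin' => '1',
];
$id = createUserFromRequest($hostile, $db);

$row = $db->prepare('SELECT name, is_admin FROM users WHERE id = :id');
$row->execute([':id' => $id]);
var_dump($row->fetch(PDO::FETCH_ASSOC));
// name holds the literal payload, is_admin is 0, and the table still exists.

try {
    promoteToAdmin($id, $id, $db);   // Mallory cannot promote herself
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The point of the split into two functions is that the request never carries a decision about privilege at all; the only code path that writes is_admin = 1 first checks the stored role of whoever is calling it.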
HTTPS and Certificates
This is another area where Ben combines scripts, stories and a little humour. He explains the concept of HTTPS clearly, in a way even your boss could understand.
The book gives a comprehensive description of how certificates work, the types of certificates, and how to implement them, and even walks through deploying a certificate on Apache or Nginx.
Passwords
The book carefully explains passwords, hashing, lookup tables and salts, which is incredibly helpful for any developer building a user login system.
This is an area that was badly neglected even in 2014. I still come across apps that store plaintext passwords or "protect" them with something like ROT13 [NOTE 1]. Do not do this to the people who use your applications, or to your reputation.
Passwords and other sensitive data should be very hard to recover even by someone who has obtained full access to the database. The book is thorough and gives good guidance on designing a better system.
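As an added example (mine, not the book's), this is what the salted, slow hashing the chapter describes looks like with PHP's built-in password API (password_hash and password_verify, available since PHP 5.5). The sample password and the md5 comparison at the end are constructed for the demonstration.

```php
<?php
// Added example: storing and checking passwords with PHP's native API.
// PASSWORD_DEFAULT currently selects bcrypt; the algorithm, cost and a fresh
// random salt are all embedded in the returned string.

function storePassword(string $plain): string
{
    // A new random salt per call means two users with the same password get
    // different hashes, so a precomputed lookup table is useless against them.
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $plain, string $stored): bool
{
    // Recomputes the hash with the salt and cost stored in $stored and
    // compares in constant time.
    return password_verify($plain, $stored);
}

function needsUpgrade(string $stored): bool
{
    // True when the stored hash used weaker parameters than today's default;
    // rehash with storePassword() on the user's next successful login.
    return password_needs_rehash($stored, PASSWORD_DEFAULT);
}

// Constructed demonstration.
$secret = 'correct horse battery staple';
$h1 = storePassword($secret);
$h2 = storePassword($secret);

var_dump($h1 !== $h2);                      // bool(true): different salts
var_dump(checkPassword($secret, $h1));      // bool(true)
var_dump(checkPassword('Correct horse battery staple', $h1)); // bool(false)
var_dump(needsUpgrade($h1));                // bool(false): already current

// What the chapter warns against: a fast, unsalted digest. Every user with
// this password gets the same value, which is exactly what lookup tables hit.
var_dump(md5($secret) === md5('correct horse battery staple')); // bool(true)
```

Nothing here needs a separate salt column: the salt lives inside the hash string, and password_needs_rehash() gives you a migration path when you raise the cost later.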
Authentication and Access Control
The book covers this topic comprehensively. When you build a new PHP application, some of the first questions are:
Who can access which resources?
Who can control the access of other users?
These are important considerations for any application, especially one that handles sensitive data, and a considerable part of enterprise development is devoted to them. If you do not set up authentication and access control correctly, the best case is that you have annoyed users and created more work for yourself; the worst case is a server data breach and/or data destruction.
The book covers the basics well and goes deep into tasks such as controlling access to files or to a single page of an application. There is also plenty of sample code for reference.
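As an added example that is not taken from the book, here is a minimal deny-by-default role check of the kind the chapter applies to a single page. The role names, permission strings and the shape of the user array are assumptions for the illustration.

```php
<?php
// Added example: a small role-based access check for one page or action.
// Roles, permission names and the $user array layout are assumed.

final class AccessControl
{
    /** @var array<string, string[]> role => permissions granted to it */
    private array $permissions = [
        'viewer' => ['report.view'],
        'editor' => ['report.view', 'report.edit'],
        'admin'  => ['report.view', 'report.edit', 'report.delete', 'user.manage'],
    ];

    public function can(array $user, string $permission): bool
    {
        // Deny by default: a missing or unknown role grants nothing.
        $role = (string) ($user['role'] ?? '');
        return in_array($permission, $this->permissions[$role] ?? [], true);
    }

    public function requirePermission(array $user, string $permission): void
    {
        if (!$this->can($user, $permission)) {
            throw new RuntimeException("forbidden: $permission");
        }
    }
}

// Protecting a single action: the check runs before any work is done, and the
// permission is looked up from the server-side user record, not the request.
function deleteReport(array $user, int $reportId, AccessControl $acl): string
{
    $acl->requirePermission($user, 'report.delete');
    // ... delete the report here ...
    return "report $reportId deleted by {$user['name']}";
}

// Constructed users: in a real app these come from the session after login.
$acl   = new AccessControl();
$alice = ['name' => 'alice', 'role' => 'admin'];
$bob   = ['name' => 'bob',   'role' => 'viewer'];
$anon  = ['name' => 'anonymous'];          // no role at all

echo deleteReport($alice, 42, $acl), PHP_EOL;     // allowed
foreach ([$bob, $anon] as $user) {
    try {
        deleteReport($user, 42, $acl);
    } catch (RuntimeException $e) {
        echo $user['name'], ': ', $e->getMessage(), PHP_EOL;  // forbidden
    }
}
```

The two things worth copying are the deny-by-default lookup (an unknown role falls through to an empty list) and the placement of the check at the top of the action, before any state is touched.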
Specific Exploits
The book covers some common exploits used to compromise systems and explores Cross-Site Scripting (XSS) in great detail; it is arguably the most common method attackers use against web applications. It explains the different types of attack and how to protect yourself.
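As an added example, not from the book, this shows the core XSS defence of escaping untrusted data for the context it is written into, with the vulnerable form alongside. The attack strings and the page fragment are constructed for the demonstration.

```php
<?php
// Added example: context-aware output escaping against XSS.
// The attack inputs below are constructed; the helpers are PHP built-ins.

// Vulnerable: user input dropped straight into HTML.
function renderProfileUnsafe(string $name): string
{
    return "<h1>Hello, $name</h1>";   // <script> in $name runs in the browser
}

// HTML body and attribute context: escape <, >, &, " and '.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// JavaScript context: emit a JSON literal with the characters that could
// break out of a <script> block or a quoted string hex-escaped.
function eJs($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
}

function renderProfile(string $name, string $bio): string
{
    return '<h1>Hello, ' . e($name) . '</h1>' . PHP_EOL
         . '<p data-bio="' . e($bio) . '">' . e($bio) . '</p>' . PHP_EOL
         . '<script>var profileName = ' . eJs($name) . ';</script>' . PHP_EOL;
}

// Constructed attack inputs: one targets the HTML body, one an attribute.
$name = '<script>alert(document.cookie)</script>';
$bio  = '" onmouseover="alert(1)';

echo renderProfileUnsafe($name), PHP_EOL;   // the script tag survives intact
echo renderProfile($name, $bio);
// The safe version emits &lt;script&gt;... as inert text, the attribute
// payload as &quot; onmouseover=..., and \u003Cscript\u003E... inside the
// JavaScript literal, so no new tag or attribute is created.
```

The rule the example encodes is that there is no single "escape" function: HTML text, attribute values and JavaScript each need their own encoding, chosen by where the value lands in the page.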
What I like most about this book
What I really enjoyed about reading this book is how the information is presented in a way that is useful both to beginners and to experienced programmers. A series of concepts is introduced: what each one is and how to protect against it. There are lots of code examples, unlike the "filler code" some technical books pad themselves with.
You can read this book quickly because it is not long. Beginners can read it, work through each topic, then start reviewing their own code and correcting it. Keep in mind that this is something you will keep doing: if you look back and are ashamed of the code you wrote six months ago, you are doing the right thing.
More advanced and experienced programmers can use this guide to fill in their weak spots (no matter how long you have been in this industry, you have weak spots; admit it) and to better understand the systems they use at work. For example, I have worked with authentication for many years, but I had never thought about it at the level this book discusses.
Whoever you are, you will learn something. So stop reading this article and buy a copy! There is a discount if you use this link!!