Essential PHP Security
I recently finished reading Essential PHP Security by Chris Shiflett (O’Reilly). It was a good, quick read, and for me it was mostly a review of principles I had previously read on Chris’s blog. The main principles are filter input and escape output. Using separate arrays for each kind of data is a best practice:
<?php
// filter input and assign it to the "$clean" array
if (ctype_alnum($_POST['name'])) {
    $clean['name'] = $_POST['name'];
} else {
    // anything that fails the filter never enters $clean
    exit('Invalid name.');
}

// escape HTML output with htmlentities()
$html['name'] = htmlentities($clean['name'], ENT_QUOTES);
echo "You entered the name $html[name].";

// escape MySQL output with mysql_real_escape_string()
$mysql['name'] = mysql_real_escape_string($clean['name']);
mysql_query("INSERT INTO table (name) VALUES ('$mysql[name]')");
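The following is an added example (not from the book or this post) that runs the same filter-input / escape-output pattern over a few constructed inputs, including an XSS payload and a name with an apostrophe. It keeps the separate $clean and $html arrays, and in place of mysql_real_escape_string() it uses a PDO prepared statement against an in-memory SQLite database, so the SQL context never sees the raw value; the function names and the pdo_sqlite extension are my assumptions.

```php
<?php
declare(strict_types=1);

// Constructed sample requests standing in for $_POST (not real traffic).
$requests = [
    ['name' => 'alice42'],
    ['name' => '<script>alert(1)</script>'],
    ['name' => "O'Brien"],
];

/**
 * Filter input: accept only what matches the expected format.
 * Returns the clean value, or null so the caller must handle rejection
 * explicitly instead of reading an unset $clean['name'].
 */
function filter_name(array $post): ?string
{
    if (!isset($post['name']) || !is_string($post['name'])) {
        return null;
    }
    // Whitelist: letters, digits, apostrophe and hyphen, 1 to 40 characters.
    if (preg_match('/^[A-Za-z0-9\'-]{1,40}$/', $post['name']) !== 1) {
        return null;
    }
    return $post['name'];
}

/** Escape for an HTML text or quoted-attribute context. */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// In-memory SQLite via PDO (assumes the pdo_sqlite extension is loaded).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (name TEXT NOT NULL)');
// The parameter binding does the escaping for the SQL context.
$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');

foreach ($requests as $post) {
    $clean = [];
    $html  = [];

    $name = filter_name($post);
    if ($name === null) {
        // Rejected input never enters $clean, so it can be neither echoed nor stored.
        echo "rejected one request\n";
        continue;
    }
    $clean['name'] = $name;

    // Escape for the HTML context only at the point of output.
    $html['name'] = escape_html($clean['name']);
    echo "You entered the name {$html['name']}.\n";

    // Store the clean value; no manual escaping for the SQL context.
    $insert->execute([':name' => $clean['name']]);
}

// Show what was stored: the apostrophe in O'Brien survives intact.
foreach ($db->query('SELECT name FROM users') as $row) {
    echo "stored: {$row['name']}\n";
}
```

Run it with the PHP CLI; the script payload is rejected by the whitelist before it reaches either output context, and the apostrophe is stored literally because the prepared statement, not string concatenation, carries the value into the query.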
After reading the book I was only left with one question: is HTTP Authentication over SSL fairly secure? (I assumed it would be.) I emailed Chris with my question and he responded quickly in the affirmative. Thanks, Chris.
August 17th, 2006 at 7:16 am
The examples in the book were close to ‘real-life’ examples, in that they showed you methods of how to protect yourself from specific attacks (such as XSS, CSRF, etc).
I think, overall, a lot of the security comes with the configuration of PHP and the server itself.