Essential PHP Security

I recently finished reading Essential PHP Security by Chris Shiflett (O’Reilly). It was a good, quick read, and for me it was mostly a review of principles I had previously read on Chris’s blog. The main principles are filter input and escape output. Using separate arrays for each kind of data is a best practice:

// filter input and assign it to the "$clean" array
if (ctype_alnum($_POST['name'])) {
    $clean['name'] = $_POST['name'];
}

// escape HTML output with htmlentities()
$html['name'] = htmlentities($clean['name'], ENT_QUOTES);
echo "You entered the name $html[name].";

// escape MySQL output with mysql_real_escape_string()
$mysql['name'] = mysql_real_escape_string($clean['name']);
mysql_query("INSERT INTO table (name) VALUES ('$mysql[name]')");
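An added example (not code from the book or from this post) that carries the same three-array pattern through, including the case the snippet above leaves open: what to do when the filter rejects the input. The database step swaps mysql_real_escape_string() for a PDO parameterised query against an in-memory SQLite table, since the mysql_* extension no longer exists in PHP 7+; the table name "users" and the 32-byte length limit are assumptions.

```php
<?php
// Added example: filter input into $clean, escape output into $html,
// and handle the case where the filter rejects the request. The DB step
// uses PDO + in-memory SQLite with a parameterised INSERT instead of
// mysql_real_escape_string() (mysql_* was removed in PHP 7). The "users"
// table and the 32-byte limit are assumptions for the example.

function filter_name(array $input): ?string {
    // Whitelist: letters and digits only, at most 32 bytes. Reject
    // anything else instead of trying to "clean" it.
    if (isset($input['name']) && is_string($input['name'])
        && ctype_alnum($input['name']) && strlen($input['name']) <= 32) {
        return $input['name'];
    }
    return null;
}

function escape_html(string $s): string {
    // ENT_QUOTES handles both quote styles, so the value is also safe
    // inside attribute values, not just element content.
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT NOT NULL)');

// Constructed sample requests: one valid name, one carrying markup and quotes.
$requests = [['name' => 'alice42'], ['name' => "<b onclick='x()'>alice</b>"]];

foreach ($requests as $post) {
    $clean = [];
    $html  = [];
    $name = filter_name($post);
    if ($name === null) {
        // Filter failed: $clean['name'] is never set, so stop here rather
        // than letting later code fall back to the raw request.
        echo "Rejected input.\n";
        continue;
    }
    $clean['name'] = $name;

    // Escape for HTML from $clean, never from $post.
    $html['name'] = escape_html($clean['name']);
    echo "You entered the name $html[name].\n";

    // The driver keeps the bound value apart from the SQL text, so no
    // per-database escaping array is needed for this step.
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $clean['name']]);
}
```

The second request is rejected by the whitelist before it reaches either output context; the first is stored and echoed unchanged, since it contains nothing that needs escaping.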

After reading the book I was only left with one question: is HTTP Authentication over SSL fairly secure? (I assumed it would be.) I emailed Chris with my question and he responded quickly in the affirmative. Thanks, Chris.

One reply on “Essential PHP Security”

  1. I, too, read this book and enjoyed it. It was a very small and quick read, but packed with useful information and tools.

    The examples in the book were close to ‘real-life’ examples, in that it showed you methods of how to protect yourself from specific attacks (such as XSS, CSRF, etc).

    I think, overall, a lot of the security comes with the configuration of PHP and the server itself.