Essential PHP Security

I recently finished reading Essential PHP Security by Chris Shiflett (O’Reilly). It was a good, quick read, and for me it was mostly a review of principles I had previously read on Chris’s blog. The two main principles are filter input and escape output. Keeping each kind of data in its own array ($clean for filtered input, $html and $mysql for output escaped for a specific context) is a best practice:

<?php
// start with empty arrays so a failed filter never leaves a stale key behind
$clean = array();
$html  = array();
$mysql = array();

// filter input and assign it to the "$clean" array
if (isset($_POST['name']) && ctype_alnum($_POST['name'])) {
    $clean['name'] = $_POST['name'];
} else {
    die('Invalid name.'); // refuse to continue with unfiltered data
}

// escape HTML output with htmlentities()
$html['name'] = htmlentities($clean['name'], ENT_QUOTES);
echo "You entered the name $html[name].";

// escape MySQL output with mysql_real_escape_string()
// (requires an open mysql_connect() connection; `table` is quoted because it is a reserved word)
$mysql['name'] = mysql_real_escape_string($clean['name']);
mysql_query("INSERT INTO `table` (name) VALUES ('$mysql[name]')");
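The same filter-input / escape-output pattern carried a little further, as an added example of my own rather than code from the book or from Chris: several fields, one whitelist validator per field, a constructed request array standing in for $_POST (so it runs from the command line), and an in-memory SQLite database through PDO prepared statements in place of mysql_real_escape_string(). It assumes PHP 7.4 or later with the pdo_sqlite extension.

```php
<?php
// Added example (not from the book or the post): filter input into $clean,
// escape for HTML only at output time, and bind database parameters instead
// of escaping by hand. Runs offline against an in-memory SQLite database.

declare(strict_types=1);

// Constructed sample input standing in for $_POST.
$input = [
    'name'  => 'alice42',
    'age'   => '37',
    'email' => 'alice@example.com',
    'bio'   => '<script>alert(1)</script>',   // will be rejected by the filter
];

// One whitelist validator per field. A value reaches $clean only if it passes.
$validators = [
    'name'  => fn(string $v): bool => ctype_alnum($v) && strlen($v) <= 32,
    'age'   => fn(string $v): bool => ctype_digit($v) && (int)$v <= 150,
    'email' => fn(string $v): bool => filter_var($v, FILTER_VALIDATE_EMAIL) !== false,
    'bio'   => fn(string $v): bool => preg_match('/^[\p{L}\p{N} .,!?\'-]{0,200}$/u', $v) === 1,
];

$clean  = [];
$errors = [];
foreach ($validators as $field => $isValid) {
    $value = $input[$field] ?? null;
    if (is_string($value) && $isValid($value)) {
        $clean[$field] = $value;
    } else {
        $errors[$field] = 'rejected by input filter';
    }
}

// HTML context: escape at the point of output, never earlier.
$html = [];
foreach ($clean as $field => $value) {
    $html[$field] = htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
foreach ($html as $field => $value) {
    echo "You entered $field: $value\n";
}
foreach ($errors as $field => $reason) {
    echo "Field $field $reason\n";
}

// Database context: a prepared statement with bound parameters, so the data
// is never interpolated into the SQL text at all.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, age INTEGER, email TEXT)');

if (isset($clean['name'], $clean['age'], $clean['email'])) {
    $stmt = $db->prepare('INSERT INTO users (name, age, email) VALUES (:name, :age, :email)');
    $stmt->execute([
        ':name'  => $clean['name'],
        ':age'   => (int)$clean['age'],
        ':email' => $clean['email'],
    ]);
    echo "Inserted " . $stmt->rowCount() . " row(s)\n";
}
```

Run it with `php filter_escape.php`: the three valid fields are echoed HTML-escaped and inserted, while the bio value never reaches $clean, so it is neither printed nor stored. The point of the separate arrays is that each one is only ever read in the context it was prepared for.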

After reading the book I was only left with one question: is HTTP Authentication over SSL fairly secure? (I assumed it would be.) I emailed Chris with my question and he responded quickly in the affirmative. Thanks, Chris.

1 thought on “Essential PHP Security”

  1. I, too, read this book and enjoyed it. It was a very small and quick read, but packed with useful information and tools.

    The examples in the book were close to ‘real-life’ examples, in that it showed you methods of how to protect yourself from specific attacks (such as XSS, CSRF, etc.).

    I think, overall, a lot of the security comes with the configuration of PHP and the server itself.
