May 5, 2014April 12, 2016 by Maks Surguy

Book review – Building Secure PHP Apps by Ben Edmunds

The following post is my personal review of a new e-Book by PHP Town Hall co-host Ben Edmunds being released today on Leanpub. I’ve had the honor of getting a copy of the book before it is officially released and have read it all in order to have a more or less complete review.

Short description and a sample chapter

Security of web applications should be a top priority for any developer. Ben’s book, “Building Secure PHP Apps, a practical guide” has a goal to educate PHP developers of all levels of expertise about potential security problems and show practical solutions to those problems. The problems discussed in the book are real threats to many web applications built with PHP and ignoring them will sooner or later result in loss or corruption of data, leakage of private information or the application being completely wiped out/defaced.

You can read a sample chapter of the book at https://leanpub.com/buildingsecurephpapps/read

Get the book here: https://leanpub.com/buildingsecurephpapps

Progression in the book

The book is five chapters long. Full of fun stories, some are real and some that are not, the book starts out with a chapter on basic security considerations such as :

Preventing SQL injections
Handling mass assignment
Typecasting for enforcing strict data types
Sanitizing input

After covering these problems the author picks up the steam and dives into deeper topics. Chapter 2 focuses on the answers to questions surrounding SSL and its use in PHP web applications. What is SSL/HTTPS? When should you use HTTPS? How to create SSL certificates and where to get them? How does enabling SSL affect delivery of assets (scripts/stylesheets)? These and more questions are answered in good detail and a practical example is given for each of the answers.

Chapter three introduces you to security considerations for storing passwords. Every developer should know by now that storing passwords in plain text is disastrous (and should be made illegal). In this chapter of the book the author goes in depth about typical encryption mechanisms and secure storage of such sensitive user information as passwords. The chapter starts out by explaining the most popular attack schemes that could help a hacker decrypt user passwords when the user information is leaked. Then the author describes a few ways of encrypting passwords to prevent these attacks. Hashing and salting of passwords are discussed in great detail with over a dozen of practical PHP code examples for you to follow along. Finally, the author describes possible ways of upgrading legacy systems to one of the more secure mechanisms described in the chapter.

Next, chapter four of the book covers the aspects of authentication, access control, and secure file handing. The author explains how to authenticate the user and how to save that authenticated state for further requests. When the user is authenticated, your application would check for various permissions that the user has on a particular set of features (Access Control). The author shows a small example of applying a function that serves as a “filter” to prevent unauthorized access to features of the application that the user should not be able to access. After that, a great concept of “Security through obscurity” is covered in good detail. The author gives examples of obfuscating IDs of objects(users/products/etc.) by using HashIDs library and this is the technique I personally use on many of my sites and would recommend using. Finally, the author explains how to store files securely, without exposing private documents to the web but instead serve them from a folder hidden from public access.

In the final chapter of the book, the author explores the topic of safe defaults and explains about some more known attacks such as cross site scripting attacks and cross site request forgery. Using pessimistic default values for variables is important when it comes to security and the author does a great job explaining what that means in dynamically typed language like PHP and why it matters to use safe defaults. Then, the author explains about a common way to inject malicious data in a web application – cross site scripting (XSS), and how to protect against it. Among other topics, chapter 5 touches on the problem of Cross site request forgery (CSRF) and provides detailed solutions along with the code and algorithms. Finally, some of the best practices are discussed to give the reader a well-rounded view on the topics of application security.

Explaining common attacks and methods of preventing these attacks, the book provides a great way for developers to be aware of various attack vectors and introduces you to the solutions to these important problems. I feel like Ben did a great job giving introductions to these security issues and has explained the problems along with their solutions very well. The book gave me quite a few new insights and made me aware of potential weaknesses in my own applications.

Interested? Join over 150 other readers and get the book here: