cbassett03 Posted July 16, 2012

Sorry if this is the wrong place to post this.... I'm in the process of working on a new website for a company I work for. I am pretty fluent in PHP, but haven't had any "official" training or education in it (only from me reading books and trial and error). Anyway, are there any good books that are written regarding writing secure PHP code? I have a few beginner books, but they really don't get into too much detail on writing secure code (they mainly focus on the basics with a bit here and there about basic security relating to PHP scripts, but that isn't their main focus). My biggest concern is dealing with (and preventing) code injection when working with MySQL. I'm aware of the "html encodes" functions that will encode a character so that it cannot really be used to inject into MySQL (for example), but I want a more concise guide (book) that also covers other areas of writing secure PHP code (I'm sure there are many, many other security flaws out there that can be avoided if you know about them). Any suggestions? Again, I'm pretty fluent in PHP, so I'd say that I'm an intermediate PHP programmer (not a beginner, but definitely not an advanced PHP programmer either). I guess I'd also take suggestions for online sites that talk about PHP security (I know a Google search would yield plenty, but I'm looking for more of a structured sequence that covers all sorts of security pitfalls and how to overcome them, in a logical fashion, rather than me just doing "site hopping").
scootstah Posted July 16, 2012

"My biggest concern is dealing with (and preventing) code injection when working with MySQL. I'm aware of the "html encodes" functions that will encode a character so that it cannot really be used to inject into MySQL (for example)"

I think by "html encodes functions" you are talking about htmlentities or htmlspecialchars, neither of which will prevent SQL injection. To prevent SQL injection, you need to either escape the data or use prepared statements. There are a lot of aspects to secure code. You can go a long ways by following a few best practices (like what I mentioned above regarding SQL injection, always sanitizing user input, etc.) and by leaving things that are controversial to people that are qualified to make the hard decisions (like user authentication, password storage, encryption, XSS filtering).
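To make the point in the reply above concrete, here is an added PHP example (not code posted by anyone in this thread) showing why HTML encoding is the wrong tool against SQL injection and what a prepared statement does instead. It assumes a hypothetical `users(id, name)` MySQL table, a PDO connection whose DSN and credentials are placeholders, and a constructed sample input.

```php
<?php
// Added example: htmlspecialchars() vs. a prepared statement.
// The table `users`, the PDO connection details and the input are all
// constructed for this illustration.

// Constructed untrusted input, as it might arrive in $_GET['id'].
$untrusted = '42 OR 1=1';

// htmlspecialchars() only rewrites the HTML-significant characters
// (& < > " and, with ENT_QUOTES, '). This input contains none of them,
// so the "encoded" value is byte-for-byte identical to the original and
// would reach MySQL exactly as typed. HTML encoding protects HTML output,
// not SQL text.
$encoded = htmlspecialchars($untrusted, ENT_QUOTES, 'UTF-8');
var_dump($encoded === $untrusted);

// INSECURE: interpolating the value builds the SQL text
//   SELECT id, name FROM users WHERE id = 42 OR 1=1
// which is valid SQL that no longer restricts the result to one id.
$insecureSql = "SELECT id, name FROM users WHERE id = $encoded";

// SECURE: validate the type, then bind the value as a parameter. The SQL
// text is fixed before any data is supplied, and the bound value is sent
// to the server as data, so it can never change the query's structure.
function findUserById(PDO $pdo, string $input): ?array
{
    // An id must be an integer; anything else is rejected before a query runs.
    if (filter_var($input, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $input, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Placeholder DSN/credentials. Emulated prepares are turned off so the
// statement is really prepared server-side rather than interpolated by PDO.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
]);
var_dump(findUserById($pdo, $untrusted)); // rejected by the integer check
var_dump(findUserById($pdo, '42'));       // one row for id 42, or null
```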
carugala Posted July 16, 2012

"I know a google search would yield plenty"

ok, what do you need the book for? seems more of a pita to get a book, when the info is at your googletips. Define 'secure code'?
scootstah Posted July 16, 2012

"I know a google search would yield plenty ok, what do you need the book for? seems more of a pita to get a book, when the info is at your googletips."

Some people trust a book more than the ramblings of random blogs.
ignace Posted July 16, 2012

"Some people trust a book more than the ramblings of random blogs."

+1, unless the blog is by some respected author (which are then mostly excerpts from their book..). As a book, I would recommend Pro PHP Security.