FlashApe » archive for November, 2005

 Essential PHP Security

  • November 22nd, 2005
  • 1:53 am

Just finished reading the book Essential PHP Security, the O’Reilly book by Chris Shiflett. It’s short, only about 100 pages or so, but it hits the mark really well.
Often with web apps you will hear the terms “SQL injection”, “cross-site scripting (XSS)”, “spoofing”, “session hijacking” and a bunch of other stuff that doesn’t sound so good. The author of this book doesn’t just talk about them; he offers examples of how these are done, in the hope of showing the readers how simple these attacks are to pull off, and how easy it is to offer up some defenses against these kinds of attacks.
The main defenses the author pounds into your head when reading this book are to “filter input” and “escape output”:
  • filter input - All data coming in to your app from a remote source (a web form, a database, even session data) should be considered tainted. In his book, the author creates a new array and holds all filtered data in that array, and uses it in his scripts instead of any raw data being sent in.
  • escape output - using functions such as htmlentities() and mysql_real_escape_string() to escape any characters that a browser may interpret as HTML. Example: someone could add JavaScript directly into a comment box on someone’s blog that does something nasty. If that script is not escaped when the comment is displayed on the page, it will run as HTML and cause some damage.
There are other points he makes about “defense in depth”, which is basically redundant checking of data in a PHP script, not using register_globals, etc., and he shows you many points in a web app that have the potential for huge security risks.
For me, the book shed a huge light on a subject that is often talked about, but most of the time not really understood, and often deliberately and completely ignored. Now if you’ll excuse me, I’ve got some glaring security holes to fix.
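To make the “filter input, escape output” pattern and the redundant-check idea concrete, here is an added example of a comment form handler. It is my own illustration, not code from the book or from this blog; the $clean array name follows the book’s approach, while the comments table, the field names and the SQLite in-memory database are assumptions made for the demo. It uses a PDO bound parameter in place of mysql_real_escape_string(), since the old mysql_ extension is gone from current PHP; the effect is the same: user data never becomes part of the SQL text.

```php
<?php
// Added example (not from the book or the blog post): filter input, escape output,
// plus a redundant check at the storage layer as "defense in depth".
// $clean, the "comments" table and the field names are assumptions for this demo.

// 1. Filter input: everything in $_POST is tainted. Only values that pass an
//    explicit check are copied into $clean; the rest of the script uses $clean only.
function filter_comment_input(array $post): ?array
{
    $clean = [];

    // Author: letters, digits, spaces and a few punctuation marks, 1..40 characters.
    if (isset($post['author']) && is_string($post['author'])
        && preg_match('/^[A-Za-z0-9 .\'-]{1,40}$/', $post['author']) === 1) {
        $clean['author'] = $post['author'];
    } else {
        return null; // reject the whole request rather than guess at a fix
    }

    // Body: any string of bounded length. Its content is allowed to look dangerous,
    // because escaping at output time (step 2) is what makes it safe to display.
    if (isset($post['body']) && is_string($post['body'])
        && strlen($post['body']) >= 1 && strlen($post['body']) <= 2000) {
        $clean['body'] = $post['body'];
    } else {
        return null;
    }

    return $clean;
}

// 2a. Escape output for the browser: markup characters become entities, so a
//     "<script>" in a comment is shown as text instead of being executed.
function escape_for_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// 2b. Escape output for the database: with a prepared statement the data is bound
//     separately from the SQL text (the role mysql_real_escape_string() used to play).
//     The length check here is deliberately redundant with step 1: defense in depth.
function store_comment(PDO $db, array $clean): bool
{
    if (!isset($clean['author'], $clean['body']) || strlen($clean['body']) > 2000) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    return $stmt->execute([':author' => $clean['author'], ':body' => $clean['body']]);
}

// Demo with a constructed comment of the kind the post describes.
$sample = ['author' => 'Alice', 'body' => "Nice post <script>alert('x')</script>"];
$clean = filter_comment_input($sample);
if ($clean === null) {
    http_response_code(400);
    exit('Invalid input');
}

// Vulnerable form, shown only as a comment: echo $sample['body'];  (script would run)
// Hardened form: every value is escaped for the context it is written into.
echo '<p>' . escape_for_html($clean['author']) . ': ' . escape_for_html($clean['body']) . "</p>\n";

// In-memory SQLite stands in for MySQL so the example runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
store_comment($db, $clean);
$row = $db->query('SELECT author, body FROM comments')->fetch(PDO::FETCH_ASSOC);
// The stored body is the raw text: escaping is done per output context, at display time.
echo escape_for_html($row['author']) . ' wrote: ' . escape_for_html($row['body']) . "\n";
```

Note that the body is stored unescaped and only HTML-escaped when it is echoed; storing already-escaped text would break the moment the same comment is shown somewhere that is not an HTML page (an RSS feed, a JSON API), which is why the book ties escaping to output rather than to input.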