APress - Pro PHP Security (2005).pdf

Pro PHP Security
Chris Snyder and Michael Southwell
Pro PHP Security
Copyright © 2005 by Chris Snyder and Michael Southwell
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage or retrieval
system, without the prior written permission of the copyright owner and the publisher.
ISBN (pbk): 1-59059-508-4
Printed and bound in the United States of America 9 8 7 6 5 4 3 2 1
Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrence
of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark
owner, with no intention of infringement of the trademark.
Lead Editor: Jason Gilmore
Technical Reviewer: Timothy Boronczyk
Editorial Board: Steve Anglin, Dan Appleman, Ewan Buckingham, Gary Cornell, Tony Davis, Jason Gilmore,
Jonathan Hassell, Chris Mills, Dominic Shakeshaft, Jim Sumser
Associate Publisher: Grace Wong
Project Manager: Beth Christmas
Copy Edit Manager: Nicole LeClerc
Copy Editor: Ami Knox
Assistant Production Director: Kari Brooks-Copony
Production Editor: Katie Stence
Compositors: Susan Glinert and Pat Christenson
Proofreader: April Eddy
Indexer: Michael Brinkman
Artist: Wordstop Technologies Pvt. Ltd., Chennai
Interior Designer: Van Winkle Design Group
Cover Designer: Kurt Krames
Manufacturing Director: Tom Debolski
Distributed to the book trade worldwide by Springer-Verlag New York, Inc., 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax 201-348-4505.
For information on translations, please contact Apress directly at 2560 Ninth Street, Suite 219, Berkeley, CA 94710. Phone 510-549-5930, fax 510-549-5939.
The information in this book is distributed on an “as is” basis, without warranty. Although every precaution has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the information contained in this work.
The source code for this book is available to readers in the Downloads section of the Apress website.
Contents at a Glance
About the Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
About the Technical Reviewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
PART 1 The Importance of Security
CHAPTER 1 Why Is Secure Programming a Concern? . . . . . 3
PART 2 Maintaining a Secure Environment
CHAPTER 2 Dealing with Shared Hosts . . . . . 13
CHAPTER 3 Maintaining Separate Development and Production Environments . . . . . 25
CHAPTER 4 Keeping Software Up to Date . . . . . 41
CHAPTER 5 Using Encryption I: Theory . . . . . 55
CHAPTER 6 Using Encryption II: Practice . . . . . 75
CHAPTER 7 Securing Network Connections I: SSL . . . . . 109
CHAPTER 8 Securing Network Connections II: SSH . . . . . 139
CHAPTER 9 Controlling Access I: Authentication . . . . . 175
CHAPTER 10 Controlling Access II: Permissions and Restrictions . . . . . 209
PART 3 Practicing Secure PHP Programming
CHAPTER 11 Validating User Input . . . . . 229
CHAPTER 12 Preventing SQL Injection . . . . . 249
CHAPTER 13 Preventing Cross-Site Scripting . . . . . 263
CHAPTER 14 Preventing Remote Execution . . . . . 281
CHAPTER 15 Enforcing Security for Temporary Files . . . . . 303
CHAPTER 16 Preventing Session Hijacking . . . . . 315
PART 4 Practicing Secure Operations
CHAPTER 17 Allowing Only Human Users . . . . . 331
CHAPTER 18 Verifying Your Users’ Identities . . . . . 347
CHAPTER 19 Using Roles to Authorize Actions . . . . . 359
CHAPTER 20 Adding Accountability to Track Your Users . . . . . 377
CHAPTER 21 Preventing Data Loss . . . . . 399
CHAPTER 22 Safely Executing System Commands . . . . . 419
CHAPTER 23 Handling Remote Procedure Calls Safely . . . . . 455
CHAPTER 24 Taking Advantage of Peer Review . . . . . 467
INDEX . . . . . 479