Snyder - Pro PHP Security (Apress, 2005).pdf

(13586 KB) Pobierz
30527674 UNPDF
30527674.003.png
Pro PHP Security
■■■
Chris Snyder and Michael Southwell
30527674.004.png 30527674.005.png
Pro PHP Security
Copyright © 2005 by Chris Snyder and Michael Southwell
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage or retrieval
system, without the prior written permission of the copyright owner and the publisher.
ISBN (pbk): 1-59059-508-4
Printed and bound in the United States of America 9 8 7 6 5 4 3 2 1
Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrence
of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark
owner, with no intention of infringement of the trademark.
Lead Editor: Jason Gilmore
Technical Reviewer: Timothy Boronczyk
Editorial Board: Steve Anglin, Dan Appleman, Ewan Buckingham, Gary Cornell, Tony Davis, Jason Gilmore,
Jonathan Hassell, Chris Mills, Dominic Shakeshaft, Jim Sumser
Associate Publisher: Grace Wong
Project Manager: Beth Christmas
Copy Edit Manager: Nicole LeClerc
Copy Editor: Ami Knox
Assistant Production Director: Kari Brooks-Copony
Production Editor: Katie Stence
Compositors: Susan Glinert and Pat Christenson
Proofreader: April Eddy
Indexer: Michael Brinkman
Artist: Wordstop Technologies Pvt. Ltd., Chennai
Interior Designer: Van Winkle Design Group
Cover Designer: Kurt Krames
Manufacturing Director: Tom Debolski
Distributed to the book trade worldwide by Springer-Verlag New York, Inc., 233 Spring Street, 6th Floor,
New York, NY 10013. Phone 1-800-SPRINGER, fax 201-348-4505, e-mail
, or
.
For information on translations, please contact Apress directly at 2560 Ninth Street, Suite 219, Berkeley, CA
94710. Phone 510-549-5930, fax 510-549-5939, e-mail
.
The information in this book is distributed on an “as is” basis, without warranty. Although every precaution
has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liability to
any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly
by the information contained in this work.
The source code for this book is available to readers at
, or visit
in the Downloads section.
visit
30527674.006.png
Contents at a Glance
About the Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
About the Technical Reviewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii
PART 1
■ ■ ■
The Importance of Security
CHAPTER 1
Why Is Secure Programming a Concern? . . . . . . . . . . . . . . . . . . . . . . . 3
PART 2
■ ■ ■
Maintaining a Secure Environment
CHAPTER 2
Dealing with Shared Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
CHAPTER 3
Maintaining Separate Development and Production
Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
CHAPTER 4
Keeping Software Up to Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
CHAPTER 5
Using Encryption I: Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
CHAPTER 6
Using Encryption II: Practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
CHAPTER 7
Securing Network Connections I: SSL . . . . . . . . . . . . . . . . . . . . . . . . 109
CHAPTER 8
Securing Network Connections II: SSH . . . . . . . . . . . . . . . . . . . . . . . 139
CHAPTER 9
Controlling Access I: Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 175
CHAPTER 10
Controlling Access II: Permissions and Restrictions . . . . . . . . . . . 209
PART 3
■ ■ ■
Practicing Secure PHP Programming
CHAPTER 11
Validating User Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
CHAPTER 12
Preventing SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
CHAPTER 13
Preventing Cross-Site Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
CHAPTER 14
Preventing Remote Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
CHAPTER 15
Enforcing Security for Temporary Files . . . . . . . . . . . . . . . . . . . . . . . 303
CHAPTER 16
Preventing Session Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
iii
30527674.001.png
iv
CONTENTS AT A GLANCE
PART 4
■ ■ ■
Practicing Secure Operations
CHAPTER 17
Allowing Only Human Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
CHAPTER 18
Verifying Your Users’ Identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
CHAPTER 19
Using Roles to Authorize Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
CHAPTER 20
Adding Accountability to Track Your Users . . . . . . . . . . . . . . . . . . . . 377
CHAPTER 21
Preventing Data Loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
CHAPTER 22
Safely Executing System Commands . . . . . . . . . . . . . . . . . . . . . . . . . 419
CHAPTER 23
Handling Remote Procedure Calls Safely . . . . . . . . . . . . . . . . . . . . . 455
CHAPTER 24
Taking Advantage of Peer Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467
INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479
30527674.002.png
Zgłoś jeśli naruszono regulamin