About five months ago, during yet another flood of phpBB2 exploits Marco Tabini approached me with an idea of writing a security book for PHP. The idea was to provide a guide for people who want to make their applications safer as well as help them understand the possible consequences of various exploits. I thought the idea was quite appealing, a feeling a bit confident after a fairly extensive article authorship decided to take up the task.
And so, for the next several months I was focused on effectively doing a brain dump of my knowledge on security. The process was extremely educational, since to explain any concept a far greater knowledge then the one needed to simply apply a fix is required, plus writing a book as I have learned is just a tad

more complex then an article. But with the help of Marco, my technical reviewer and Martin Streicher who has done a tremendous job at cleaning up my ranting, I think we've got an excellent PHP security resource. The book itself is 201 pages, a bit longer then anticipated, but gave me the opportunity to cover each topic in a fair amount of detail.
Table of Contents- Input validation
- Cross-site Scripting Prevention
- SQL Injections
- Code Injections
- Command Injections
- Session Security
- Securing File Access
- Security Through Obscurity
- Sandboxes and Tar Pits
- Securing Your Applications
The goal of the book is to introduce each type of vulnerability and to explain in greatest amount of detail possible what can lead to it and what are the possible consequences. In my opinion before solving any problem you should have a full understanding of it, so that the fix ends up addressing the cause and not the symptoms. As far as consequences go, it is imperative to know why a problem needs to be fixed and not allowed to linger. If youve ever came across a situation where someone dismissed cross site scripting (XSS) or other security problem as a non-issue, this book will serve as an excellent resource in demonstrating how even the most "trivial" exploits can be abused to great effect. Not to leave you handing so to speak, the book also spends a fair amount of time talking about possible solutions to each problem and provides deployable solutions for each one. In addition to talking about specific security issues, it is my sincere hope that it will encourage developers to think about security when designing and auditing their applications and ultimately lead to a better and a far more secure code.
At the present time the book is available via
phparch.com website in both paper and electronic forms, and will shortly (within 1-2 weeks) appear on Amazon and Barnes & Noble, ISBN: 0-9738621-0-6. I should mention that the 1st 300 copies sold will be signed, so if you want my doodling

on your copy, hurry up and buy it.
Ilia Alshanetsky’s book php|architect’s Guide to PHP Security has just been released and I ordered my copy this morning (hopefully early enough to have Ilia’s signature on the inside cover!). As with the other php|architect publicat...
Tracked: Sep 06, 17:08
Ilia has written a php|architect's Guide to PHP Security and has announced that it has been sent for publishing. For those who don't know, Ilia is one of the leading PHP security experts in the PHP community....
Tracked: Sep 07, 13:24
相信使用PHP开发的人员一定不会对SQLite感到陌生了,PHP5已经集成了这个轻量型的数据库。SQLite无任何限制的授权协议以及支持大部分标准的SQL 92语句,相信会有越来越多的人使用这个数据库。作为WEB开发而言,PHP与SQLite的结合就如同当年的ASP与ACCESS结合一样,ACCESS可以遭遇被人下载,SQLite同样不能幸免,毕竟SQLite也是一个二进制文件,只要WEB能访问到的,就能被下载。
Tracked: Sep 12, 07:47