As a very security conscious developer, I found this book to be a GREAT resource to my library. Though the book is short in length, it is very rich in content. Chris does a GREAT job of presenting the problem (citing specific examples of the exploits), showing the pitfalls, and then presenting the solutions.

He is very thorough in his descriptions, and his easy to understand writing and use of analogies made this a very simple concept to grasp. If you are a seasoned PHP developer, or just beginning programming PHP - his writing style helps you to understand the underlying attack, visuals to see it in action, and how to prevent being attacked - it is very simple, yet deep.

Reading this book has helped me to see where my applications may fall short, and what I can do to protect them. Especially in the realm of PHP developers, there are MANY Open Source options out there, and many of them lack the security that is mentioned in the chapters of this book. Don't let yourself get caught!

I recommend this book, and performing an audit of your own work. Excellent book!

This handy book fecth most recent popular attacks, and roughly coveres most general attacking means and how to secure your website.I like author's princle about how to filter tainted input and his code snippets are short and understandable.But this book comes with quite much minor errors; chapters seem little bit repetitive and redundant and most codes are not talked in depth.If you were a php newbie, and wish to know more php security related features or you want a short, handy cookbook which provides a quick reference, you should pick up this book.

Provides a good practical overview of common website attacks and how to handle them. Each type of attack is explained before showing the defence. By understanding how the attacks work you are less likely to implement the defences incorrectly. This book helped me understand the important security issues when developing websites in php, however much of the information is applicable in any web development language.

The book is only around 100 pages, but if you consider the title of the book then this is fine. You won't find information about securing a web server for example, but that is not what this book is for.

The only specific attack missing which I would like to have seen information about is email spamming through website forms. However the general principles described in the book will help prevent these attacks as well.

I highly recommend this book to any PHP developer who is looking for a concise guide on how to secure their websites.

I found this book very helpful. The language is easy to understand and the examples are clear and concise. The mantra 'filter input, escape output' is repeated throughout the book but is accompanied by examples of attacks and preventions. I found that repetition helpful. It is much easier to take the advice and apply it to my own needs than having a book with a finite list of applications and their possible holes.

As far as technical books go, I liked this one. It really does get right to the point, and doesn't waste any time. But I do want to warn potential buyers that the book doesn't contain anything new to those who've been around the block a couple times. I'd say this book would only be informative to novice PHP programmers.

I've been programming with PHP for a few years now, and even when I read a book aimed at novices I usually learn something, or I'm at least reminded of some issues that I hadn't thought about in a while. I can't say the same about this book. I read it front to back within an hour, and didn't learn anything new, nor will it provide any kind of reference for future projects.

Overall I was disappointed, but that isn't necessarily the author's fault. I was just expecting something more in-depth.

This long awaited work from who many refer to as the guru of PHP security is finally out.

I must say though, when it arrived in the mail, I was a bit surprised by the package. Rather than the typical book box you get, it was in a padded envelope and upon opening the package I saw that the book was a mere 109 pages (with appendices starting on page 87).

As I began to read the book, I started to realize some of the reasons for the small size. Chris stays completely on topic with PHP security and doesn't meander into subjects such as Linux server administration and security, which other (larger) texts do to quite a large extent. I acually went to another PHP security text I had recenty read, and if I took out the sysadmin sections, it left about the same amount of pages as Chris's book. Also Chris's approach to PHP security seems to be a very 'keep it simple one'. He doesn't get into elaborate security frameworks and application layers. He simply defines a PHP security issue, and provides a strait forward and simple solution for the problem. I agree with this approach since over engineering a solution, breeds complexity and complexity can easily mask, you guessed it, "security issues".

I would say what I liked most about this book is that he brought to light the security concerns when running on a shared host. I think this topic if very often neglected on the majority of PHP security articles and texts even though many of us use shared hosting due to how cheep it is. Chris devotes an entire chapter to the situation and clearly explains the vast security risks that come with shared hosting and gives examples of how to mitigate the risks.

I would actually recommend this book to just about any PHP programmer for the simple fact that it is a great catalog of PHP security risks to date and offers simple solutions to counter those risks. Since it is a quick read it is an excellent way to quickly see if you have your bases covered when it come to security of your PHP app. Some of the examples are a bit brief, but the fact that you have read Chris's book and been alerted to the security issue is the real value in the end. You can always go to http://phpsec.org/ or other sites for expanded examples.

"Knowing is half the battle"
GI Joe

This 120 page book could be condensed into one chapter. Most of the examples are just applying the same filter and escape your data to different function.
This book should be read by new programmers. If you have been programming for any decent amount of time, you should already know everything in here.

This is the first technical book that I have read that doesn't obscure the topic with trivial details or complicated sentence structures with phrasing that is hard to follow. The thing I like best about the book is that it introduces a technique in detail and uses it throughout the book. Because every chapter refers back to the original "filter input, escape output" theme coupled with defense in depth, it forces the user to concentrate on a single, simple method and apply it to many different situations.

The example code segments in the book illustrate specific points described in the copy very well. Keeping the code examples simple only strengthens its meaning since the reader is not forced to analyze the code. Additional comments in the examples may be helpful for inexperienced developers.

In addition providing insight on filtering input and escaping output, Chris also gives the reader insight to a very helpful way of dealing with the filtered/escaped data within the code. This method is illustrated in all the examples, and as the reader notices it used throught the book they can learn its usefulness by example.

You would think that with all of the books being published recently about PHP that everyone and his mother is writing PHP code. This may be true, but even if it is not, it is certain that many people and businesses are using PHP code, in concert with other applications like MySQL, to produce dynamic web sites. This is all well and good because PHP is a high-quality coding language especially well-suited to web applications. It is also open-source, meaning well-supported by a community of coders and developers and cost-free. The one problem is that, like all coding languages, poorly designed or written PHP applications can be security risks potentially allowing Internet miscreants to cause damage to web servers, hosts, and users. It appears to be the case that there are many, many instances of insecure PHP code in use, hence, the value in a targeted book on PHP security, like "Essential PHP Security", by Chris Shiflett.

The author is an internationally-known and accomplished expert on PHP security. He is the founder of the PHP Security Consortium, a group of volunteers who help educate the PHP community, and a well-known contributor to the PHP-general mail digest. The book is designed to provide security information and guidelines and explain the most common types of attacks and how to prevent or repel them.

"Essential PHP Security" is a slight volume of only 109 pages, including index. Shiflett wastes no time and immediately jumps into his topic, starting with his opinion on the use of the PHP concept of "register globals", a configuration setting which he recommends against using in favor of "superglobal arrays". He next turns to how to configure your web server setup to properly deal with error reporting, both for the developer's use and to prevent providing clues to any interloper trying to illegally access your site.

The balance of Chapter 1 itemizes general principles of Internet security: Defense in Depth - redundantly using more than one technique to secure your site; Least Privileges - writing code to minimize access to the least needed for any particular user's needs; Simple is Beautiful - the writing of clear, simple code, to make troubleshooting and auditing easier; and Minimize Exposure - taking steps to design and implement programs to eliminate or at least minimize display of sensitive data or code - don't even store credit card information unless absolutely necessary, he suggests.

Next, comes "Best Practices" - balancing risk vs. usability, keeping track of data, filtering of all input, escaping output, and in all cases, distinguishing between filtered and tainted data. These principles and practices are illustrated with short code snippets comparing insecure vs. more secure code.

The next seven chapters deal with specific elements of a website, the types of attacks that can occur with each, and tips and suggestions on how to deal with these attacks. These elements include vulnerabilities in forms and URLs, databases and SQL, sessions and cookies, PHP "include" files, files and commands, authentication and authorization, and shared hosting.

The author credibly describes by examples the types of attacks against forms and URLs - cross-site scripting, cross site request forgeries, spoofing of forms, and insecure Raw HTTP requests. Authentication attacks include dictionary attacks, password sniffing, replay attacks, and cookie stealing. For each, he briefly describes how the attacks work, shows examples of insecure code, and provides examples of secure code.

For each of the elements dealt with, the author follows the same model: describe briefly the types of attacks against each element, show conventionally-used insecure code, and show how to eliminate the insecure parts of the code. Most of the security defenses entail filtering data from outside sources, especially form input, email, and XML documents from other web applications. Other defense techniques include using SSL for encrypted data transmissions, strengthening identification methods, hard-coding file paths, and using token techniques in addition to PHP encryption functions. Interestingly, Schiflett believes it is impossible to achieve a high level of security in a shared hosting situation. He provides suggestions on what security measures will help the most.

What is most useful about this book is the aggregation in one place of descriptions of all of these security attacks, and vulnerabilities in PHP code, along with suggestions on dealing with them. The organization of the material is good, however. I believe the author falls short in his code examples. There appears to be a disconnect between the descriptive text (which is clear enough) and the examples, which are not, at least to me, a novice in PHP. I could not readily follow the detailed code segments, although I could understand in principle what was going on.

Some of the code segments were barely explained and some were inadequately explained. The concepts of the attacking techniques were understandable, but the detailed implementations were not. There are a small handful of illustrations, but I found them too simplistic and inadequate. To be fair, this may be a failure of the reviewer. More experienced PHP folks may not complain about the presentations. For them, this book gives them what they need to know about handling the security aspects of their applications, but my guess is that it is the less accomplished coders who need the most help (although those same people are probably writing the types of applications and sites least likely to be targeted by miscreants.)

There are three short appendices presenting suggestions on how to configure a PHP installation to minimize weaknesses, suggestions about avoiding certain powerful PHP functions, especially system commands, to minimize risk, and a short segment on cryptography features in PHP.

This book helped me identify and report a critical security vulnerability in a commercial third party PHP application we were planning to deploy in a business-critical fashion. For that alone, it was worth its weight in gold.

This books is the antidoe to the common misperception that PHP applications fall short on security. With sparkling clarity, Chris demystifies dozens of attacks and provides both solid theoretical and practical bases for coding securely in PHP. Throughout his work as a PHP security consultant, and culminating in this book, Chris has defined the lexicon for web security -- telling us precisely what it means to filter input, and precisely what it means to escape output -- as well as when, how and why. This is nothing short of a defining work on web application security as it applies specifically to PHP.

While this book does not cover using encoders (like the Zend Encoder or IonCube Encoder) to heighten security in a plain-text scripting language, every other topic you would expect to be covered is treated -- above all -- with accuracy, and all in just over a hundred pages. Where other authors might potificte to fill pages, Chris crafted this book to live up to its title -- it is indeed essential, distilled, and precise. Therefore there is little excuse from this point on to not have read it at least once, and thumb through it from time to time when developing or auditing a PHP application. I intend to make it required reading in my department, and recommend it highly to colleagues in other companies developing web applications in PHP.