Essential PHP Security
By Chris Shiflett
O'Reilly
Review by Roger Walker

        I am not a PHP programmer, but I figured the book would be useful
for me as an administrator, for security reasons. After having a server
hacked due to a client running an unvetted downloaded PHP script, I've
been a bit paranoid about giving anyone else PHP access. However, after
finding various PHP security information over the Internet, I've loosened
such capability slightly on an "as required" basis. This book, however,
has shown me that there are still a few areas that I need to pay attention
to.

        The book is relatively short (about 100 pages) but very concise.
The author starts with a quick review of PHP features, and security
principles and practices as they apply to PHP. The chapters are organized
around various categories of PHP that need attention, such as Forms/URLs,
Databases, Sessions/Cookies, the php.ini file, and many more. One thing I
would suggest has been omitted, but maybe shouldn't have been, is how to
set up php.ini configurations in webserver configurations (i.e. vhost
files), to localize them.

        The book is undoubtedly intended for PHP programmers. At this
time, I have no intentions of taking up the sport. However, as a site
administrator, I find the book very useful for the security of the site as
a whole, and it allows me to constrain those who might endanger the site, and
otherwise to vet clients' code. Though the book contains more information
than I had found before, since I'm not very familiar with PHP, I can't
judge how complete the information is. Recommended.
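As an added illustration (not from the book or from the reviewer), this is the kind of per-vhost localization of php.ini settings the review says the book leaves out: an Apache virtual host running mod_php, with the PHP directives an administrator would pin for one client so that the client's own scripts and .htaccess files cannot loosen them. The hostname, paths and log location are assumptions.

```apache
# Added example, not from the book or the review. Hostname and paths are
# assumptions; adjust to the client's actual document root.
<VirtualHost *:80>
    ServerName client1.example.com
    DocumentRoot /var/www/client1/htdocs

    # php_admin_value / php_admin_flag set a directive that cannot be
    # overridden later by ini_set() in a script or by a .htaccess file,
    # so they act as a hard boundary for this vhost only.

    # Confine file access to the client's tree (and a scratch area).
    php_admin_value open_basedir "/var/www/client1:/var/www/client1/tmp"
    php_admin_value upload_tmp_dir "/var/www/client1/tmp"

    # Block remote file inclusion and remote stream access.
    php_admin_flag allow_url_fopen Off
    php_admin_flag allow_url_include Off

    # Never show errors to visitors; log them per client instead.
    php_admin_flag display_errors Off
    php_admin_flag log_errors On
    php_admin_value error_log "/var/log/apache2/client1-php.log"

    # Keep the session cookie out of reach of client-side script.
    php_admin_flag session.cookie_httponly On
</VirtualHost>
```

Two caveats for a reader applying this: the php_admin_* directives only exist when PHP runs as an Apache module (mod_php); with PHP-FPM the equivalent per-client settings go in that client's FPM pool configuration instead. Also, a few directives (disable_functions, for example) are php.ini-only and cannot be localized in the vhost at all, which is exactly the gap the reviewer would want a book to spell out.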