Foreword
Security is the freedom from risk or danger.
The need for safety is fundamental to human nature and applies to most of our lives, including our time at home and at work. An unfortunate side effect of rapidly growing Internet use is that the safety of both our personal and professional lives is at risk. Internet usage includes individuals posting personal information to online stores, businesses doing millions of dollars in transactions over the Web, and networks of web services enabling business-to-business transactions.
The more the world becomes connected, the more security is an issue. There is no doubt that the most critical pieces in the Internet security puzzle are the actual web servers themselves, which interact directly with the masses of Internet users, exchange data, perform financial transactions, and more. For PHP, the most popular web development language, security is crucial. Recently, there have been numerous security alerts around PHP. But, in fact, the majority of them are not a result of flaws in PHP itself, but are due to improper and insecure uses of PHP by application developers. Unlike in the Java or .NET space, the PHP community releases dozens of PHP applications to the open source community. Such applications include content management systems, e-commerce systems, and forums, to name a few. Unfortunately for PHP, many projects actually use the word "PHP" in their name. This causes security bugs in those applications to be confused mistakenly with the PHP technology itself, hurting the perception of PHP in the marketplace.
As mentioned, most of these security problems are on the application level and are a result of developers writing insecure PHP code. Making sure that all PHP developers are up-to-speed with security practices is a hard task. Until now, there has been a lack of materials and no simple rules for dos and don'ts, which has resulted in many insecure PHP applications being built. Chris Shiflett, the author of this book, has dedicated his career to improving PHP application-level security. He contributes many hours consulting with companies and writing articles. Just recently, he formed the PHP Security Consortiuma group of volunteers who help to educate the PHP community about how to write secure code.
With Essential PHP Security, Chris brings long-needed security guidelines to PHP developers everywhere. I am confident that the content in this book will be an asset to your development teams, and it should be an integral part of the knowledge any PHP development team has. Most of the topics in this book apply not only to PHP, but also to all other web development languages that face similar security threats. Whether you use PHP or a different technology, the subjects covered in this book will be relevant to you, although the specific solutions for the problems might differ slightly in some cases.
Happy and Secure PHPing.
Cupertino, California July 5, 2005 Andi Gutmans
|
