Essential PHP Security
Description
The PHP scripting language works beautifully with other open source tools, such as the MySQL database and Apache web server software, to build interactive web applications. But security is still an issue that developers need to address, given the frequency of attacks on web sites. Essential PHP Security explains the types of attacks that hackers use on web sites and how to correctly configure Apache and PHP to guard against them. The author of Essential PHP Security, Chris Shiflett, is an internationally recognized expert in the field of PHP security and this book shows developers how to guard against attacks by writing secure PHP code.
Table of Contents
  1. Chapter 1 Introduction
    1. PHP Features
    2. Principles
    3. Practices
  2. Chapter 2 Forms and URLs
    1. Forms and Data
    2. Semantic URL Attacks
    3. File Upload Attacks
    4. Cross-Site Scripting
    5. Cross-Site Request Forgeries
    6. Spoofed Form Submissions
    7. Spoofed HTTP Requests
  3. Chapter 3 Databases and SQL
    1. Exposed Access Credentials
    2. SQL Injection
    3. Exposed Data
  4. Chapter 4 Sessions and Cookies
    1. Cookie Theft
    2. Exposed Session Data
    3. Session Fixation
    4. Session Hijacking
  5. Chapter 5 Includes
    1. Exposed Source Code
    2. Backdoor URLs
    3. Filename Manipulation
    4. Code Injection
  6. Chapter 6 Files and Commands
    1. Traversing the Filesystem
    2. Remote File Risks
    3. Command Injection
  7. Chapter 7 Authentication and Authorization
    1. Brute Force Attacks
    2. Password Sniffing
    3. Replay Attacks
    4. Persistent Logins
  8. Chapter 8 Shared Hosting
    1. Exposed Source Code
    2. Exposed Session Data
    3. Session Injection
    4. Filesystem Browsing
    5. Safe Mode
  Appendix A Configuration Directives
    1. allow_url_fopen
    2. disable_functions
    3. display_errors
    4. enable_dl
    5. error_reporting
    6. file_uploads
    7. log_errors
    8. magic_quotes_gpc
    9. memory_limit
    10. open_basedir
    11. register_globals
    12. safe_mode
  Appendix B Functions
    1. eval()
    2. exec()
    3. file()
    4. file_get_contents()
    5. fopen()
    6. include
    7. passthru()
    8. phpinfo()
    9. popen()
    10. preg_replace()
    11. proc_open()
    12. readfile()
    13. require
    14. shell_exec()
    15. system()
  Appendix C Cryptography
    1. Storing Passwords
    2. Using mcrypt
    3. Storing Credit Card Numbers
    4. Encrypting Session Data
  About the Author
  Colophon
Product Details
Title: Essential PHP Security
By: Chris Shiflett
Publisher: O'Reilly Media
Formats:
  • Print
  • Ebook
  • Safari Books Online
Print Release: October 2005
Ebook Release: February 2009
Pages: 128
Print ISBN: 978-0-596-00656-3 (ISBN 10: 0-596-00656-X)
Ebook ISBN: 978-0-596-10461-0 (ISBN 10: 0-596-10461-8)
About the Author
Chris Shiflett

Chris Shiflett, an internationally recognized expert in the field of PHP security, is the founder and President of Brain Bulb, a PHP consultancy. Chris has been developing web applications with PHP for several years and regularly speaks at OSCON, ApacheCon, and PHP users conferences in North America. He is the author of the HTTP Developer's Handbook (Sams) and writes frequently about web application security. As an open source advocate, he maintains several open source projects and is a member of the PHP development team.

About the Author

Chris Shiflett is an internationally recognized expert in the field of PHP security and the founder and president of Brain Bulb, a PHP consultancy that offers a variety of services to clients around the world. Chris is a leader in the PHP community. He is the founder of the PHP Security Consortium, the founder of PHPCommunity.org, a member of the Zend PHP Advisory Board, and an author of the Zend PHP Certification. A prolific writer, Chris has regular columns in both PHP Magazine and php|architect and is the author of HTTP Developer's Handbook (Sams).

Colophon

Our look is the result of reader comments, our own experimentation, and feedback from distribution channels. Distinctive covers complement our distinctive approach to technical topics, breathing personality and life into potentially dry subjects.

The animal on the cover of Essential PHP Security is a monitor lizard (Varanus). It is a reptile found in the tropical and arid settings of Africa, Australia, Southern Asia, and the Malay Archipelago. There are approximately 50 species of monitor lizards, which are believed to have evolved from a common ancestor 45 million years ago. Depending on the species, monitors vary in coloring, markings, size, and weight. The largest monitor lizard is the Komodo dragon, which can weigh as much as 364 pounds and be up to 9 feet long. The smallest, the short-tailed monitor, is only around 3 inches long. Monitors are characterized by a flat head with a bony skull, which protects their brains from damage when they swallow their prey whole. Other characteristics include long, sharp claws and knife-like teeth that are curved inward.

Their diet consists of such fare as snails, beetles, grasshoppers, scorpions, crabs, fish, crocodile and bird eggs, and small rodents. Larger monitors will dine on carrion.

The monitor lizard holds its head up, giving it the appearance of being alert. When threatened, it intimidates its predators by inflating its throat and hissing loudly, while contracting its rib cage to make its body appear larger. Typically, a monitor's first reaction is to flee from danger, but it can become an aggressive opponent if cornered. Its strong jaws enable it to inflict serious wounds to enemies and prey alike. A monitor will also rear back on its hind legs and use its tail to deliver a stinging blow when attacking. Unlike some of its reptile cousins, a monitor cannot regenerate a new tail if it loses the one it was born with.

During breeding, males will become aggressive and fight for females. The female monitor typically lays 7 to 35 leathery eggs and, depending on the species, will make a nest in holes on riverbanks or in trees. Monitors that lay eggs on land cover their eggs with rotting vegetation to keep them warm. Eggs incubate for 8 to 10 weeks; the young cut their way out of the shells using a sharp egg tooth.

To date, it is legal to own monitor lizards as pets in the United States without a permit. However, the American Federation of Herpetoculturists (AFH) provides guidelines for potential owners that include keeping the lizards in escape-proof cages with good ventilation and handling larger species only when in the presence of another person. When handled from a young age by humans, monitors can become quite tame and adapt well to captivity. Potential owners should not be squeamish about feeding them a steady diet of live rodents.

Marlowe Shaeffer was the production editor for Essential PHP Security, and Norma Emory was the copyeditor. Jansen Fernald proofread the book. Jamie Peppard and Claire Cloutier provided quality control. Angela Howard wrote the index.

Karen Montgomery designed the cover of this book, based on a series design by Edie Freedman. The cover image is a 19th-century engraving from the Dover Pictorial Archive. Karen Montgomery produced the cover layout with Adobe InDesign CS using Adobe's ITC Garamond font.

David Futato designed the interior layout. This book was converted by Andrew Savikas to FrameMaker 5.5.6 with a format conversion tool created by Erik Ray, Jason McIntosh, Neil Walls, and Mike Sierra that uses Perl and XML technologies. The text font is Linotype Birka; the heading font is Adobe Myriad Condensed; and the code font is LucasFont's TheSans Mono Condensed. The illustrations that appear in the book were produced by Robert Romano, Jessamyn Read, and Lesley Borash using Macromedia FreeHand MX and Adobe Photoshop CS. The tip and warning icons were drawn by Christopher Bing. This colophon was written by Jansen Fernald.

The production editors for Book Title, eMatter Edition were Ellie Cutler and Jeff Liggett. Linda Walsh was the product manager. Kathleen Wilson provided design support. Lenny Muellner, Mike Sierra, Erik Ray, and Benn Salter provided technical support. This eMatter Edition was produced with FrameMaker 5.5.6.