php security books

In article <EC.6A.13260.CD47B864@pb1.pair.com>
ross@aztechost.com("Ross") wrote:



> http://amazon.co.uk/s/ref=nb_ss_w_h_...?initialSearch
¾*
> =1&url=search-alias%3Daps&field-keywords=php+security&Go.x=0&Go.y=0&Go
> =Go
¾**
> looking at the top 3 on the list here, personally I quite like the
> O'Reilly books. Can someone recommend one of these or any other that
> will give me a good solid understanding of PHP security?

Avoid the O'Reilly one as it is flawed. Go for The PHP|Architect one.
I haven't had a chance to read Chris Snyder's one yet but it has the
worst amazon rating of the 3.

***
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen. Blue Screen leads to downtime. Downtime leads to suffering...I sense much Windows in you...

In article <200707041544.30740.php@wastedtimes.net>
php@wastedtimes.net(Mark Kelly) wrote:

> Hi.
¾**
> On Wednesday 04 July 2007 13:01, Andrew Hutchings wrote:
¾**
>> Avoid the O'Reilly one as it is flawed.

> In what way?

Its written by Chris Shiflett, isn't that enough reason?


***
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen. Blue Screen leads to downtime. Downtime leads to suffering...I sense much Windows in you...

In article <468BBF64.4070709@gmail.com> stuttle@gmail.com (Stut)
wrote:

> Andrew Hutchings wrote:
> > In article <200707041544.30740.php@wastedtimes.net>
> > php@wastedtimes.net(Mark Kelly) wrote:
> >
> >> Hi.
> >>
> >> On Wednesday 04 July 2007 13:01, Andrew Hutchings
> wrote:>>
> >>> Avoid the O'Reilly one as it is flawed.
> >
> >> In what way?
> >
> > Its written by Chris Shiflett, isn't that enough reason?
¾**
> There's no need for that without justification. Please justify
> that comment.

Simply because he has written several articles about fixing holes in
PHP code which actually create new holes. And there examples of this
in the book as well.

***
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen. Blue Screen leads to downtime. Downtime leads to suffering...I sense much Windows in you...

In article
<7dd2dc0b0707041022k29aec05bxee83073a8e0d09cb@mail .gmail.com>quickshift
in@gmail.com ("Nathan Nobbe") wrote:

> ------=_Part_178329_18179255.1183569772294
> Content-Type: text/plain; charset=ISO-8859-1;
> format=flowedContent-Transfer-Encoding: 7bit
> Content-Disposition: inline
¾**
> this is getting good; i want to know why its *flawed* now too.
¾**
> no pressure :)
¾**

OK, well, for example page 3 of the book suggests making PHP output
errors into Apache's error_log. To do this on Linux it means PHP
would have to be run as root.

***
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen. Blue Screen leads to downtime. Downtime leads to suffering...I sense much Windows in you...

In article <468BE67E.5050504@iamjochem.com>
jochem@iamjochem.com(Jochem Maas) wrote:

> > OK, well, for example page 3 of the book suggests making
> PHP output > errors into Apache's error_log. To do this on Linux
> it means PHP> would have to be run as root.
¾**
> huh? funny thing is that on all the machines I work with Apache
> runs under it own user (apart from at start up when it briefly urns
> as root before switching), I run php as an Apache module (I'm
> assuming we're not talking about php cli given that we're mentioning
> Apache), this means php is running in the context of the apache
> user.... and btw is quite capable of logging to the Apache error_log

Exactly, the initial process runs as root, and this is the process
that does the logging, it would be another security issue to have your
logs set as apache's owner. PHP is run as apache's user (unless you
use something suPHP) so if you use PHP's error handler function (not
the thing that sends data to the error logs) to write to apache's logs
they would either have to be owned by apache or php would have to run
as root.
> running php as a CGI probably means you can't have php (which is
> probably running in the context of the site owners' user account)
> log to the general apache error_log but in such cases I would assume
> that the server configuration included error and access loggingon a
> per (v)host basis.

Indeed, I was talking more mod_php side of things, which judging by
the wording of the book is also the assumption made.
> seems like your spreading FUD - I doubt Chris Shiflett is perfect
> and I'm sure he's probably made a few security mistakes of his own
> but your current example is not one of themAFAICT.

You are entitled to your opinions, and I am entitled to mine. If you
believe I am spreading FUD, so be it. But that example _is_ a
security flaw.

***
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen. Blue Screen leads to downtime. Downtime leads to suffering...I sense much Windows in you...

In article
<1f0401c7be6a$2ff95a30$0301a8c0@tmesa.com>bedougla s@earthlink.net
("bruce") wrote:

> andrew...
¾**
> are you sure about this... i would have thought that if you have an
> apache user 'apache' and allow php to be run as/by 'apache' than this
> would providecomplete access to anything php needs to do as 'apache'.

Logging in apache is done (in standard configurations) by process
owned as root, and in most configurations the logs are owned as root
and are not readable by any other user.
> this should definitely work if you allow the 'group' for the apache
> err logfiles be accessed by this user...

If you do this then it is possible for a apache process using PHP to
read the error logs and an abused script could show a potential hacker
the layout to your site or other useful information.
> so.. i ask again.. are you sure about this..

Yep.

***
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen. Blue Screen leads to downtime. Downtime leads to suffering...I sense much Windows in you...

In article
<7dd2dc0b0707041206y2315101iadd8201d0367400e@mail. gmail.com>quickshifti
n@gmail.com ("Nathan Nobbe") wrote:

> ------@art_179411_9563272.1183575986791
> Content-Type: text/plain; charset‹O-8859-1;
> format\owedContent-Transfer-Encoding: quoted-printable
> Content-Disposition: inline
¾**
> the root user issue aside, i still dedicate a separate file in
> /var/logfor my php apps.

If is a separate file then that is cool, in fact being in /var/log you
could even have it rotate with log_rotate (well you could do that
anywhere really, but for completeness...).

***
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen. Blue Screen leads to downtime. Downtime leads to suffering...I sense much Windows in you...

In article <1625128781.20070704192633@corephp.co.uk>
rich@corephp.co.uk(Richard Davey) wrote:

> Hi Andrew,
¾**
> Wednesday, July 4, 2007, 4:23:38 PM, you wrote:
¾**
>>>> Avoid the O'Reilly one as it is flawed.

>>> In what way?

>> Its written by Chris Shiflett, isn't that enough reason?

> No, not really. The errata are clearly published online, and while
> you could argue that some of them shouldn't have existed in the text
> in the first place, security is such a moveable feast that whatever
> is written today will almost surely have changed within a very short
> periodof time, regardless of the author.

Sure, and I'm not debating the rate that security moves, or that there
are newer techniques for some of the stuff. I haven't read the errata
to be honest, do people ever read those? (open question)
> If just one person takes something useful away from his book, that
> makes them think "damn yes, I DO allow that in my scripts!", then it
> was a worthwhile purchase. He (along with a number of others) have
> done a wonderful job of raising the PROFILE of security (or lack
> thereof) in PHP applications and the PHP world in general. Before the
> likes of him and Steffan started blogging and writing about all the
> issues out there it was a piss-poorly covered area that
> mostdevelopers (*especially* new ones) ignored or were not even aware
> of.
¾**
> Even if some of the techniques in the book are now flawed, the
> profile and awareness he has generated did nothing to harm the PHP
> community,and does not warrant your shit slinging.

I have no doubt he is a great bloke and a great public speaker / PR
for PHP application level security, I apologise if it sounded like
FUDing (why does that sound dirty?). I just don't like / agree with
his book or some of the security articles he wrote (again, I haven't
read them in quite a while). I think Ilia's book is a lot better.
I also agree that awareness is no bad thing, but people should also be
aware he is not the be all and end all of PHP application level
security, and he has made mistakes (as have I and probably everyone
else here at some point).
If Chris were to re-write into a second edition, then who knows, I may
like it.

***
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen. Blue Screen leads to downtime. Downtime leads to suffering...I sense much Windows in you...

In article <1083608854.20070704223909@corephp.co.uk>
rich@corephp.co.uk(Richard Davey) wrote:


> I actually agree with you about Ilia's book, it is the best of the
> three available (the Pro PHP Security one is certainly the worst),
> although there are areas where even Ilia basically shrugs his
> shoulders in the text and says "you can never have it 100%" and
> sortof gives up on you :)
¾**
> All three books are now well behind the times though imho.
¾**

Indeed, in fact I think Ilia's slides for this years PHPtek make a
great kind companion to the book. It would be great if he merged the
slides and book into a second edition.
Although in his slides he mentions that mysql_real_escape_string can
be attacked with multibyte characters, but it looks like that hasn't
been the case for a while. Not that I am really complaining about
that, I prefer prepared statements and would use them all the time if
it wasn't for the fact that those queries aren't cached until recent
versions of MySQL*5.1
Anyway, I'm rambling now ;)

***
Andrew Hutchings - LinuxJedi - http://www.linuxjedi.co.uk/
Windows is the path to the darkside...Windows leads to Blue Screen. Blue Screen leads to downtime. Downtime leads to suffering...I sense much Windows in you...

http://amazon.co.uk/s/ref=nb_ss_w_h_...0&Go.y=0&Go=Go


looking at the top 3 on the list here, personally I quite like the O'Reilly
books. Can someone recommend one of these or any other that will give me a
good solid understanding of PHP security?


Thanks,


Ross