Posted by Pete on 11/03/05 17:03
rjames.clarke@gmail.com wrote:
> Security is the last thing I need to get a handle on BEFORE I start.
>
> I have not started yet, and I won't until I am confident the app is
> reasonably secure and that I have tried and true methods to recover
> after I am hacked.
Ahh, then I apologize. I was under the impression that you had already
written a mission critical app and then wanted to tack on security. Sorry
for the misunderstanding!
I'm sure you can see why I was horrified. ;*)
> Without getting into specifics, there is not much validation of
> user input I can do besides stripping out special characters. I won't
> be saving zip codes or phone numbers or email addresses or data that is
> highly characterisable.
>
> The books I have seen on the subject appear lacking. Any suggestions
> on books?
Everything I know about PHP security and defensive programming I brought with
me from other languages, lurking in this newsgroup, spending a lot of time
reading other peoples' code. I find poring through well written code,
especially when the programmer is gracious enough to reply to email, is the
best teacher. I'm self taught, unfortunately.
However, there seem to be a few books specifically on PHP security:
http://www.nerdbooks.com/search.php?search=global%5Bphp%20and%20secur%5D&display=%5Bphp%20security%5D
It's hard to go wrong with ORA, but they've been slipping in quality lately.
I think all that Microsoft technology is rotting their brain. Nevertheless,
the book is published 2005 which is encouraging.
I've thumbed through the "best practices" chapter in the Wiley book. Seems
like a lot of obvious suggestions (like making a big deal about things like
"naming variables correctly".) The little bit I read was well written, but
the book was published 2003.
Good luck with your app. I find that input validation requires a lot of
thought. Some people are fast at it. Being excellent at composing regexes
will certainly help!
Pete
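As an added illustration of the allow-list style of input validation the thread touches on (this is editor-supplied example code, not anything posted in the thread), here is a small PHP validator that describes each accepted field with a regex and rejects anything that does not match, rather than silently stripping characters out. The field names, the rules and the sample inputs are all constructed for the example.

```php
<?php
// Added example, not from the original thread: allow-list validation.
// Each hypothetical field gets a regex describing exactly what is acceptable;
// anything else is rejected instead of being "cleaned" by character stripping.

// \z (not $) anchors at the true end of the string, so a trailing newline
// cannot sneak past the pattern. The /u flag makes \p{..} classes Unicode-aware.
$rules = [
    'username' => '/^[A-Za-z0-9_]{3,20}\z/',
    'title'    => '/^[\p{L}\p{N} .,!?\'-]{1,100}\z/u',
    'body'     => '/^[\p{L}\p{N}\p{P}\p{Zs}\r\n]{1,5000}\z/u',
];

/**
 * Validate $input against $rules.
 * Returns an array of field => reason for every field that failed;
 * an empty array means every field was present and matched its rule.
 */
function validate(array $input, array $rules): array
{
    $errors = [];
    foreach ($rules as $field => $pattern) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        if (preg_match($pattern, $input[$field]) !== 1) {
            $errors[$field] = 'rejected';
        }
    }
    return $errors;
}

/**
 * The "strip special characters" approach for comparison: it never fails,
 * it just silently changes what the user sent, which is why it is hard to
 * reason about and is not a substitute for the allow-list above.
 */
function stripSpecial(string $value): string
{
    return preg_replace('/[^A-Za-z0-9 ]/', '', $value);
}

// Constructed sample requests.
$good = [
    'username' => 'pete_05',
    'title'    => 'Hello, world!',
    'body'     => "First post.\nSecond line.",
];
$bad = [
    'username' => "pete<script>\n",
    'title'    => str_repeat('x', 101),
    'body'     => '',
];

// Validation reports exactly which fields were wrong and why.
var_dump(validate($good, $rules)); // no errors
var_dump(validate($bad, $rules));  // username, title and body all rejected

// Stripping instead would have quietly accepted a mangled username.
var_dump(stripSpecial($bad['username'])); // "petescript"
```

Whatever passes validation still has to be escaped for wherever it ends up (for example `htmlspecialchars()` when it is echoed into HTML, or a prepared statement when it goes into a query); validation decides what is acceptable data, escaping keeps that data from being interpreted as code in its output context.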