I just got back from China to find out that Pro PHP Security, which I co-authored with Mike Southwell, was reviewed on Slashdot.
"Pro PHP Security is arguably the most comprehensive PHP security book available, and is highly recommended to any developer or administrator of a PHP-based Web site."

Wow, that's exactly what we set out to do. Yay!
And, inspired by the "Anonymous Coward" who tried to paint me as a fraud for recommending addslashes(), here's some free advice about escaping values in MySQL+PHP applications, from a recent post I made to the NYPHP Talk mailing list:
The complexity of the solution depends on what, exactly, you need to accomplish. Assuming you are working on a PHP+MySQL application, the simplest possible approach is just to use mysql_real_escape_string() on all values that are inserted into the database, and htmlentities() on all values that come out of the database for display on a web page.
This is all that "security" really demands.
You may also wish to avoid any error messages that might occur when your application tries to insert a string into an integer field. The is_numeric() function is great for this. I advise against using the ctype functions, as they are somewhat counterintuitive when it comes to checking empty values.
It's also a good idea to check the length of strings before inserting them into varchar fields, using the strlen() function. MySQL won't throw an error if you insert a string that's too long; you'll only find out later that the string was truncated and the data lost.
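As an added worked example (not code from the original post or from the book), here is the discipline above applied to one record: numeric check for the integer column, length check for the varchar column, escaping on the way into MySQL, and entity encoding on the way back out to HTML. It uses mysqli_real_escape_string(), the mysqli counterpart of the mysql_real_escape_string() named above (the old mysql_ functions were removed in PHP 7); the users table, its column width of 40, the sample input and the connection parameters are all assumptions.

```php
<?php
// Added example, not from the original post. Assumed schema:
//   users(id INT, name VARCHAR(40))
// $db is an open mysqli connection whose charset has been set with
// mysqli_set_charset(), which the escape function relies on.

function prepare_user_row(mysqli $db, array $input): ?array
{
    // Integer column: refuse non-numeric input up front instead of letting
    // the INSERT fail (or MySQL silently coerce the value) later.
    if (!isset($input['id']) || !is_numeric($input['id'])) {
        return null;
    }
    $name = (string)($input['name'] ?? '');
    // VARCHAR(40): MySQL may truncate silently, so check the length first.
    if (strlen($name) > 40) {
        return null;
    }
    return [
        'id'   => (int)$input['id'],
        // Escape quotes, backslashes and NUL bytes so the value cannot
        // terminate the quoted literal in the SQL statement.
        'name' => mysqli_real_escape_string($db, $name),
    ];
}

function build_insert(array $row): string
{
    // %d keeps the integer an integer; the string is already escaped.
    return sprintf("INSERT INTO users (id, name) VALUES (%d, '%s')",
                   $row['id'], $row['name']);
}

// Output side: encode before echoing so stored text cannot inject markup.
function display_name(string $name): string
{
    return htmlentities($name, ENT_QUOTES, 'UTF-8');
}

// Constructed sample run; replace the placeholder connection parameters.
$db = mysqli_connect('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
mysqli_set_charset($db, 'utf8mb4');
$row = prepare_user_row($db, ['id' => '42', 'name' => "O'Brien <b>"]);
if ($row !== null) {
    mysqli_query($db, build_insert($row));
    echo display_name("O'Brien <b>"), "\n";   // O&#039;Brien &lt;b&gt;
}
```

A null return from prepare_user_row() is the signal to reject the request and report a validation error rather than attempt the INSERT.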
Maybe the AC had me confused with a different Chris Snyder?
By Chris Snyder on July 27, 2006 at 6:58pm