I am currently building a site and all the books I have read on PHP so far are just on functionality and not much on security. Is there a book that deals specifically with making your code/site secure? I don't want to go public and the next day have all my code changed or my database erased by SQL injection.
thanks
The Open Web Application Security Project Top 10 is a good place to start.
And here's a good round up of secure coding practices.
Here's a good place to start: https://stackoverflow.com/questions/72394/what-should-a-developer-know-before-building-a-public-web-site
I find that Sitepoint has excellent articles as well. If you ever want a great article about a specific PHP topic, you can usually find one there. For SQL injection, how about http://www.sitepoint.com/article/1272
Actually, you probably won't have your database erased by sql injection because that requires query stacking. PHP's mysql_query() will only accept 1 query at a time. I suspect you read something about M$-SQL which is a very different beast. You would know this if you have tried to exploit a sql injection vulnerability.
It is absolutely impossible to fully understand secuirty until you have written an exploit. It is impossible to test any patch without attempting to exploit it. It is impossible to prove that anything is secure unless you have tried to break it. Thinking that you know what is secure is far more damaging than someone who knows they don't know.
So how do hackers exploit software? The first thing a hacker is going to do is test the target for vulnerabilities. Make sure you run testing tool like Acunetix's free xss tester or better yet a full test like Wapiti. Make sure your php configuration is locked down with PHPSecInfo. And of coarse familiarize yourself with the OWASP top 10.
精彩评论