Chris Shiflett's latest book, Essential PHP Security, should be required reading for all PHP professionals. It is the necessary antidote to the common misperception that PHP applications fall short on security. With sparkling clarity, Chris demystifies dozens of attacks and provides both solid theoretical and practical bases for coding securely in PHP. Throughout his work as a PHP security consultant, and culminating in this book, Chris has defined the lexicon for web security–telling us precisely what it means to filter input, and precisely what it means to escape output–as well as when, how and why. This is nothing short of a seminal work on web application security as it applies specifically to PHP. I intend to make it required reading in my department, and recommend it highly to colleagues in other companies developing web applications in PHP.
While this book does not cover using encoders (like the Zend Encoder or IonCube Encoder) to heighten security in a plain-text scripting language, every other topic you would expect to be covered is treated–above all–with accuracy, and all in just over a hundred pages. Where other authors might pontificate to fill pages, Chris crafted this book to live up to its title–it is indeed essential, distilled, and precise. Therefore there is little excuse, from this point on, not to have read it at least once, and to thumb through it from time to time when developing or auditing a PHP application.