[nycphp-talk] PHP Security: The Proper Choice Is to Do It Now

Vugranam Sreedhar vugranam at
Sat Feb 11 12:43:23 EST 2006

BTW, are there any code analysis or static analysis tools for automatically
detecting security problems that you describe in your book?
Zend IDE seems to do some shallow code analysis (at least that is the
impression I get when I read their IDE product description...)

With regards,



Research Staff Member
TJ Watson Research Center
T/L 863-7325
Ext: 914-784-7325

Chris Shiflett <shiflett at >
Sent by: talk-bounces at list
02/11/2006 11:49
Please respond to NYPHP Talk <talk at lists.nyphp

To: NYPHP Talk <talk at>
cc:
Subject: Re: [nycphp-talk] PHP Security: The Proper Choice Is to Do It Now

Hi Peter,

> The content of Chris Shiflett's Essential PHP Security from
> O'Reilly is poised right now to be put online as a Wiki.

Can you elaborate? There are no plans to do this, although I've
considered enhancing the PHP Security Guide to be a condensed version of
the book. This would require some negotiation with O'Reilly. :-)

There are a few free resources available online, including two free
chapters and most of the code:

> It should accept about 90 days of moderated updates and then be
> openly promoted as the accepted, standardized "Using PHP
> Securely" guide for all PHP programmers.

Web application security is a young and evolving discipline, so any
useful documentation should evolve as well.

> All PHP tutorials online that are old with insecure practices
> should have a simple one line link right under the tutorial
> title: "This tutorial may contain insecure techniques. See:
> [standardized, industry-supported secure PHP programming article]
> here before you begin."

I know what you mean. Ideally, online resources that teach bad practices
would be corrected, but the sheer magnitude of this problem makes any
progress difficult.

> Additionally, I have promoted in this venue before that the
> default php.ini from should be a hardened .ini with shell
> and fopen functions disabled by default.

I definitely agree that allow_url_fopen should be disabled by default,
at least in php.ini-recommended.

> PHP security needs to be further demystified.

Agreed. Given the right background, it's a pretty simple topic.

> Chris's guide is quite sufficient to help engender a positive
> change in the nature of how we all program PHP.

I sure hope so. :-)


Chris Shiflett
Brain Bulb, The PHP Consultancy
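The hardening the thread argues for, as an added illustration (not from either poster, the book, or any php.ini shipped with PHP): two php.ini fragments, the permissive settings beside the hardened ones. allow_url_fopen = Off stops fopen()/file_get_contents() (and, in the PHP of that time, include/require) from opening http:// and ftp:// URLs; disable_functions removes shell-out functions and can only be set in php.ini, not at runtime via ini_set(). The particular list of disabled functions is this example's choice, not something the posts specify, and in a real php.ini only one of the two fragments would appear, since the last value of a directive wins.

```ini
; --- Fragment 1: the permissive defaults the thread objects to ---
; Remote URLs can be opened like local files, and every shell-out
; function is callable from any script on the server.
allow_url_fopen = On
disable_functions =

; --- Fragment 2: hardened settings along the lines the thread proposes ---
; Local files only: http:// and ftp:// URLs are refused by fopen(),
; file_get_contents() and (in the PHP of that era) include/require.
allow_url_fopen = Off

; Remove the shell-out functions entirely. This list is the example's own
; choice (an assumption), not a list given in the original posts; trim or
; extend it to match what the application actually needs.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen
```

A quick check after restarting the web server is `php -i | grep -E 'allow_url_fopen|disable_functions'`, which reports the values the running interpreter actually loaded.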