Security is an ongoing process not something to add right before your application launches. In this book, you'll learn how to write secure PHP applications from first principles. You'll be able to identify the threats exposed by legacy applications and avoid following the same broken patterns while engineering your tools. This book will give you the background to avoid the risk most commonly encountered in web application development.

This book is for anyone getting their start in web development. It's for anyone who wants to understand better the common risks that plague newer applications. It's for seasoned developers who want a refresher on the common pitfalls and mistakes that may affect their code. It should be a resource you can turn to when building or maintaining your web application to ensure you're practicing a security-first mindset.

This book is divided primarily into two sections. The first covers the ten application security risks presented by the OWASP Top Ten (as of 2017). Each chapter in this section will detail:

The nature of the vulnerability to be avoided.
Example code illustrating how the vulnerability might appear in practice.
A detailed illustration of how to properly patch the vulnerability.
Notable examples where this vulnerability has impacted business in the wild.

Why wait until your site is attacked or your data is breached?

Prevent your exposure by being aware of the ways a malicious user might hijack your web site or API.

Security Principles for PHP Applications is a comprehensive guide to cultivating a security-first mindset. This book contains examples of vulnerable code side-by-side with solutions to harden it. Organized around the 2017 OWASP Top Ten list, topics covered include:

Injection Attacks such as SQL, OS, and LDAP caused by using untrusted data.
Authentication and Session Management to prevent compromising user passwords, kets, and session tokens.
Sensitive Data Exposure—adequately protecting data such as credit card numbers, tax IDs, and authentication credentials
Access Control and Password Handling to properly enforce what authenticated users are allowed to do.
PHP Security Settings to harden the server, framework, and libraries used to build your software.
Avoiding Cross-Site Scripting flaws by properly validating input and escaping output strings.
Adequately Logging and Monitoring to identify threats in real-time.
API Protection by detecting, preventing, and responding to manual and automated attacks
Preventing Cross-Site Request Forgery which can trick application users into sending forged HTTP requests.
Using components with known vulnerabilities
Insecure deserialization which can allow attackers to run arbitrary code
XML External Entities—guarding against injection attacks when parsing XML input.
Guarding against unvalidated redirects and forwards.
Using peer code reviews to identify security issues before they are deployed to production.