Mike sent me this book review of Pro PHP Security.
His joke: “528 pages? Didn’t these guys read your blog?”
I haven’t read the book, but it’s no surprise that it runs to 528 pages; it is WROX, after all. 😀
If you are interested in a simple book on PHP security, I recommend Essential PHP Security instead. It shows that there is not much to PHP security and clocks in at a svelte 109 pages.
FWIW, I read this book because I received a free copy from the publisher a while back (perhaps contributing to my bias).
Speaking of compensating for something…
After reading the commentary on the review, I see nothing has changed. Ever notice how there can’t be an article on PHP on Slashdot without all these know-it-all ASP.NET, Java, Python, Perl, and Ruby web developers coming out of the woodwork to piss on PHP?
Perhaps that’s why PHP is the best language for web development: we’re the only advocates that actively express the limitations of our preferred language.
Not that all ASP.NET, Java, Python, Perl, and Ruby web developers are like that. The good ones are probably creating wonderful web applications instead of taking time off to espouse their pet theory as to why PHP enjoys over 50% market share and their language doesn’t.
528 pages?!
Personally, I think that the php|architect’s Guide to PHP Security (Print + PDF Edition) by Ilia Alshanetsky is worth a read. It’s only 197 pages too. (http://www.phparch.com/shop_product.php?itemid=98)
Regards,
Rob…
Hey, as a matter of fact we _do_ read your blog, or at least I do. I even go back and read entries I missed while on vacation, like this one. 🙂
True, the book is long, but we take a system-up approach to security, which means that we don’t even get to PHP coding practice until the second section. There are plenty of resources that explain how to avoid SQL injection, but very few that describe (from a PHP point of view) how to responsibly encrypt and verify the data you’re storing. That’s the kind of thing we tried to do.
It’s a tough angle, because we really need every coder to understand the essentials, without getting bogged down by the big picture. But it’s blind luck if you can develop a truly secure application without understanding all the moving parts outside of PHP.
“We don’t even get to PHP coding practice until the second section.”
I bought this book, and I was very disappointed by this. Very. The book is supposedly about PHP security, so why must I wait until the second section to get to it? It feels like buying a book on PHP and having the first few hundred pages describing text editors and such. I’m not even making this up; these books exist.
Worse, there are only 4 relevant chapters in the entire book. It’s too heavy to tote around, yet somehow manages to have fewer than 100 pages of relevant content.
“There are plenty of resources that explain how to avoid SQL injection, but very few that describe…”
Do you honestly believe there are plenty of papers on web application security and too few on other security topics? Even if you do, don’t you at least think your book’s title and description should remove the word PHP?
“But it’s blind luck if you can develop a truly secure application without understanding all the moving parts outside of PHP.”
I can see that being true for a hobbyist PHP programmer whose responsibilities are broad, but in a professional environment, PHP programmers are responsible for making their code secure, not the server, network, etc. We have other people who take care of that stuff, and they’re reading other books…
(I resisted posting this on Amazon, because I don’t want to talk bad about someone’s book, but it would be nice if more authors would show their readers a bit more respect and not waste our time.)