I wanted so much to love this book

I really wanted to write a glowing review of Mr. Shiflett's book, Essential PHP Security, but I can't help but dissapointed by the weaknesses.

The author's blog (http://shiflett.org/) and PHP security website (http://phpsec.org/) are good sources of information on PHP security and web creation in general. With the wisdom hinted at via his websites, I looked forward to more in depth insights and specifics in his book. Unfortunately for Mr. Shiflett, writing a book is not like writing 'bites' for a blog or marketing yourself as experienced and knowledgable. This book reads like an anthology of blog articles and seminar presentations and that weakness kills what should otherwise really be an essential text.

As another helpful reviewer pointed out, this book is a not appropriate for new PHP programmers. That reviewer also noted that it is precisely new initiates to PHP that need these lessons the most. The protective measures suggested in the book are presented superficially. The author highlights the vulnerability, but then only hints at a protective measure by providing a code snip-it which totally lacks context. Most novice readers expect examples of how to apply and integrate the suggested technique effectively and efficiently within the basics they already know.

Mr. Shiflett writes in his acknowledgements, "Written during one of the busiest years of my life ... [the people at O'reilly] have gone out of their way to make the entire process fit around my writing style and busy schedule."

Smoking gun?

For a full price book, the author had room, but perhaps not the desire to provide more substance. Concise does not have to be superficial. The book's main content is 85 pages -- followed by three appendices between pages 87 and 103. The index runs between pages 105 and 109. Substantive implementation details are missing and should have been included.

For example, in chapter 1 and later in chapter 2, the author recommends filtering input by identifying input, filtering the input, and distinguishing between filtered and unfiltered (tainted) data. This recommendation is explicitly explained twice in the book and repeated throughout. If you expect any examples demonstrating this in practical use, there are none. If you expect a class that exemplifies a way you might integrate this technique with your exsisting code, there is none. In other words, if you want to learn even remotely by example, you may be disappointed by this book.

As a last note, Appendix C talks briefly about cryptography in PHP. Based on this book, cryptography does not appear to be one of the author's strong areas of knowledge. For new PHP programmers who also work with SQL, Mr. Shiflett gives you just enough information to frustrate you (at best -- or hang yourself at worst). The author lists a number of other books and websites about cryptography on the first page of the Appendix. That is his best advice. Also take a look at http://www.openssl.org/ as an information resource.

In sum, I don't argue with the value of the hints Mr. Shiflett provides in his book, but this book is weak on substance and does not provide the examples necessary to teach the reader that the suggestions are practical for real implementation. Perhaps instead of this book, the many authors of the "How to PHP and MySQL" clone books need to integrate and implement these protective measures in their texts right from the start. Unfortunately, Mr. Shiflett's book does not bridge the existing gap. If you buy this book, expect to be searching other books and the web for ways to effectively and efficiently perform the tasks the author recommends. If you already know how to implement the measures, you probably did not need this book in the first place.

Other Reviews

• good php security book but not clear at times
• IT MAY BE SHORT, BUT SIZE DOESN'T MATTER!
• Good for non-php too
• I wanted so much to love this book
• Opened my eyes!