Learning PHP

3 views
Skip to first unread message

rick0763

unread,
Oct 23, 2009, 10:15:57 PM10/23/09
to Atlanta PHP
I took a couple online courses in PHP/MySQL last year. Thought I was
getting the hang of things, and put my first two sites live...and got
hacked within 2 weeks. The security aspects of these courses were
weak, and I've been avoiding using my PHP ever since.

I'm still strongly interested in learning PHP, but feel I'd do best in
a classroom environment. Can anyone suggest such a program (preferably
in the NW Atlanta area)? If no classroom program exists, I'd at least
like to know how all of you learned your PHP, and if you had to start
over (given what you know now) how would you go about it? Note that I
have no programming experience other than a very brief into to
JavaScript, and the online PHP courses I took last year. I'd prefer to
simply start from scratch.

How would you advise a non-programmer to learn PHP, with an emphasis
on securing the code?

Thanks in advance,
Rick

jcorry

unread,
Oct 24, 2009, 9:29:05 AM10/24/09
to Atlanta PHP
I think Emory has a continuing ed program that includes PHP web
development.

Of course, you might also need to read and re-read this:
http://samizdat.mines.edu/howto/HowToBeAProgrammer.html

7263255

unread,
Oct 25, 2009, 10:26:47 AM10/25/09
to Atlanta PHP
Very good question.

Sadly, many PHP examples do not use best-practices.

The simplest answer is to find an experience, security-centric
programmer who can review your application with you. Just as it is
impossible to spot all of your own errors when writing text, having
someone else review your code is important no matter how experienced
you are.

I can't really tell what might have gone wrong for you based on your
email, but my first reaction is that you might be dealing with a non-
PHP vulnerability. Does your host have a reasonably up-to-date LAMP
stack? If they are running an out-of-date Apache, then someone could
use that to take over the entire server. At that point, penetrating
your application is trivial.

If you can tell us more about what your app does, how it does it, and
what the attack was like, I might be able to make some guesses as to
the kinds of things you should check.

Some of the information is very technical for new programmers, but I
highly recommend browsing through the Open Web Application Security
Group's materials, specifically http://www.owasp.org/index.php/Category:OWASP_Guide_Project
and http://www.owasp.org/index.php/Category:OWASP_Testing_Project . I
realize I just recommended a thousand pages of reading. Don't try to
absorb it all at once, but what you do understand on first reading
will get you thinking about the mentality of attackers.

Looking around on Google, the only thing I found that looks like it
might be what you are looking for is this book:
http://www.amazon.com/Professional-PHP5-Security-Ben-Ramsey/dp/0764596349/
which was written in part by our own Ben Ramsey.

I guess we need to make some kind of "security gotchas for beginning
PHP programmers" kind of resource. Maybe a presentation topic for a
future meeting?

You asked about how I learned security in PHP... I had a security
background before I started on PHP, having already built large
applications in Cold Fusion. I've also been a member of hacker
community (not all "hackers" break into things just as not all
"teenagers" do graffiti or bash mail boxes). That being said, I have
written some colossally bad code before. Fortunately, colleagues
spotted them before attackers did.

rick0763

unread,
Oct 25, 2009, 12:05:29 PM10/25/09
to Atlanta PHP
I appreciate all the responses so far! This speaks well for the
community.

The sites I built in the online courses were simply student
projects...a way to learn PHP. They were of no real consequence to me,
but at the time I was just starting out as a freelance web developer,
and thought these would help build a portfolio. Bad idea! But my point
is that I don't need those sites...they were just student work. Though
I suppose going back to them to spot the vulnerabilities would be a
good way to resume my PHP training.

What I was really hoping for right now was a direction to point
myself...a starting point. If you had to train a co-worker to begin
PHP programming, what books would you have him/her read, would you
suggest learning a specific framework or just get an intro to php
book? I will have a look at Ben Ramsey's book, but would still
appreciate hearing which books have been particularly helpful to
others. I have a couple PHP books on my shelf that were simply too
advanced for me, and I'd like to avoid another of those.

Again, I greatly appreciate all of the tips, and look forward to
hearing more tips from others.
Rick

On Oct 25, 10:26 am, 7263255 <googlegro...@bacn.randallbollig.com>
wrote:
> Very good question.
>
> Sadly, many PHP examples do not use best-practices.
>
> The simplest answer is to find an experience, security-centric
> programmer who can review your application with you.  Just as it is
> impossible to spot all of your own errors when writing text, having
> someone else review your code is important no matter how experienced
> you are.
>
> I can't really tell what might have gone wrong for you based on your
> email, but my first reaction is that you might be dealing with a non-
> PHP vulnerability.  Does your host have a reasonably up-to-date LAMP
> stack?  If they are running an out-of-date Apache, then someone could
> use that to take over the entire server.  At that point, penetrating
> your application is trivial.
>
> If you can tell us more about what your app does, how it does it, and
> what the attack was like, I might be able to make some guesses as to
> the kinds of things you should check.
>
> Some of the information is very technical for new programmers, but I
> highly recommend browsing through the Open Web Application Security
> Group's materials, specificallyhttp://www.owasp.org/index.php/Category:OWASP_Guide_Project
> andhttp://www.owasp.org/index.php/Category:OWASP_Testing_Project.  I
> realize I just recommended a thousand pages of reading.  Don't try to
> absorb it all at once, but what you do understand on first reading
> will get you thinking about the mentality of attackers.
>
> Looking around on Google, the only thing I found that looks like it
> might be what you are looking for is this book:http://www.amazon.com/Professional-PHP5-Security-Ben-Ramsey/dp/076459...

Ben Ramsey

unread,
Oct 25, 2009, 6:22:15 PM10/25/09
to google...@bacn.randallbollig.com, Atlanta PHP
On 10/25/09 7:26 AM, 7263255 wrote:
> Looking around on Google, the only thing I found that looks like it
> might be what you are looking for is this book:
> http://www.amazon.com/Professional-PHP5-Security-Ben-Ramsey/dp/0764596349/
> which was written in part by our own Ben Ramsey.

That book was never published, unfortunately. I'm not sure why Amazon
still has the data on it.

I would recommend Essential PHP Security by Chris Shiflett:
http://www.amazon.com/Essential-PHP-Security-Chris-Shiflett/dp/059600656X/

--
Ben Ramsey
Atlanta PHP
http://atlantaphp.org/

Ben Ramsey

unread,
Oct 25, 2009, 6:31:40 PM10/25/09
to rick...@gmail.com, Atlanta PHP
On 10/25/09 9:05 AM, rick0763 wrote:
> I appreciate all the responses so far! This speaks well for the
> community.

As for my experience, I learned on my own. I'm self-taught, but your
comment here hit the nail on the head. If it weren't for the great PHP
community, I would never have made it to where I am today.

There are lots of PHP forums and help resources online. Finding the good
ones is difficult, though. Here are a few of my recommendations:

* PHP.net General user list: http://php.net/mailing-lists.php
* ##php IRC Channel on Freenode
* #phpc IRC Channel on Freenode (not a help channel, but a community
channel; still an excellent resource for you to get tapped into the
community and find other resources)

And, really, that's it. I know that my first experiences getting help
with PHP were on that general user list. There are lots of great people
who subscribe to that, and they won't make you feel dumb for asking
newbie questions, so feel free to ask away!

To dig a little deeper into the PHP community, I'd recommend the following:

http://phpdeveloper.org/
http://www.planet-php.net/
http://phparch.com/
http://devzone.zend.com/

I know I'm leaving out tons of other resources, but these are the ones I
personally keep going back to day after day.

Again, the real key here is the community. In my opinion, the community
is what makes PHP so great.

BTW, for online training courses, check out the following:
http://phparch.com/c/phpa/training
http://www.zend.com/en/services/training/
http://www.ibuildings.co.uk/services/training/

Sharmishtha

unread,
Oct 25, 2009, 11:23:49 AM10/25/09
to Atlanta PHP
The main website for PHP is http://php.net/index.php. You can refer
functionality with good examples.
If you want to learn basics of security with some examples then
Webgoat is the great application.
You can find the details on http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project.
To learn more efficiently, try to write small applications with the
best practices given in http://talks.php.net/show/php-weekender
Enjoy coding.
Reply all
Reply to author
Forward
0 new messages