Jay Blanchard wrote:
> If there was a best practices book would you buy it?
I write books on PHP aimed at the beginner/intermediate level, and have a considerable collection of PHP books written by others. Two relatively recent books that struck me as being important are "Pro PHP Security" by Chris Snyder and Michael Southwell, and "Essential PHP Security" by Chris Shiflett. (I know there's also "php|architect's Guide to PHP Security" by Ilia Alshanetsky and Rasmus Lerdorf, but I haven't read it.)
The thing that struck me most about the books was that anyone thought there should be a need for them. Of course, there is a need - that's why they were written. However, surely security should be taught from the very beginning? Every book on PHP (or any other language) should be a "best practices" book.
The problem is that books are written by human beings, who are prone to mistakes (myself included), and whose own view of "best practice" might leave gaps in security. The other problem is that a lot of people who use PHP just want to copy and paste a script that "works". Even if the ready-made script has been designed with security in mind, using it without understanding *how* it works can lead to unforeseen problems.
By the way, I would welcome constructive criticism of the scripts in my books. I have tried to incorporate what I perceive to be the best practices at the time of writing, but I'm sure there's room for improvement.
--
David Powers

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php