Sql Injection virus problem.


topr8 - 10:13 pm on May 29, 2008 (gmt 0)


i know we don't normally give book recommendations here but:
o'reilly essential php security is only a small one ... and yes, i know this exploit affected sql server and classic asp ...

however the book is more about principles than anything else. i'm not really a php person and i understood what it was all about.

essentially he talks about layers of security (just as dataguy mentions above). the author strongly emphasises:
a). the need to clean all untrusted data (if you are going to use it) - which is basically EVERYTHING that isn't hand-coded into the page: querystrings, form values, cookie values, even http headers
b). set permissions at a minimum - if a user only needs to SELECT from a table then take away permissions for UPDATE, DELETE, INSERT etc. ... ideally let the user have exec permissions on stored procs and NO actual permissions on the tables themselves.
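As an added example (not from the thread or its author), this is what point (b) looks like on SQL Server, the platform the post mentions: the web application's user gets EXECUTE on one stored procedure and is explicitly denied everything on the table it reads. The database, table, login, role and procedure names are assumptions.

```sql
-- Added example (not from the thread). Assumed names: Shop database,
-- dbo.Products table, app_login / app_user, web_app_role,
-- dbo.GetProductsByCategory.
USE Shop;
GO

-- The application's own login/user, separate from the owner or dbo.
CREATE LOGIN app_login WITH PASSWORD = 'replace-with-a-strong-password';
CREATE USER app_user FOR LOGIN app_login;

-- A role that holds exactly the permissions the web app needs.
CREATE ROLE web_app_role;
ALTER ROLE web_app_role ADD MEMBER app_user;
GO

-- The only thing the app ever runs against Products: a procedure whose
-- input is a typed parameter, so the category value is data and never
-- becomes part of the SQL text (point (a), on the database side).
CREATE PROCEDURE dbo.GetProductsByCategory
    @CategoryId INT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT ProductId, Name, Price
    FROM dbo.Products
    WHERE CategoryId = @CategoryId;
END
GO

-- Point (b): EXECUTE on the procedure, and no rights at all on the table.
GRANT EXECUTE ON OBJECT::dbo.GetProductsByCategory TO web_app_role;
DENY SELECT, INSERT, UPDATE, DELETE ON OBJECT::dbo.Products TO web_app_role;
GO

-- Checks, run as the application user: the procedure still works because
-- procedure and table share the owner dbo (ownership chaining skips the
-- table permission check), while direct statements on the table fail.
EXECUTE AS USER = 'app_user';
EXEC dbo.GetProductsByCategory @CategoryId = 3;   -- succeeds
SELECT * FROM dbo.Products;                        -- fails: SELECT denied
DELETE FROM dbo.Products WHERE ProductId = 1;      -- fails: DELETE denied
REVERT;
GO
```

If a query in the application is ever concatenated from user input and reaches this account, the DENY on the table bounds what it can do to what the procedure already allows.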


Thread source: http://www.webmasterworld.com/databases_sql_mysql/3657200.htm
Brought to you by WebmasterWorld: http://www.webmasterworld.com