Professional CodeIgniter


Chapter 9: Security and Performance




Additional Security Resources


Web application security is an enormous field, and there's no way to do it justice in such a short space.
If you're interested in continuing your education, here are a few resources that will help you do that:

❑ The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, by Dafydd Stuttard and Marcus Pinto — This book is a guide to identifying security flaws in web applications using real-world examples.

❑ Essential PHP Security, by Chris Shiflett — This book is short, but don't assume it's somehow deficient because of that. Just a single read-through will improve your security posture and educate you on just about everything you need to know.

❑ PHP|architect's Guide to PHP Security, by Ilia Alshanetsky — Ilia's book will educate you on some of the finer points of SQL injection, buffer overflow attacks, and other attacks.

❑ Apache Security, by Ivan Ristic — Ivan's book covers security principles (I especially like his take on security as a process, not an outcome) and delves deeply into different aspects of Apache security, like SSL, denial of service attacks, secure PHP installation, and more.

❑ PHP Security Consortium (http://phpsec.org/) — This web site contains various articles on security topics like input validation, spoofing, and XSS.

❑ Web Application Security – Web Application Component Toolkit (http://www.phpwact.org/security/web_application_security) — This page provides a list of common security vulnerabilities and concerns that are easy to fix at the application development level. Included in the list are additional resources as well as catalogs of well-known attacks (and their countermeasures).

❑ OWASP (http://owasp.org) — OWASP is a Wiki run by the Open Web Application Security Project.

Performance


Performance is usually the bane of any development effort. Things that you put together on a
development server simply never seem to stand up to the pounding of real traffic. Once again, however,
CodeIgniter comes to your aid with a set of profiling and benchmarking tools that allows you to see how
your pages (and even sections of code) perform.

Profiling


If you're curious about the performance of any page, you can turn on profiling and get a detailed report of
what's happening. This is a useful thing to do before a site goes live.

To turn on profiling, open your Welcome controller in an editor, and make the following change to the
constructor:

function Welcome()
{
    parent::Controller();
    // Ask the Output class to append the profiler report to every page this controller renders
    $this->output->enable_profiler(TRUE);
}
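As an added example (not code from the book), here is a complete Welcome controller for CodeIgniter 1.x that turns the profiler on only when a config flag allows it, and uses the Benchmark class mentioned above to time one section of code. The profiler report reveals executed queries, POST data and memory usage to anyone who loads the page, so gating it keeps that detail off a live site. The `enable_profiler` config key and the `_build_list()` helper are assumptions made for this example; `enable_profiler()`, `config->item()`, `benchmark->mark()` and `benchmark->elapsed_time()` are the framework's own methods.

```php
<?php
// Added example, not from the book: a CodeIgniter 1.x controller that
// enables the profiler conditionally and benchmarks a block of code.
class Welcome extends Controller {

    function Welcome()
    {
        parent::Controller();

        // Assumption: a boolean 'enable_profiler' entry in config/config.php,
        // set to TRUE only on development machines. The profiler output
        // exposes queries, POST data and memory usage, so it stays off
        // anywhere real visitors can load the page.
        if ($this->config->item('enable_profiler') === TRUE) {
            $this->output->enable_profiler(TRUE);
        }
    }

    function index()
    {
        // Marks whose names end in _start and _end are paired in the
        // profiler report; they can also be queried directly.
        $this->benchmark->mark('build_list_start');
        $items = $this->_build_list(500);
        $this->benchmark->mark('build_list_end');

        $data['items']   = $items;
        $data['elapsed'] = $this->benchmark->elapsed_time('build_list_start', 'build_list_end');

        $this->load->view('welcome_message', $data);
    }

    // Hypothetical helper standing in for real work (a model call, for example).
    // The leading underscore keeps CodeIgniter from routing to it as a page.
    function _build_list($n)
    {
        $list = array();
        for ($i = 0; $i < $n; $i++) {
            $list[] = 'item ' . $i;
        }
        return $list;
    }
}
```

With the flag set, loading the page appends the profiler table after the view, including the `build_list` timing; with the flag unset or absent the page renders normally and nothing about the request internals is shown.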

