Secure PHP Development: Building 50 Practical Applications
Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2003 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 0-7645-4966-9
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
1B/SU/QU/QT/IN
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by
any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted
under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written
permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the
Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8700.
Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc.,
10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-Mail:

is a trademark of Wiley Publishing, Inc.
LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHOR HAVE USED
THEIR BEST EFFORTS IN PREPARING THIS BOOK, THEY MAKE NO REPRESENTATIONS OR
WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS
BOOK AND SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES
REPRESENTATIVES OR WRITTEN SALES MATERIALS. THE ADVICE AND STRATEGIES CONTAINED
HEREIN MAY NOT BE SUITABLE FOR YOUR SITUATION. YOU SHOULD CONSULT WITH A
PROFESSIONAL WHERE APPROPRIATE. NEITHER THE PUBLISHER NOR AUTHOR SHALL BE LIABLE
FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED

TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.
For general information on our other products and services or to obtain technical support, please contact our
Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317)
572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not
be available in electronic books.
Library of Congress Cataloging-in-Publication Data
Library of Congress Control Number: 2003101844
Trademarks: Wiley, the Wiley Publishing logo, and related trade dress are trademarks or registered
trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without
written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is
not associated with any product or vendor mentioned in this book.
01549669 FM.qxd 4/4/03 9:23 AM Page iv
Credits
SENIOR ACQUISITIONS EDITOR
Sharon Cox
ACQUISITIONS EDITOR
Debra Williams Cauley
PROJECT EDITOR
Sharon Nash
DEVELOPMENT EDITORS
Rosemarie Graham
Maryann Steinhart
TECHNICAL EDITORS
Richard Lynch
Bill Patterson
COPY EDITORS
Elizabeth Kuball
Luann Rouff
EDITORIAL MANAGER

Mary Beth Wakefield
VICE PRESIDENT & EXECUTIVE GROUP
PUBLISHER
Richard Swadley
VICE PRESIDENT AND EXECUTIVE
PUBLISHER
Bob Ipsen
VICE PRESIDENT AND PUBLISHER
Joseph B. Wikert
EXECUTIVE EDITORIAL DIRECTOR
Mary Bednarek
PROJECT COORDINATOR
Dale White
GRAPHICS AND PRODUCTION
SPECIALISTS
Beth Brooks
Kristin McMullan
Heather Pope
QUALITY CONTROL TECHNICIANS
Tyler Connoley
David Faust
Andy Hollandbeck
PROOFREADING AND INDEXING
TECHBOOKS Production Services
01549669 FM.qxd 4/4/03 9:23 AM Page v
About the Author
Mohammed J. Kabir is CEO and founder of EVOKNOW, Inc. His company
(www.evoknow.com) develops software using LAMP (Linux, Apache, MySQL, and
PHP), Java, and C++. It specializes in custom software development and offers
security consulting services to many companies around the globe.

When he is not busy managing software projects or writing books, Kabir enjoys
riding mountain bikes and watching sci-fi movies. Kabir studied computer engi-
neering at California State University, Sacramento, and is also the author of Apache
Server 2 Bible, Apache Server Administrator’s Handbook, and Red Hat Server 8. You
can contact Kabir via e-mail at or visit the book’s Web site at
/>01549669 FM.qxd 4/4/03 9:23 AM Page vi
Preface
Welcome to Secure PHP Development: Building 50 Practical Applications. PHP
has come a long way since its first incarnation as a Perl script. Now PHP is a pow-
erful Web scripting language with object-oriented programming support. Slowly
but steadily it has entered the non-Web scripting arena often reserved for Perl and
other shell scripting languages. Arguably, PHP is one of the most popular Web plat-
forms. In this book you will learn about how to secure PHP applications, how to
develop and use an application framework to develop many useful applications for
both Internet and intranet Web sites.
Is This Book for You?
This is not a PHP language book for use as reference. There are many good PHP
language books out there. This book is designed for intermediate- to advanced-
level PHP developers who can review the fifty PHP applications developed for this
book and deploy them as is or customize them as needed. However, it is entirely
possible for someone with very little PHP background to deploy the applications
developed for this book. Therefore, even if you are not currently a PHP developer,
you can make use of all the applications with very little configuration changes.
If you are looking for example applications that have defined features and
implementation requirements, and you want to learn how applications are devel-
oped by professional developers, this book a great starting point. Here you will find
numerous examples of applications that have been designed from the ground up
using a central application framework, which was designed from scratch for this
book.
The book shows developers how PHP applications can be developed by keeping

security considerations in focus and by taking advantage of an object-oriented
approach to PHP programming whenever possible to develop highly maintainable,
extensible applications for Web and intranet use.
How This Book Is Organized
The book is organized into seven parts.
Part I: Designing PHP Applications
Part I is all about designing practical PHP applications while understanding and
avoiding security risks. In this part, you learn about practical design and imple-
mentation considerations, best practices, and security risks and the techniques you
can take to avoid them.
vii
01549669 FM.qxd 4/4/03 9:23 AM Page vii
Part II: Developing Intranet Solutions
Part II introduces you to the central application framework upon which almost all
the Web and intranet applications designed and developed for this book are based.
The central application framework is written as a set of object-oriented PHP classes.
Using this framework of classes, you are shown how to develop a set of intranet
applications to provide central authentication, user management, simple document
publishing, contact management, shared calendar, and online help for your intranet
users. Because all of the applications in this part of the book are based on the core
classes discussed in the beginning of the book, you will see how that architecture
works very well for developing most common applications used in modern
intranets.
Part III: Developing E-mail Solutions
Part III deals with e-mail applications. These chapters describe a suite of e-mail
applications such as Tell-a-Friend applications, e-mail-based survey applications,
and a MySQL database-driven e-mail campaign system that sends, tracks, and
reports e-mail campaigns.
Part IV: Using PHP for Sysadmin Tasks
Part IV focuses on demonstrating how PHP can become a command-line scripting

platform for managing many system administration tasks. In these chapters, you
learn to work with many command-line scripts that are designed for small, specific
tasks and can be run automatically via Cron or other scheduling facilities.
Applications developed in this part include the Apache virtual host configuration
generator, the BIND zone generator, a multi-user e-mail reminder tool, a POP3
spam filtering tool, a hard disk partition monitoring tool, a system load monitoring
tool, and more.
Part V: Internet Applications
In Part V, you learn how to develop a generic Web form management application
suite and a voting (poll) application for your Web site. Because Web form manage-
ment is the most common task PHP performs, you will learn a general-purpose
design that shows you how PHP can be used to centralize data collection from Web
visitors, a critical purpose of most Web sites.
Part VI: Tuning and Securing PHP Applications
In this part, you learn ways to fine-tune your PHP applications for speed and secu-
rity. You will learn how to benchmark your applications, and cache your applica-
tion output and even application opcode. You will also learn to protect your
applications using various security measures involving PHP development and the
Apache Web server platform.
viii Preface
01549669 FM.qxd 4/4/03 9:23 AM Page viii