Professional CodeIgniter, Thomas Myer

Chapter 9: Security and Performance
286


Additional Security Resources

Web application security is an enormous field, and there's no way to do it justice in such a short space.
If you're interested in continuing your education, here are a few resources that will help you do that:



The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws, by Dafydd
Stuttard and Marcus Pinto -- This book is a guide to identifying security flaws in web
applications using real-world examples.



Essential PHP Security, by Chris Shiflett -- This book is short, but don't assume it's somehow
deficient because of that. Just a single read-through will improve your security posture and
educate you on just about everything you need to know.



PHP|architect's Guide to PHP Security, by Ilia Alshanetsky -- Ilia's book will educate you on
some of the finer points of SQL injection, buffer overflow attacks, and other attacks.



Apache Security, by Ivan Ristic -- Ivan's book covers security principles (I especially like his take
on security as a process, not an outcome) and delves deeply into different aspects of Apache
security, like SSL, denial of service attacks, secure PHP installation, and more.


PHP Security Consortium (http://phpsec.org/) -- This web site contains various articles on
security topics like input validation, spoofing, and XSS.

Web Application Security - Web Application Component Toolkit
(www.phpwact.org/security/web_application_security) -- This page provides a list of common security
vulnerabilities and concerns that are easy to fix at the application development level. Included
in the list are additional resources as well as catalogs of well-known attacks (and their
countermeasures).

OWASP (http://owasp.org) -- OWASP is a Wiki run by the Open Web Application Security
Project.


Performance

Performance is usually the bane of any development effort. Things that you put together on a
development server simply never seem to stand up to the pounding of real traffic. Once again, however,
CodeIgniter comes to your aid with a set of profiling and benchmarking tools that allows you to see how
your pages (and even sections of code) perform.


Profiling

If you're curious about the performance of any page, you can turn on profiling and get a detailed report of
what's happening. This is a useful thing to do before a site goes live.

To turn on profiling, open your Welcome controller in an editor, and make the following change to the
constructor:

    function Welcome(){
        parent::Controller();
        // Ask the Output class to append the profiler report to every page this controller renders
        $this->output->enable_profiler(TRUE);
    }
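The constructor above switches the profiler on unconditionally, and the report it appends to the page lists executed queries, POST data, and config values, which is not something a live site should be showing to visitors. The following is an added example, not code from the book, of the same Welcome controller (CodeIgniter 1.x style, with the `parent::Controller()` call the book uses) that enables the profiler only when a custom config item says so, and adds a benchmark pair so a named timing shows up in the report. The config item `enable_profiler` is an assumption: you would define it yourself in `application/config/config.php` on the development server and leave it FALSE (or absent) in production.

```php
<?php
// Added example (not from the book): enable the CodeIgniter 1.x profiler only
// when a development-only config item allows it, so the report (queries, POST
// data, config values) is never rendered for real visitors.
class Welcome extends Controller {

    function Welcome()
    {
        parent::Controller();

        // Assumption: 'enable_profiler' is a custom item you add to
        // application/config/config.php on the development server only.
        // config->item() returns FALSE when the item does not exist, so the
        // default is "profiler off".
        $profiling = (bool) $this->config->item('enable_profiler');

        $this->output->enable_profiler($profiling);
    }

    function index()
    {
        // A matching _start/_end marker pair appears in the profiler report as
        // one named timing, so you can see how long the view took to render
        // separately from the total page time.
        $this->benchmark->mark('render_view_start');
        $this->load->view('welcome_message');
        $this->benchmark->mark('render_view_end');
    }
}
```

With the item unset, the page renders exactly as before; with `$config['enable_profiler'] = TRUE;` in the development config, every page served by this controller carries the profiler report, including the `render_view` timing from the marker pair.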
c09.indd 286
6/10/08 5:38:04 PM

