Modern, security-conscious, PHP book?

I'm not a PHP developer, so I don't have any specific recommendations, but from my experience I can give some general guidance that may be useful.

First, buy the newest PHP security specific book you can find. As established as PHP is, and as soft as the technical book market has been for the last decade, there aren't a lot of options, but there are a few out there. "Securing PHP Web Applications" from 2008 is the newest I've been able to find. The newer books will not only have more up to date information on PHP, but also more information on current attacks and threats.

Second, for more general PHP development education, look for a book with something like "Advanced" or "Technical" in the title, like "PHP Advanced and Object-Oriented Programming" (I have no idea if that specific book is any good.) Beginner books (in any language or technology) are notorious for including disastrous shortcuts for the sake of simplicity, and rarely if ever worry about best practices...They're designed to show you how to get something working with the least amount of code possible, and it's almost always terrible code. Advanced books have the luxury of being able to target readers with prior knowledge where best practices are more important than absolute simplicity, and you're far more likely to find a book that incorporates good security practices.

Third, (and this may be obvious) don't rely only on a book for your security information. Internet resources such as the OWASP website will always be far more current and provide a greater amount of detail around current security practices and threats.


It's not a book, it's a site but I've been building up some PHP-related tutorials and articles on my site Websec.io (http://websec.io). They're definitely more recent than Chris' book...take a look.

EDIT: Since this post, I've also released a set of ebooks specifically about securing PHP applications: securingphp.com.