on July 15, 2004
I normally like to be charitable, but this publication really has nothing to recommend it. Don't touch it with a bargepole.
It's a book about secure, object orientated PHP applications by a guy who doesn't understand security, doesn't understand OOP and can't write.
Despite the title "Secure PHP", there are whole classes of security exploits which are not even mentioned. There is no comprehensive and authoritative discussion of security at any point.
The code samples are poorly laid out, riddled with errors, littered with notes to the author from the technical reviewer, and astonishingly repetitive. You will often get large chunks of code repeated many times just to show changes in a couple of lines buried somewhere in the middle.
Not that the code is worth the effort of reading. The design is often naive, the organisation unclear and the coding practices poor.
For example, he uses a naming convention for constants ($MY_CONSTANT) rather than defining proper constants as provided for by the PHP language via define().
Another example: on page 41 he exhorts his readers to use good naming standards. Yet the abstract application class that forms the core of the book is full of method names such as: name() number() currency() show_status()... I could go on. There are dozens of other equally cryptic examples.
The copy editing and proofreading is the worst I have ever seen in a technical book: it is a disgrace to the profession. There is a grammatical error in the second sentence! Here is a sample of what you can expect, from the 3rd page:
"Next, you need to consider how user interfaces will be presented and how can you allow for maximum customization that can be done without changing your core code. This is typically done by introducing external HTML templates for interface."
Even the section headings are ungrammatical: "Using relational database" (p21)
The 16 editors and proofreaders credited in the frontmatter should hang their heads in shame. This has severly damaged my confidence in Wiley as a brand - they clearly have no concept of quality control. I will be very wary of buying their products in future. The cover strapline "Timely. Practical. Reliable." is a sick joke...
on May 24, 2004
Like other reviewers, I bought this book with high hopes, only to end up feeling victimized.
At least 2/3 of the book is simply a print-out of the source code contained in the accompanying CD--no elaboration, no value-added. I might be fine with that, if the source were of any value, but it's riddled with errors: I counted 47 show-stoppers in the first 100 pages of printouts, then quit counting. It is literally impossible that the author ever tested this source as it is--not only are entire files missing from the CD, but there are misnamed variables and other bugs that prevent even the most basic parts of his 'framework' from ever running. The author's website (Evoknow) claims to have updated source, but the link to it is broken.
The source also contains plenty of hints that nobody copy-edited before printing (my favorite: a comment in a main application class--faithfully reprinted in the book's text--that asks "Asif, what is this function doing here?" For the record, I don't know what it's doing there either, Asif.). Some listings are printed twice, one instance running right into the next; other bad/good coding-practice comparisons make it difficult to tell whether you're looking at the bad or the good.
Possibly the worst job of copy editing I've ever seen in any book--and regrettably, I read a lot of badly edited books. I'll never buy another book by this author, and my trust in Wiley has been seriously damaged as well.
on February 15, 2004
I have a few issues to raise regarding the quality of this book and the supporting source code.
Firstly, the book is littered with errors, typos, and poor grammar. It appears as though it was rushed into publication without any real editorial and technical review. Now this is nothing new in the world of IT books, but it is always disappointing. And there is not even an errata list on the wiley site or the evoknow site.
Secondly, the source code does not run out of the box. This is normally ok if you are given clear instructions as to setting up and configuring, but alas there is no such information. Of course there have been source code updates (which are completely different file structure to the original on the cd, rendering the cd essentially useless) which indicates again that the publication was rushed without proper scrutiny and testing. Loading the code tree under "demo" and browsing to your web server accordingly immediately comes up with errors when loading the index.php home page. Not a good sign, I mean come on, is that the way to start us off? And how exactly has the source code itself changed? How can one know whether what is being read will match the supplied source code???
Thirdly, you have made it clear your source code has not been tested on a Windows environment. I find this a major oversight as a large proportion of PHP development is done on Windows, even if it ends up running on *nix servers. There are also no setup instructions for Windows, only Linux. This is a seriously flawed presumption in my mind.
I am hoping things get better with this book once I am able to set up and run the applications properly, and see the theory in the book (which is useful in the majority of cases) in practice. However, after paying ... here in Australia, I am left with a sour taste, and will think twice before buying a Wiley or Kabir publication again.
Another thing that gets my goat is the boldfaced use of Internet Explorer, MS Access, MS Excel for presenting the screen dumps and what looks like MS Visio for the system diagrams. It just seems hypocritcal that this would occur, for at the same time not providing install instructions and unsupported and untested code for the Windows platform. I dunno about anyone else, but it just doesn't sit well with me. Part IV is totally useless to anyone not using Linux, and Red Hat 8 at that. Not only has this book marginalised Windows users, but reduced its usefulness to one flavour of Linux.
This could have been a good book. It aims high, but falls terribly short. The framework might come of some use, but a lot of hacking about just to get something out of this disaster may prove less than worthy of my time and effort. Reading the source code from the book itself is just too painful. Poorly formatted, lots of repetition, and basically every line of the complete application code is printed. Whatever happened to highlighting important code as necessary to avoid redundancy? The problem with this kinda thing is that its difficult to write less but say more, and the bulk of this book shows just how much effort was avoided.
It is a shame, because a book this ambitious is needed for PHP, but it really only provides a model of what NOT to do. I am out of pocket, disappointed, and will try to recover something (if not my dignity) on Ebay.
on June 3, 2003
When I saw this book at the local bookstore (one of only 10 PHP related books in stock), I thought, "Awesome! I've been looking for some more securing applications techniques." It turned out to be a big let down.
The book is roughtly 750 pages (large print), the first 50 or so was an introduction and gave a few bad examples vs. good examples of code (which was good, and actually made me think the rest of the book was going to be good), then jumped directly into "here's 650 pages worth of class based applications for you to use". The last 40-50 pages of the book was a chapter called something to the effect of "Optimizing and Securing PHP". Of the whole book, this was the most dissapointing aspect, split equally between the 2 topics. I thought the whole book was going to be about writing secure PHP, not just 20 pages.
Even the sample code they gave was in my opinion, poor. The author encouraged a strong misuse of OOP, having every single script have its own class dedicated to it. For example, one of the 50 "ready to use applications" was for handling users for their intranet. They wrote a class with methods for updating the user's information, adding a user, selecting the user's email address from the database, etc. The goal of OOP is to be abstract so that it can be used in more than one area, something the author didn't bother to learn before he wrote this book.
Even the optimizing portion of the last chapter was a big let down. It felt like there was really only one example of code optimization. The rest of the pages explained how to make a particular PEAR script do a speed test on your code. How is that supposed to help me if I'm not even certain how to write it more efficiently?
I'm not interested in a book that shovels me a bunch of code the author wrote. If I wanted free code, there's tons of sites out there for that. I want a book that's going to teach me how to think more securely and write more securely and think about the best/most optimized way to write a particular portion of code. Sadly, this book isn't it.
on June 15, 2004
God help you if you buy it.
on May 26, 2003
This looks like a good object-oriented framework for building PHP apps, but what is up with the restrictive license that accompanies the programming examples in the book? (see the back page of the book, and the license.txt file on the disk)
"You may not (i) rent or lease the Software, (ii) copy or reproduce the software through a LAN or other network system or through any computer subscriber system or bulletin- board system, or (iii) modify, adapt, or create derivative works based on the Software."
I've never seen a book try to restrice the programming examples in this way.
Stay away if you intend to build professional products. There are many other frameworks available for PHP OOP.
on January 14, 2004
I bought this book to jump start some secure PHP Web applications that I would like to develop. I spent many hours to fix the sloppy, careless and untested sample code provided.
No doubt, I am thus sorely disappointed in the Wiley Technology Publishing's promise of "Timely. Practical. Reliable." printed on both the front and back cover.
This book is anything but practical, and definitely not reliable. It could have been timely, but by the time you get the code working, it is too late to do anything useful with it. Don't waste your good money and time supporting this sloppy effort.
on September 17, 2003
The book is not worth the retail price. I guess it was worth it for me since I got a used copy of the book. But this book is more about 50 random applications than about secure programming or writing better code. It would have been good if the book cut down on the application examples and maybe dump it somewhere online (only) and concentrate on making better programmers of the readers. Acutally a majority of the PHP + MySQL books today are not up to par. and that's being kind.
on July 11, 2004
I begged my boss to buy this book because of the title. Hope to reduce workload and shorter development time. Obviously, it seems that the publisher just another company that have one motive : make a lot of money! And for the author, another book to add one more stream of income for his retirement!!! If you want to buy the book, do not buy it. Borrow from your local library instead.
on August 9, 2003
The book is simply a wonderful collection of useful applications and proper documentation of those. Everyone should keep a copy of the book, becuase it will come real handy while developing such applications. While describing the applications, the writer rightly considers reader's perspective. That, for me, was the most wonderful aspect of this book.