Super l33t programming lessons – or why the web is so insecure

So suppose you are interested in developing a basic website. You have no special technical training, let alone security-specific know-how, but armed with Google and some terms you heard a friend throw around, you get started.

Learning how to code

Apparently, the internet is built using tools called PHP and MySQL – a scripting language and a database that are both open-source.

Let’s google for the obvious: “simple php mysql tutorial”

There are masters out there!

We are in luck! The third hit is some legit-looking site. I mean, they are web “masters”! This is almost too easy. Let’s have a look.

After some quick setup, we are already sending and receiving our first web form. Looking good right?

[Screenshot, 2014-10-03: the tutorial’s PHP form-handling code]

oops, you are p0wned

Well, oops. Everybody who has ever looked at web application security, say through the OWASP project and its top 10 of web application vulnerabilities, is now looking at this code in horror.

This is a textbook example of a SQL injection vulnerability – or rather, a whole series of them.
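To make the horror concrete, here is the pattern such tutorials teach next to the version they should teach. This is an added example, not the tutorial’s code or the screenshot above; it assumes a MySQL table `users(name, email)`, the PDO extension, and a hypothetical DSN and credentials.

```php
<?php
// Added example (not the tutorial's code): the pattern that makes the
// tutorial's form handler injectable, next to the fixed version.
// Assumptions: a MySQL table users(name, email) and the PDO extension.

// --- Vulnerable: untrusted form input is pasted into the SQL text. ---
// Whatever the user typed becomes part of the query's syntax, so the
// database cannot tell data from commands. This is the SQL injection
// flaw on the OWASP top 10 that the post is describing.
function insertUserUnsafe(PDO $db, array $post): bool
{
    $sql = "INSERT INTO users (name, email) VALUES ('"
         . $post['name'] . "', '" . $post['email'] . "')";
    return $db->exec($sql) !== false;
}

// --- Fixed: prepared statement with bound parameters. ---
// The SQL text goes to the server first, with placeholders; the values
// travel separately and are never parsed as SQL, whatever they contain.
// Input validation is still done, but as a second line of defence,
// not as the thing that keeps the query safe.
function insertUserSafe(PDO $db, array $post): bool
{
    $name  = trim((string)($post['name'] ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    if ($name === '' || strlen($name) > 100
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false; // reject malformed input before touching the DB
    }
    $stmt = $db->prepare(
        'INSERT INTO users (name, email) VALUES (:name, :email)'
    );
    $stmt->bindValue(':name',  $name,  PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    return $stmt->execute();
}

// Typical wiring (hypothetical DSN and credentials):
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    echo insertUserSafe($pdo, $_POST) ? 'Saved.' : 'Invalid input.';
}
```

The only structural difference is that the safe version never lets request data touch the SQL string; everything else (validation, error mode, charset) is hardening around that one rule.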

Lessons learned?

We should probably re-introduce corporal punishment for these people. Or maybe we can collectively convince them to modify their tutorial. At least security testers won’t be out of work any time soon!

PS: at least W3Schools, hit #1, seems to do something sensible.
