So suppose you are interested in developing a basic website. Without special technical training, let alone security-specific know-how, but armed with Google and some terms you heard a friend throw around, you get started.
Learning how to code
Apparently, the internet is built using tools called PHP and MySQL – a scripting language and a database that are both open-source.
Let’s google for the obvious: “simple php mysql tutorial”
We are in luck! The third hit is some legit-looking site. I mean, they are web “masters”! This is almost too easy. Let’s have a look.
After some quick setup, we are already sending and receiving our first web form. Looking good right?
oops, you are p0wned
Well, oops. Everybody who has ever looked at web application security, for instance through the OWASP project and its top-10 list of web application vulnerabilities, is now looking at this code in horror.
This is a textbook example of an SQL injection vulnerability – or rather, a whole series of them.
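To make the problem concrete, here is an added example that is not the tutorial's code and not part of the original post. It uses Python with an in-memory SQLite table standing in for the PHP/MySQL form handler (the mechanism is identical): a login query built by string concatenation, the way such tutorials do it, beside its parameterised replacement. The table layout and the form fields (username, password) are assumptions.

```python
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for the
# tutorial's MySQL users table (assumed columns: username, password).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    # The tutorial pattern: form input pasted straight into the SQL string.
    # Any quote character in the input becomes part of the query's syntax.
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_safe(conn, username, password):
    # Parameterised query: the driver passes the input as data, so it can
    # never change the structure of the statement.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0

def demo():
    conn = make_db()
    # Classic OWASP teaching input: harmless as data, but when concatenated
    # it turns the WHERE clause into something that is true for every row.
    injected = "' OR '1'='1"
    # A perfectly legitimate value that the concatenated version cannot even
    # handle: the apostrophe breaks the SQL and the query fails outright.
    irish = "o'brien"
    try:
        vuln_apostrophe = login_vulnerable(conn, irish, "x")
    except sqlite3.OperationalError:
        vuln_apostrophe = "error"
    return {
        "vuln_good": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_injected": login_vulnerable(conn, injected, injected),
        "vuln_apostrophe": vuln_apostrophe,
        "safe_good": login_safe(conn, "alice", "s3cret"),
        "safe_injected": login_safe(conn, injected, injected),
        "safe_apostrophe": login_safe(conn, irish, "x"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The concatenated version lets a crafted input log in without a valid password and crashes on an ordinary name containing an apostrophe; the parameterised version gets both cases right, which is the fix any such tutorial should be teaching.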
Lessons learned?
We should probably re-introduce corporal punishment for these people. Or maybe we can collectively convince them to modify their tutorial. At least security testers won’t be out of work any time soon!
PS: at least W3Schools, hit #1, seems to do something sensible