#1
  1. Web Developer/Musician
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Nov 2004
    Location
    Tennessee Mountains
    Posts
    2,408
    Rep Power
    1031

    A good reminder of the importance of security


    I came across the following article and wanted to share it.

    http://arstechnica.com/security/2014...n-plain-sight/

    Take special note of the mention of SQL injection attacks at the end of the article. Out of all the more complex ways one can break into a web site, that one is arguably the easiest to prevent, and the fact that even major web sites are still falling victim to this sort of attack is exactly why some of us here on devshed end up being drill sergeants about security issues.

    It's one thing for some hacker to find a vulnerability in a new version of Apache or PHP itself, but if WE, the developers of the web site, cannot guard a client site from an attack which every major programming language for the web, including PHP, has a solution for, then we aren't being the professionals we are being paid to be.

    So when a new coder comes here and posts a string of SQL with a $_POST variable embedded in it, don't be surprised if one of us gets a little irritated or even asks where you got the code from if you found it on another site (because my first reflex depending on my mood, is to go to that site, fire up an email and light someone up). We have a number of members here well versed in web security, my advice to new users is to seek those members out and get advice from them on these issues (with a special nod to one member in particular who is very good on this issue).

    What happened to Target and the other companies recently hacked has real-world consequences. Serious ones.

    Comments on this post

    • Jacques1 agrees
    • badger_fruit agrees
  2. #2
  3. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Great post and very good advice.

    You really can't stress this enough: Technically, the problem of SQL injections and cross-site scripting has been solved. We have the tools to eliminate this risk entirely, and it's not difficult at all. The one and only reason why those attacks still happen is because programmers allow them to happen.

    So in addition to what Hammer65 already said, my advice for new programmers would be this:

    • Get a good understanding of common security risks and solutions.
    • Be sceptical. Don't use code from untrustworthy sources. Don't be satisfied with your own code just because “it works”.
    • If you're dealing with a potentially dangerous feature (like file uploads), check what other people have to say about this.
    • Whenever you have a question, just ask.
    The 6 worst sins of security | How to (properly) access a MySQL database with PHP

    Why can’t I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  4. #3
  5. Web Developer/Musician
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Nov 2004
    Location
    Tennessee Mountains
    Posts
    2,408
    Rep Power
    1031
    Originally Posted by Jacques1
    Great post and very good advice.

    You really can't stress this enough: Technically, the problem of SQL injections and cross-site scripting has been solved. We have the tools to eliminate this risk entirely, and it's not difficult at all. The one and only reason why those attacks still happen is because programmers allow them to happen.

    So in addition to what Hammer65 already said, my advice for new programmers would be this:

    • Get a good understanding of common security risks and solutions.
    • Be sceptical. Don't use code from untrustworthy sources. Don't be satisfied with your own code just because “it works”.
    • If you're dealing with a potentially dangerous feature (like file uploads), check what other people have to say about this.
    • Whenever you have a question, just ask.
    Occasionally I've even been chastised for harping on this with the comment "well I just wanted to give a quick example, you can add the security later". Yeah, but will they? Why not just use prepared statements right out of the gate for the code example? Doesn't that set a better example? We shouldn't ever hear of another web site being compromised this way.
    Last edited by Hammer65; January 16th, 2014 at 03:52 PM.
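The pattern Hammer65 objects to in post #1 (a request variable spliced straight into a SQL string) and the "prepared statements right out of the gate" advice in post #3, shown side by side as an added example. This code is not from the thread or from either poster; it uses Python's built-in sqlite3 module with an in-memory table so it runs offline, but the idea is exactly what PHP's PDO gives you with prepare() followed by execute(). The user table, the two accounts and the attacker's input are all constructed for the demo, and passwords are stored in plaintext only to keep the example short (real code hashes them).

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a site's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [("alice", "correct horse"), ("bob", "battery staple")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """The pattern the thread warns about: request data becomes part of the query text.

    The equivalent PHP would be
        "SELECT id FROM users WHERE name = '$_POST[name]' AND password = '$_POST[pw]'"
    Whatever the user typed is parsed as SQL, quotes and all.
    """
    sql = "SELECT id FROM users WHERE name = '%s' AND password = '%s'" % (
        name,
        password,
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_prepared(conn, name, password):
    """Prepared statement: the query text is fixed, the values are bound separately.

    The driver never interprets the bound values as SQL, so a quote in the
    password is just a character in the password. PDO: prepare() then execute([...]).
    """
    sql = "SELECT id FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo():
    """Run a legitimate login and a classic injection through both versions."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed attacker input for the password field
    return {
        # Both versions agree on a real login.
        "legit_vulnerable": login_vulnerable(conn, "alice", "correct horse"),
        "legit_prepared": login_prepared(conn, "alice", "correct horse"),
        # Concatenation turns the WHERE clause into
        #   name = 'alice' AND password = '' OR '1'='1'
        # which is true for every row: the attacker is "logged in" without a password.
        "attack_vulnerable": login_vulnerable(conn, "alice", payload),
        # The bound parameter is compared as a literal string and matches nobody.
        "attack_prepared": login_prepared(conn, "alice", payload),
    }


if __name__ == "__main__":
    for case, ids in demo().items():
        print("%-18s -> matched user ids %s" % (case, ids))
```

Note that the vulnerable version does not fail on the legitimate input; it only fails when the input is hostile, which is why "it works" is not evidence that code is safe. Note also that escaping the value instead of binding it (mysql_real_escape_string and friends) is a second-best fix that still depends on the programmer remembering to do it for every variable and on the connection's character set being set correctly; binding removes that burden entirely.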
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Originally Posted by Hammer65
    Occasionally I've even been chastised for harping on this with the comment "well I just wanted to give a quick example, you can add the security later".
    Yeah, unfortunately, you still have to argue over security sometimes. Or repeat the same warning again and again and again, which is a tiny bit frustrating.

    But I've also seen a lot of positive examples of people who actually fixed their code afterwards. So the effort isn't totally useless.
