January 16th, 2014, 10:55 AM
A good reminder of the importance of security
I came across the following article and wanted to share it.
Take special note of the mention of SQL injection attacks at the end of the article. Out of all the more complex ways one can break into a web site, that one is arguably the easiest to prevent and the fact that even major web sites are still falling victim to this sort of attack is exactly why some of us here on devshed end up being drill sargents about security issues.
It's one thing for some hacker to find a vulnerability in a new version of Apache or PHP itself, but if WE, the developer of the web site cannot guard a client site from an attack which every major programming language for the web including PHP has a solution for then we aren't being the professionals we are being paid to be.
So when a new coder comes here and posts a string of SQL with a $_POST variable embedded in it, don't be surprised if one of us gets a little irritated or even asks where you got the code from if you found it on another site (because my first reflex depending on my mood, is to go to that site, fire up an email and light someone up). We have a number of members here well versed in web security, my advice to new users is to seek those members out and get advice from them on these issues (with a special nod to one member in particular who is very good on this issue).
What happened to Target and the other companies recently hacked have real world consequences. Serous ones.
Comments on this post
January 16th, 2014, 04:45 PM
Great post and very good advice.
You really can't stress this enough: Technically, the problem of SQL injections and cross-site scripting has been solved. We have the tools to eliminate this risk entirely, and it's not difficult at all. The one and only reason why those attacks still happen is because programmers allow them to happen.
So in addition to what Hammer65 already said, my advice for new programmers would be this:
- Get a good understanding of common security risks and solutions.
- Be sceptical. Don't use code from untrustworthy sources. Don't be satisfied with your own code just because “it works”.
- If you're dealing with a potentially dangerous feature (like file uploads), check what other people have to say about this.
- Whenever you have a question, just ask.
January 16th, 2014, 04:49 PM
Ocassionally I've even been chastized for harping on this with the comment "well I just wanted to give a quick example, you can add the security later". Yeah but will they? Why not just use prepared statements right out of the gate for the code example? Doesn't that set a better example? We shouldn't ever hear of another web site being compromised this way.
Originally Posted by Jacques1
Last edited by Hammer65; January 16th, 2014 at 04:52 PM.
January 16th, 2014, 05:28 PM
Yeah, unfortunately, you still have to argue over security sometimes. Or repeat the same warning again and again and again, which is a tiny bit frustrating.
Originally Posted by Hammer65
But I've also seen a lot of positive examples of people who actually fixed their code afterwards. So the effort isn't totally useless.