[HN Gopher] 16/30 Google results for PHP tutorials contain SQL i...
___________________________________________________________________
16/30 Google results for PHP tutorials contain SQL injection
vulnerabilities
Author : phil294
Score : 116 points
Date : 2021-07-25 19:27 UTC (3 hours ago)
(HTM) web link (waritschlager.de)
(TXT) w3m dump (waritschlager.de)
| gregjor wrote:
| I freelance fixing and maintaining legacy web apps, almost always
| PHP.
|
| Anecdotally I see SQL injection vulnerabilities in about half the
| code I look at. It's one type of problem among many other
| problems and vulnerabilities in code written by amateurs and
| often copy/pasted.
|
| PHP programmers can find lots of resources online. Some of those
| are terrible, either very old or written by amateurs excited to
| show how they got something to work.
|
| I have seen the same kind of thing with Java and Python, but the
| popularity of PHP means there's a lot of junk info and examples
| online.
|
| PHP has supported safe SQL and safe HTML for decades, but the
| programmer has to understand the problem and the solution.
| tannhaeuser wrote:
| > _PHP has supported [...] safe HTML for decades, but the
| programmer has to understand the problem and the solution._
|
| That's not good enough for a language advertising as "Hypertext
| Preprocessor" though. PHP's distinguishing feature is that it's
| kicked off from SGML-ish processing instructions in otherwise
| static HTML, and it has all context available for perfect
| injection-free HTML-aware templating. Eg escaping quotes when
| it's outputting into attributes, escaping "]]>" when outputting
| into CDATA sections, or with the help of a _real_ markup
| processor, suppressing/escaping <script> elements or onclick
| or other event handler attributes where advised through a
| grammar such as an SGML DTD. But it doesn't because it's just
| such a hack job of a language, by the developer's own
| admission.
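As an added example (not tannhaeuser's code and not anything PHP does for you), this is what the per-context escaping described above looks like when the programmer has to do it by hand in PHP. The function names are this example's own, and the sample strings are constructed to show what each context would otherwise let through.

```php
<?php
// Added example: one escaper per output context. PHP knows nothing about
// where a string is being echoed, so the caller has to pick the right one.
declare(strict_types=1);

// Element text: '<', '>' and '&' must not be read as markup.
function escText(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Attribute value: in addition, neither quote character may close the
// attribute. Emit the surrounding quotes yourself; an unquoted attribute
// value ends at the first space. $name is a trusted constant, never user data.
function attr(string $name, string $value): string
{
    return $name . '="'
        . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8')
        . '"';
}

// CDATA section: the only thing that can end it is the token ']]>', so the
// standard trick is to split that token across two adjacent sections.
function cdata(string $s): string
{
    return '<![CDATA[' . str_replace(']]>', ']]]]><![CDATA[>', $s) . ']]>';
}

// Constructed inputs, one per context the thread mentions: a script element
// in text, an event-handler attribute smuggled into an attribute value, and
// an early CDATA terminator.
$samples = [
    '<script>alert(1)</script>',
    '" onclick="alert(1)',
    ']]><script>alert(1)</script>',
];

foreach ($samples as $s) {
    echo '<p>' . escText($s) . "</p>\n";
    echo '<a ' . attr('title', $s) . ">link</a>\n";
    echo cdata($s) . "\n";
}
```

Run it with `php` on the command line and compare the three output lines per sample: the same string is neutralised differently depending on where it lands, which is exactly the context information a template engine has and a bare `echo` throws away.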
| gerdesj wrote:
| I run a small IT company and the Windows sysadmin stock answer
| to nearly all problems:
|
|     C:\Windows\System32> sfc /scannow
|
| ... followed by "reinstall your operating system". OK so no
| harm done apart from rather a lot of downtime, assuming you can
| put it back together again. The number of times I see "disable
| your AV" still is frightening.
|
| I have a browser plugin that I discovered thanks to this parish
| called uBlacklist which you can use to try and clean up your
| search results by banning known bad sites from your results.
| social.microsoft.whatever was first ... 8)
|
| I also note an awful lot of Linux related link farms and
| "blogs" with ads and cloned content from other sources have
| surfaced over the last few years. WordPress is another
| quagmire. I could go on but basically, search is very close to
| completely screwed (but not quite.)
| pixl97 wrote:
| Disable your AV is a perfectly cromulent suggestion. It is a
| root kit that operates at the lowest level of your operating
| system, and any issue with it and it will affect every layer
| above it.
|
| Now, if disabling works you should set reasonable exclusions
| and enable the product again.
| Aeolun wrote:
| So I install a rootkit... to save me from rootkits?
| gerdesj wrote:
| Disabling your AV is never a good starter for 10 and is
| often proffered as the canonical fix for a problem. I
| shudder to think how many people have been debagged and
| radished (I'll take your cromulent and raise you really
| odd) as a result of following "sage" advice.
|
| I read the logs and set exclusions until the damn thing
| works. I have briefly disabled the whole
| AV/firewall/browser plugin thing sometimes to double check
| but that is quite rare. When I smile my teeth make a "ping"
| sound and briefly flash white.
| syshum wrote:
| Now Now...
|
| The Sysadmin stock answer to nearly all problems is
| shutdown /r /t 0
|
| If that fails, then sfc /scannow
| cosmodisk wrote:
| From my anecdotal data, a whole lot of tutorials are written by
| 'learn Java in 21 day' stage developers. People are excited,
| want to put their name out there and start churning out
| tutorials on concepts only yesterday they had no clue about.
| Similar situation with many online courses too.
| lixtra wrote:
| The clean code may still have other issues. For example [1] gives
| away if a certain email address is registered with the site or
| not.
|
| [1] https://phppot.com/php/user-registration-in-php-with-
| login-f...
| IshKebab wrote:
| Everyone on HN is obsessed with that "vulnerability" without
| considering that: a) almost all sites that try to avoid it fail
| anyway when you try to sign up - "that email is already
| registered" and b) it's really user-hostile for a tiny increase
| in privacy so it's perfectly reasonable to not implement it on
| _most_ sites.
| jffry wrote:
| If I did want to close that hole, is there anything more
| clever than just having a username that isn't an email
| address, and allow more than one account to use the same
| email address?
| ghusbands wrote:
| I don't think people in general want to remember a username
| for every site.
| isbvhodnvemrwvn wrote:
| Just return the usual "please confirm registration by
| clicking a link in the email" - in the e-mail you just
| notify the email owner that someone tried to create a new
| account while another account was already registered for
| this e-mail. This does not disclose anything to anyone
| other than the owner of the e-mail.
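As an added example (not the commenter's code, and not taken from any of the tutorials the thread discusses), here is the pattern just described: the HTTP response is identical whether or not the address is already registered, and the distinguishing information goes only into the e-mail. Account storage and mail delivery are in-memory stand-ins constructed for the demo, and the confirmation URL is a placeholder.

```php
<?php
// Added example: enumeration-resistant registration. Both code paths return
// the same string to the browser; only the mailbox owner learns which path ran.
declare(strict_types=1);

final class Registration
{
    /** @var array<string, string> e-mail => 'pending' | 'active' (constructed store) */
    private array $accounts = [];

    /** @var list<array{to: string, subject: string, body: string}> stand-in for a mailer */
    public array $outbox = [];

    /** @param list<string> $existing addresses that already have an account */
    public function __construct(array $existing = [])
    {
        foreach ($existing as $email) {
            $this->accounts[strtolower($email)] = 'active';
        }
    }

    public function register(string $email): string
    {
        $email = strtolower(trim($email));

        if (isset($this->accounts[$email])) {
            // Existing account: tell the owner, not the requester.
            $this->send(
                $email,
                'Registration attempt',
                'Someone tried to create an account with this address, but one '
                . 'already exists. If this was you, use "forgot password" instead.'
            );
        } else {
            $this->accounts[$email] = 'pending';
            $token = bin2hex(random_bytes(16)); // hypothetical confirmation token
            $this->send(
                $email,
                'Confirm your registration',
                'Open this link to activate your account: '
                . 'https://example.invalid/confirm/' . $token // placeholder URL
            );
        }

        // Same text on every path, so the response cannot be used as an oracle.
        return 'Please confirm your registration by clicking the link in the e-mail we sent.';
    }

    private function send(string $to, string $subject, string $body): void
    {
        $this->outbox[] = ['to' => $to, 'subject' => $subject, 'body' => $body];
    }
}

$reg = new Registration(['alice@example.com']);
$a = $reg->register('alice@example.com'); // already registered
$b = $reg->register('carol@example.com'); // new address

printf("responses identical: %s\n", $a === $b ? 'yes' : 'no');
foreach ($reg->outbox as $m) {
    printf("to=%s subject=%s\n", $m['to'], $m['subject']);
}
```

Note that this only closes the response-body channel: if one branch does noticeably more work than the other (for example, hashing a password only on the new-account path), the timing difference can still reveal which branch ran, and the login and password-reset endpoints need the same uniform-response treatment.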
| hsbauauvhabzb wrote:
| This. Risk assess whether user enumeration is actually bad,
| then go fix it if you need to.
| NavinF wrote:
| IMO trying to stop user enumeration is a lost cause. People
| with many email addresses and no password manager still need a
| way to figure out which email/username they used on your site.
| If they can't enumerate themselves, you end up with bad
| retention or lots of support tickets.
| Zababa wrote:
| So what's the actual way of doing this in PHP?
| l0b0 wrote:
| I googled for `php mysql email register`. This returns tutorials,
| how-tos, code snippets. Most results include flawed DB
| statements.
|
| Nothing to do with Google itself, Google being vulnerable to SQL
| injection, or completely arbitrary websites being vulnerable.
| phil294 wrote:
| Oh I see what you mean, I rephrased the title a bit. It is
| pretty specific after all
| haolez wrote:
| Programming in PHP using GitHub's Copilot must be exciting :)
| ineedasername wrote:
| In a few years we might regard it the same way as MS Office's
| Clippy:
|
| "It looks like you're trying to create a web app front end! Do
| you need assistance with A) Implementing a dark pattern or B)
| Avoiding the use of dark patterns?"
| CR007 wrote:
| I feel that it actually understands what I'm doing. It's very
| wicked how sometimes copilot nails a line or an entire block
| totally in my context and writing style.
|
| Scary stuff.
| 0x0nyandesu wrote:
| Generally speaking lesson 1 on building queries skips over
| injections and only after the basic premise is explained do you
| go into the details on how to be secure in lesson 2.
| iratewizard wrote:
| Amit Singhal's method for maintaining Google's search business
| unit was its success. Hopefully they realize the ML pipe dream is
| a failure sooner than later.
| iamstupidsimple wrote:
| Care to elaborate on how Amit ran things differently?
| iratewizard wrote:
| Search rules were written by hand and not left to an
| automatic process
| ma2rten wrote:
| This doesn't seem like something that could be fixed by using a
| rule based approach, because it would require actually
| understanding the subject matter.
| dvh wrote:
| People have been warning us about sql injection for more than 2
| decades, it finally starts to pay off and then someone in js
| invents div.innerHTML=`template aka glued strings` and everybody
| jumps on it like it's no big deal.
| opheliate wrote:
| I'm not sure what point you're making here? IMO, while JS is
| certainly more bloated than ever as a result, the current
| popularity of frameworks like React, Vue, etc. makes it much
| less likely that a beginner will introduce XSS than 10 years
| ago.
| ineedasername wrote:
| I don't blame google for this. I blame crappy tutorials that
| either gloss over important details or are written by people who
| don't know them in the first place. If Google could develop a
| search algorithm that selected results for quality code, they'd
| have an entirely separate product they could sell, perhaps as
| part of an "AI Cloud" assisted programming environment.
| tester756 wrote:
| People don't use ORMs there?
|
| Those are great tools and you can always use raw sql in
| exceptional cases
| tomohawk wrote:
| It would seem that misinformation such as this would be much more
| in the wheelhouse of companies such as Google as they consider
| censoring content and twiddling search results. They don't employ
| virologists, or other experts, but they regularly label
| information that they have little inside technical expertise on
| as misinformation.
|
| With so much obvious misinformation on stack exchange, why is
| Google so blase about directing searchers to the site?
| bronzeage wrote:
| Because Google doesn't label misinformation because Google
| really wants to, but because it's pushed by the government
| under the guise of "just a private company".
|
| It's supposed to be unconstitutional to have your government
| censoring things, but covid-19 is the catch all excuse for any
| authoritarian violation these days.
| stabbles wrote:
| Looking forward to statistics on vulnerabilities in Copilot
| suggestions
| paul_f wrote:
| I don't have a problem with this. If I am trying to figure out
| how to do something, I'd rather the help be focused on the thing,
| and not confuse me by adding the mysqli_real_escape_string stuff.
| Yes, I know about little bobby tables and all that. Same with
| trying to see an example of a php form. I don't need the
| csrftoken, I already know to do that. Yes, it might help a
| novice, but don't make everything more complicated just for
| beginners' benefit
| TeMPOraL wrote:
| > _If I am trying to figure out how to do something, I'd
| rather the help be focused on the thing, and not confuse me by
| adding the mysqli_real_escape_string stuff._
|
| In this case, the help is fundamentally _wrong_. Other than
| "what is an example of a dumb programming mistake?", there
| aren't really questions to which a valid answer involves
| concatenating arbitrary strings and executing the result as an
| SQL command.
|
| If your question is, "how do I execute an SQL command?", there
| are many better examples to use. If the question is, "how do I
| store user-supplied data in the database?", or "how do I query
| using user-supplied values", then the answer should not give
| you what amounts to an accidentally working hack.
|
| SQL is _a language of its own_. It has a syntax and a grammar.
| When generating SQL from PHP (or any other language), you're
| switching languages - there must be a translation step
| involved. Any answer that doesn't bring this up explicitly is
| just _wrong_.
| mgkimsal wrote:
| > "... and not confuse me by adding the
| mysqli_real_escape_string stuff... CSRF token ...I already know
| to do that..."
|
| If you're already that good, how does seeing a CSRF token in an
| answer actually impact you? Does it prevent you from
| copy/pasting someone's "example" code?
| ChuckMcM wrote:
| Pretty much. The best way to insert supply chain exploits is to
| embed them in a stack exchange answer to a beginner's question.
|
| This isn't new, we've always had programmers who programmed by
| "recipe" rather than first principles, and DRY paints that as a
| feature, but it underlies a lot of pain and cost over the years.
|
| To give some context, I inherited some kernel code when I worked
| in the Systems Group at Sun Microsystems in the 80's that was
| written by a mathematician who had become a programmer because
| the money was in programming, not applied math. They had cut and
| pasted code they didn't understand in order to achieve the result
| they wanted out of the code they were "writing." When I inherited
| it I read through it and found a couple of dozen ways the code
| would panic the kernel[1]. Once fixing those obvious issues, it
| became clear that the original owner of the code didn't really
| understand what computation did. They had an idea, and
| mathematically they could show that it was correct, but literally
| no ability to express that algorithmically.
|
| This is not a "new" problem but it is an important one that
| managers of software engineers need to watch for.
|
| [1] At the time the only difference between "kernel" programmers
| and "application" programmers was that kernel programmers
| recognized that unsafe code crashed the whole system, not just
| the application. So they tended to be cultivated from paranoid
| programmers.
| kadoban wrote:
| In PHP's case, Stack Exchange is not necessary to get SQL
| injected tutorials. The official docs for _years_, if not
| decades, included them. The docs for how you were supposed to
| do SQL were just full of the antipattern of building queries by
| string formatting and concatenation. I wouldn't be surprised if
| some dark corner of the docs still had those available.
| nine_k wrote:
| "Else you are not getting the authentic php4 experience!" /s
|
| PHP has been in a poor shape for many, many years. It started
| shaping up in the last few years, and there is a large
| backlog to tackle, colossal if you include all the numerous
| tutorials and Q&As that have been getting copy-pasted since 2000.
| mschuster91 wrote:
| The language never was the problem, not since PHP 5.1 at
| least (which introduced PDO) and that is 16 years ago.
|
| The problem always was the ecosystem that took _decades_ to
| update and the fact that Google's search is algorithm-ranked
| and not supposed to be curated by humans, which
| would have kicked out at least the most horribly insecure
| stuff.
| treeman79 wrote:
| Thought the best way was to develop a basic and easy library.
| Then upload a malicious binary that doesn't match the source.
|
| There was a really good post on how to do it and evade
| detection.
| pvg wrote:
| _The best way to insert supply chain exploits is to embed them
| in a stack exchange answer to a beginner's question._
|
| None of these answers seem to come from SE so this might be
| harder than you might assume.
| latchkey wrote:
| > _The best way to insert supply chain exploits is to embed
| them in a stack exchange answer to a beginner's question._
|
| I'd love to see a concrete example of this happening in this
| way!
|
| The rest of your story just describes 'smart, but bad jr.
| programmer' and doesn't really discuss the exploit issue.
| laurent123456 wrote:
| 50% is also what I had found on Stackoverflow (2018) -
| https://laurent22.github.io/so-injections/
| cmeacham98 wrote:
| The top code snippet in the "latest vulnerabilities" section
| (as of the time of writing) is:
|
|     $query = "SELECT * FROM wp_misure WHERE Id = '".mysqli_real_escape_string($link, $_GET['id'])."'";
|
| This is not vulnerable to SQLi unless I misremember how
| real_escape_string works.
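Zababa asked what the actual way of doing this in PHP is, TeMPOraL's point is that there has to be a translation step between PHP and SQL, mschuster91 names PDO as the fix available since PHP 5.1, and cmeacham98's snippet above shows the escaping approach. As an added example (not code from the thread, from any of the tutorials it discusses, or from laurent123456's scanner), here are the three approaches side by side. It runs offline against an in-memory SQLite database through PDO; PDO::quote() stands in for mysqli_real_escape_string(), and the table and rows are constructed for the demo.

```php
<?php
// Added example: concatenation vs. escaping vs. prepared statements, all
// answering the same question ("find a user by e-mail") from the same input.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
    $db->exec("INSERT INTO users (email) VALUES ('alice@example.com'), ('bob@example.com')");
    return $db;
}

// 1. The tutorial antipattern: the PHP string *is* the SQL program, so a
//    quote in $email changes the program rather than the data.
function findByEmailConcat(PDO $db, string $email): array
{
    $sql = "SELECT email FROM users WHERE email = '" . $email . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaping, as in cmeacham98's snippet. PDO::quote() here plays the role
//    of mysqli_real_escape_string() plus the surrounding quotes. It holds up
//    only while the result lands exactly where a quoted string literal is
//    expected, and every call site has to remember to do it.
function findByEmailQuoted(PDO $db, string $email): array
{
    $sql = 'SELECT email FROM users WHERE email = ' . $db->quote($email);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. The translation step: the SQL text is fixed and the value travels
//    separately, so the database never parses the value as SQL.
function findByEmailPrepared(PDO $db, string $email): array
{
    $stmt = $db->prepare('SELECT email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();

// Constructed inputs: an honest lookup and the textbook tautology that
// rewrites the WHERE clause when it is glued into the query as text.
$inputs = [
    'alice@example.com',
    "' OR '1'='1",
];

foreach ($inputs as $input) {
    printf("input %s\n", var_export($input, true));
    printf("  concat:   %s\n", json_encode(findByEmailConcat($db, $input)));
    printf("  quoted:   %s\n", json_encode(findByEmailQuoted($db, $input)));
    printf("  prepared: %s\n", json_encode(findByEmailPrepared($db, $input)));
}
```

For the honest address all three functions agree; for the second input only the concatenated version hands the whole table back, because the others treat the string as a value to compare against rather than as SQL. The escaping version is correct here for the same reason cmeacham98 gives for the snippet above (the value is inside quotes), but it depends on that quoting being present at every call site, which is the discipline the prepared statement removes the need for.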
| laurent123456 wrote:
| Yes it's not 100% accurate but still gives a good
| approximation. See here for more info:
| https://github.com/laurent22/so-sql-injections/issues
___________________________________________________________________
(page generated 2021-07-25 23:00 UTC)