
Security Matters and is Taught Poorly

By Ryan Lambert -- Published April 12, 2014

I don't think this will surprise you, but data security is a huge problem and it is not going to go away. What's the biggest security concern for an online system? Injection. OWASP's Top 10 list still includes SQL Injection as the most common issue. If we all know about the problem, why is it still a problem? We have the knowledge of the problem, we have the solution for the problem, and the solution isn't really that tricky... so why is it still a problem?

Well, today I found a post on a fairly popular tech site from October 2013 that looked intriguing. As I read, I only became more appalled with every paragraph and it's obvious why we still have people creating insecure applications.

Do NOT Promote Outdated Products

One of the first things that made me dislike the post was this statement:

... make sure your webserver or host provides you with at least PHP 5.2 ...

In October 2013 when that post was written, PHP 5.2 was almost 3 years beyond end of life. It should not still be promoted as "use at least this version." I can understand the need to maintain legacy applications but if you're maintaining an application on PHP 5.2, you should be working on upgrading to a supported version of PHP. PHP 5.3 is already in End of Life support so should not be encouraged for new development either.

Insecure Examples Help No One

Further down in the same post was an example of inserting data that should never be used. (Please read that again - this next example should NEVER be used!)

$sql="INSERT INTO  tags (username, latitude, longitude, country,destintyudid,points) 
    VALUES ('$_POST[sender]','$_POST[latitude]','$_POST[longitude]',
    '$_POST[country]','$_POST[receiver]','$_POST[points]')";

Do you see the problem? If you noticed that the values are taken directly from the global $_POST array and interpolated into the SQL string without sanitizing them first, you'd be correct. Instead you should validate your form inputs and use PDO or some other method of parameterization to secure your application. The example below will help protect you from most SQL injection attacks.

// Placeholder names in the SQL must match the keys passed to execute().
$sql = $db->prepare("INSERT INTO tags (username, latitude, longitude, country, destintyudid, points)
    VALUES (:sender, :latitude, :longitude, :country, :receiver, :points)");
$sql->execute(array('sender' => $sender, 'latitude' => $latitude, 'longitude' => $longitude,
    'country' => $country, 'receiver' => $receiver, 'points' => $points));
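As an added, stand-alone illustration (not code from this post or from the tutorial it criticises), the following PHP script combines the two recommendations above: whitelist validation of the form fields, then a PDO prepared statement for the same tags INSERT. It uses an in-memory SQLite database and constructed request data in place of $_POST so it runs without a web server; the validation rules, the table layout and the function names are assumptions chosen for the demo.

```php
<?php
// Added example, not from the original post: validate form fields, then insert
// them with a PDO prepared statement. Runs stand-alone against in-memory SQLite.

// Whitelist validation. These rules are assumptions for the demo; adjust them
// to what your application actually accepts.
function validateTagInput(array $post): array
{
    $clean = [];
    $errors = [];

    // Usernames: letters, digits, _ . ' - (the apostrophe is allowed on purpose
    // so the demo can show a quote being stored as data, not parsed as SQL).
    foreach (['sender', 'receiver'] as $field) {
        $value = (string) ($post[$field] ?? '');
        if (preg_match('/^[A-Za-z0-9_.\'-]{1,32}$/', $value)) {
            $clean[$field] = $value;
        } else {
            $errors[] = "$field: 1-32 chars of letters, digits, _ . ' -";
        }
    }

    // Coordinates must parse as numbers and fall inside the valid ranges.
    foreach (['latitude' => 90, 'longitude' => 180] as $field => $limit) {
        $value = filter_var($post[$field] ?? null, FILTER_VALIDATE_FLOAT);
        if ($value === false || $value < -$limit || $value > $limit) {
            $errors[] = "$field: number between -$limit and $limit";
        } else {
            $clean[$field] = $value;
        }
    }

    // Two-letter country code, uppercase only.
    $country = (string) ($post['country'] ?? '');
    if (preg_match('/^[A-Z]{2}$/', $country)) {
        $clean['country'] = $country;
    } else {
        $errors[] = 'country: two uppercase letters';
    }

    // Points: non-negative integer with an upper bound.
    $points = filter_var($post['points'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 1000000]]);
    if ($points === false) {
        $errors[] = 'points: integer between 0 and 1000000';
    } else {
        $clean['points'] = $points;
    }

    return [$clean, $errors];
}

// Named placeholders: the values travel separately from the SQL text, so a
// quote or keyword inside a value is stored as data rather than parsed as SQL.
function insertTag(PDO $db, array $clean): int
{
    $stmt = $db->prepare(
        'INSERT INTO tags (username, latitude, longitude, country, destintyudid, points)
         VALUES (:sender, :latitude, :longitude, :country, :receiver, :points)'
    );
    $stmt->execute([
        ':sender'    => $clean['sender'],
        ':latitude'  => $clean['latitude'],
        ':longitude' => $clean['longitude'],
        ':country'   => $clean['country'],
        ':receiver'  => $clean['receiver'],
        ':points'    => $clean['points'],
    ]);
    return (int) $db->lastInsertId();
}

// Stand-alone demo: in-memory database with a table shaped like the post's.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tags (id INTEGER PRIMARY KEY, username TEXT, latitude REAL,
    longitude REAL, country TEXT, destintyudid TEXT, points INTEGER)');

// Constructed request bodies standing in for $_POST: two valid (one containing
// a single quote), one that fails validation and never reaches the database.
$requests = [
    ['sender' => 'ryan',    'receiver' => 'pat',  'latitude' => '39.74',
     'longitude' => '-104.99', 'country' => 'US', 'points' => '10'],
    ['sender' => "o'brien", 'receiver' => 'ryan', 'latitude' => '51.5',
     'longitude' => '-0.12',   'country' => 'GB', 'points' => '5'],
    ['sender' => 'mallory', 'receiver' => 'ryan', 'latitude' => '95',
     'longitude' => '-0.12',   'country' => 'GB', 'points' => 'ten'],
];

$lookup = $db->prepare('SELECT username FROM tags WHERE id = :id');
foreach ($requests as $i => $post) {
    [$clean, $errors] = validateTagInput($post);
    if ($errors) {
        echo "request $i rejected: " . implode('; ', $errors) . "\n";
        continue;
    }
    $id = insertTag($db, $clean);
    $lookup->execute([':id' => $id]);
    echo "request $i stored as row $id, username = " . $lookup->fetchColumn() . "\n";
}
```

Run it with `php` on the command line (the pdo_sqlite extension is needed). The second request shows the point of the prepared statement: the username o'brien is stored with its quote intact because the driver never splices it into the SQL text, while the third request is rejected by validation before any query is built, so the database never sees an out-of-range latitude or a non-numeric points value.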

Security is Everyone's Problem

Yes, it takes a bit more code, and you have to explain a little more to connect all the pieces but that's how real life works. If you want to be a programmer you have to be willing to invest the time to do it right to protect your data, and your users' data! If you want to write a tutorial to show people how to program something, you must follow the same principles and show secure examples otherwise the bad practices continue propagating.

(Image: "Exploits of a Mom" comic)

Final Thoughts

I'll be the first to admit that my code has bugs, and has security issues as well. I'd be delusional to think otherwise because I'm human and make mistakes, but I always encourage people to let me know if they know of a better or more secure way to accomplish something. The news of the Heartbleed Bug is a not-so-subtle reminder that we have to take security seriously. So please stop teaching people the wrong way to do things, we have enough problems to deal with as it is!

I don't want a lazy fireman to be the one responsible for saving the lives of my loved ones, and I don't want a lazy programmer who doesn't care about security responsible for creating anything connected to the internet.

Last Updated April 12, 2014