On April 23, 2017 4:31:42 PM EDT, Simon Slavin <slav...@bigfraud.org> wrote:
>There’s been almost no traffic on this list this weekend so I don’t
>feel too bad posting something that’s not specifically about SQLite. 
>But a lot of us use SQLite as a back end for web-facing databases,
>called from PHP, and this is about PHP tutorials found on the web.
>
>ObAcronym: "SQLi" is short for "SQL injection".
>
><https://www.helpnetsecurity.com/2017/04/21/programming-tutorials-vulnerabilities/>
>
>“Thanks to our framework, we have uncovered over 100 vulnerabilities in
>web application code that bear a strong resemblance to vulnerable code
>patterns found in popular tutorials. More alarmingly, we have confirmed
>that 8 instances of a SQLi vulnerability present in different web
>applications are an outcome of code copied from a single vulnerable
>tutorial,” they noted. “Our results indicate that there is a
>substantial, if not causal, link between insecure tutorials and web
>application vulnerabilities.”
>
>Moral: Web tutorials are for teaching you how a computer language
>works.  Don’t copy-and-paste them into production code without thinking
>through the consequences.  If you don’t understand what you’re doing,
>hire an experienced programmer.  That’s what they’re for.
>
>Simon.
>_______________________________________________
>sqlite-users mailing list
>sqlite-users@mailinglists.sqlite.org
>http://mailinglists.sqlite.org/cgi-bin/mailman/listinfo/sqlite-users

How depressing, that people still fail to learn the lessons of SQL injection 
because others fail to teach them. 

I'm currently writing a PHP application which uses SQLite, and I am of course 
paranoid about using prepared statements; I'd love it if we could all get the 
basics right so that articles warning about less straightforward problems would 
stand out more. 

Hopefully that article will reach some of those who need it. Thanks, Simon. 
-- 
J. King