Hacker News new | ask | show | jobs
by JimDabell 782 days ago
Not an SQL injection, but I opened Google in a private browsing window, searched for “php mysql tutorial”, and it brought me to the W3Schools tutorial, which has multiple other vulnerabilities relating to how PHP just dumps its output into HTML unescaped without a second thought. At a glance, I see obvious XSS and open redirect vulnerabilities.

https://www.w3schools.com/php/php_mysql_select.asp
1 comments
cess11 782 days ago
W3Schools being consistently shit for decades doesn't really reflect badly on PHP specifically.
link
JimDabell 782 days ago
It’s the top hit for “PHP MySQL tutorial”. This is what PHP newbies are learning from.

The same tutorial with Django wouldn’t have the same problem because Django auto-escapes strings you dump into HTML. These vulnerabilities only exist in this tutorial because PHP treats its output as HTML by default not text, so you need to put in extra effort to be secure.

link
cess11 782 days ago
Django is a framework. If you want to compare against it you'd look at Laravel tutorials.
link
JimDabell 782 days ago
It’s how people write code for the web with Python. Substitute Flask if you like.

People who are new to PHP and want to learn how to use MySQL will search for “PHP MySQL tutorial” and they will find insecure garbage.

The fact that you can find good tutorials does not negate the fact that people do find terrible ones.

link
cess11 782 days ago
And that never happens with Python? No one has ever published garbage articles about it?
link
JimDabell 782 days ago
That are the top hit on Google for a common beginner query and contain multiple vulnerabilities caused by a flaw unique to the language?

And we aren’t talking about an article, we’re talking about a tutorial. There’s a very big difference between the two, why are you switching? Tutorials are obviously vastly more important to beginners.

Let me remind you of the context:

> > Mixing server side and front end code is bad news. I think following many PHP-MySql tutorials will result in SQL injection vulnerabilities. Not good.

> i think you'd have to go back at least a decade to find tutorials that bad

This is something that is harming people learning PHP today, not the distant past.

link