[dorward]

Their PHP+MySQL tutorial has an SQL injection vulnerability in every example that takes user input. It never mentions SQL injection as a possible problem and it never covers any of the techniques needed to defend against it.

In my book, that's unforgivable and they won't get any slack from me until they fix it.

[bbotond]

Very true. It amazes me that in 2012, the code in 8 out of 10 PHP/MySQL questions on StackOverflow is still vulnerable to SQL injection. Sometimes people post code that is running on real, production web sites that handle credit card data. They even give you the URL. It's super easy to crack any of them - hell, you can see exactly what you have to do in the ugly 500-line monstrosity they posted. Any resource that is dedicated to education and teaches web development should take SQL injection very seriously. There is no excuse for not doing so.

[jiggy2011]

The problem is that these tutorials were written a looong time ago when the default was to have magic quotes switched on which has probably saved thousands of newbie developers apps from being SQL injected. The default is now off.

Of course magic quotes caused problems with excessive escaping in DB fields leading to some developers explicitly de-escaping values before adding them to the DB.

[pretoriusB]

That happens in 99% of PHP+MySQL tutorials out there...

And looking a little closer, even in the most reputable sources, you can found XSS and especially CSRF vulnerabilities aplenty.

People should not get security advice from a beginner's tutorial anyway, even if it covered XSS, it would have tons of other problems.

[bbotond]

But those tutorials should include a warning like "what we teach here is enough for you to build a nice dog house but using the same techniques on a sky scraper will surely lead to disaster" - and then give you resources to educate yourself further.