[ale] Be careful where you learn to code

DJ-Pfulio DJPfulio at jdpfu.com
Sat Apr 22 11:02:41 EDT 2017


On 04/21/2017 10:40 AM, Alex Carver wrote:
> On 2017-04-21 07:19, DJ-Pfulio wrote:
>> Be careful where you learn to code. Not all tutorials are equal,
>> especially for web-app scripted languages.
>>
>> https://www.helpnetsecurity.com/2017/04/21/programming-tutorials-vulnerabilities/
> 
> That MySQL example on the page is just awful.  I've seen some written
> this way but with large warning boxes below the example that explicitly
> say this method is insecure and only intended to show a process flow
> (checking against a count of users).
> 
> Doesn't matter the language, the basic concept of sanitizing user input
> should be universal whether by using sanitizing functions, stored
> procedures for DBs, casting or anything else.
>  

And never trust clients. Sanitizing all input to the server is
mandatory. Anyone can make an alternate client and send whatever data
they like.  White-hat security people do this all the time, and we've
heard about people ordering $500 in stuff for $1. The server "trusted"
the client's price. Foolish. NEVER trust the client.  This applies 1000x
more on smartphone apps. I've watched people hack some backend servers a
few times for well-known smartphone apps - like add phony gold to their
characters. There are tools to modify smartphone apps too.
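
The count-of-users login check Alex describes and the client-supplied price DJ mentions, as an added example that is not from the thread: Python with an in-memory sqlite3 database standing in for the tutorial's MySQL; the table names, columns and sample rows are assumptions, and the flawed form is shown beside the server-side form.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the tutorial's MySQL schema (assumed names).
    # Passwords are stored in clear only to mirror the tutorial; real code hashes them.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    db.execute("CREATE TABLE products (sku TEXT PRIMARY KEY, price_cents INTEGER)")
    db.execute("INSERT INTO products VALUES ('widget', 50000)")
    return db

def login_insecure(db, name, pw):
    # The tutorial pattern: user input spliced into the SQL text, then
    # "logged in" if the count of matching users is non-zero.
    sql = f"SELECT COUNT(*) FROM users WHERE name='{name}' AND pw='{pw}'"
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, name, pw):
    # Same check, but the driver passes name/pw as values, never as SQL text,
    # so quotes or keywords in the input cannot change the query.
    sql = "SELECT COUNT(*) FROM users WHERE name=? AND pw=?"
    return db.execute(sql, (name, pw)).fetchone()[0] > 0

def checkout_trusting_client(db, order):
    # Server bills whatever price the client sent: the "$500 in stuff for $1" case.
    return order["qty"] * order["price_cents"]

def checkout_server_priced(db, order):
    # Server ignores any client price, looks the SKU up in its own catalogue
    # and validates the quantity it was sent.
    qty = int(order["qty"])
    if qty < 1 or qty > 100:
        raise ValueError("bad quantity")
    row = db.execute("SELECT price_cents FROM products WHERE sku=?",
                     (order["sku"],)).fetchone()
    if row is None:
        raise ValueError("unknown sku")
    return qty * row[0]
```

Run both login functions with a password of `' OR '1'='1` against the same database: the spliced query reports a match for any user, the parameterized one reports none.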


