
A small teaching program - demonstration of principles only

Archive - Originally posted on "The Horse's Mouth" - 2016-02-08 08:22:51 - Graham Ellis

Putting a program on a public facing web server is like putting a car on the driveway outside your home, then going away on holiday. You had better make sure the car is locked, and that if it's an open-decked truck there's nothing left on the deck. Or you had better make sure that the driveway is secured. And thinking about that security, and putting it into place, is potentially a lot more effort and thought than just parking.

When I'm teaching newcomers to programming, just as if I were teaching a first-time driver, I'll help them write their program from first principles and let them see how it runs. Then I'll demonstrate what can happen when the program's left to the attention of untrained users or malicious ones (like the ones who write 'DROP DATABASE' or NULL or <h1> as their user name) and show them how to batten down the hatches against such mistakes and attacks.

On a course, I can project these early, insecure programs and indeed we can play with them and see the problems - but I'm very wary about posting the source code online because someone, somewhere will comment on a forum or review me or email me to say the program's insecure, to which my answer is "I know, read the effing commentary!".

In that spirit - some early PHP examples ... too small to be useful, too valuable as teaching examples to be lost:

A calculation in PHP - [here]

A calculation in PHP with a variable - [here]

A calculation in PHP with a variable supplied by the user - [here] - old style "register globals" and so insecure it no longer works by default, if at all!

A calculation in PHP with a variable supplied by the user - [here] - new style and a bit more secure - but don't be fooled - still prone to injections!
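As an added illustration of the contrast in the last two items (this is not code from the original post or its linked files), the same "calculation with a user-supplied variable" in the old style, the new style, and a hardened form; the parameter name "number" and the doubling calculation are assumptions.

```php
<?php
// Added example (not from the original post or its linked files): the
// "calculation with a user-supplied variable" in the styles the post contrasts.
// The parameter name "number" and the doubling calculation are assumptions.

// Old style, shown only in a comment because it relies on register_globals
// (off by default since PHP 4.2, removed in 5.4): any ?number=... in the URL
// silently became $number, and so could any other variable the script used.
//   $result = $number * 2;
//   echo "Twice $number is $result";

// New style: read the parameter explicitly from $_GET. The caller can no
// longer set arbitrary variables, but whatever they send is still echoed
// straight back into the page, so "<h1>" as a value rewrites the markup.
function calculate_naive(string $raw): string
{
    $result = (int) $raw * 2;        // cast keeps the arithmetic from failing
    return "Twice $raw is $result";  // $raw lands in the HTML unescaped
}

// Hardened: validate the input as an integer, refuse anything else, and
// escape on output even though the value is now known to be numeric.
function calculate_safe(string $raw): string
{
    $n = filter_var($raw, FILTER_VALIDATE_INT);
    if ($n === false) {
        return 'Please supply a whole number.';
    }
    $result = $n * 2;
    return 'Twice ' . htmlspecialchars((string) $n, ENT_QUOTES, 'UTF-8')
         . " is $result";
}

// In the web page the input would be $_GET['number'] ?? ''; here a few
// constructed values stand in for what real users type.
$samples = ['21', '12abc', '<h1>oops</h1>'];
foreach ($samples as $s) {
    echo 'naive: ' . calculate_naive($s) . PHP_EOL;   // echoes the <h1> back
    echo 'safe:  ' . calculate_safe($s) . PHP_EOL;    // rejects the last two
}
```

Run it from the command line to see that the naive version happily reproduces the `<h1>` markup while the hardened one refuses both malformed inputs.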