While we are at it.. XSS search:
<a href="https://github.com/search?q=extension%3Aphp+%3C%3F%3D%24_GET&type=Code&ref=searchresults" rel="nofollow">https://github.com/search?q=extension%3Aphp+%3C%3F%3D%24_GET...</a>
Heh, cute. This means Github could probably do some automated means of informing these people that their code is insecure and would be a danger to themselves and their users. I'm not sure if they should, but it's interesting that they could.
This is a potentially great idea. You could make your build process include submitting your code to a search engine like this (perhaps in some obfuscated manner) and making illegal patterns fail if not manually "approved". Just because the halting problem exists doesn't mean there's not a low hanging fruit in approaching it.
This isn't a search for SQL injection, it's a search for a couple of things that you often find in older PHP code that is generally hacked together and likely to have SQL injection vulnerabilities for historical and cultural reasons. However it's perfectly easy to avoid SQL injection even using these things.<p><pre><code>$id = mysql_real_escape_string($_GET['id']);
$res = mysql_query("SELECT foo FROM bar WHERE id='$id'");
</code></pre>
That may be ugly, but it's bulletproof regarding injection.
I don't know much about PHP but I happened to rewrite some old forms a couple of years ago. The original author had relied on a technique called "magic quotes" (<a href="http://php.net/manual/en/security.magicquotes.php" rel="nofollow">http://php.net/manual/en/security.magicquotes.php</a>) which automatically sanitized user input. When we upgraded our version of PHP "magic quotes" had been deprecated and dropped.<p>It would be interesting to know if some of these developers are relying on "magic quotes" or something similar... and also to know how large a share of the total number of projects these projects represent.
Looking around I found a simple CMS sold to small online stores. Through their links you can find a listing of their customers (people who use their CMS). Problem is the CMS is open to SQL injection everywhere. If a script kiddie found this info they could take down a lot of online stores. Not good.
Nice example, but not all are insecure. For example, the second one here is:<p><pre><code> $result = mysql_query('DELETE FROM saves WHERE id = '.(int)$_GET['delete']);</code></pre>
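An added example (not from any commenter in this thread) of the build-time pattern check proposed earlier: a small Python heuristic that flags PHP lines where a request superglobal reaches mysql_query() unescaped, while letting through the mysql_real_escape_string() and (int) cast forms shown above. The sample PHP lines and all names are constructed for illustration; a regex check like this is a cheap first filter, not a parser, and will miss data that flows through intermediate variables.

```python
import re

# Constructed sample PHP lines modelled on the patterns discussed in the thread
# (raw superglobal interpolation vs. escaping/casting); not from any real repo.
SAMPLE_PHP = r'''<?php
$res = mysql_query("SELECT foo FROM bar WHERE id='$_GET[id]'");
$id = mysql_real_escape_string($_GET['id']);
$res = mysql_query("SELECT foo FROM bar WHERE id='$id'");
$result = mysql_query('DELETE FROM saves WHERE id = '.(int)$_GET['delete']);
$r = mysql_query("SELECT * FROM t WHERE name='" . $_POST['name'] . "'");
$stmt = $pdo->prepare("SELECT foo FROM bar WHERE id = ?");
'''

SUPERGLOBAL = r'\$_(?:GET|POST|REQUEST|COOKIE)\b'
# Capture everything passed to mysql_query(...) on a single line.
QUERY_CALL = re.compile(r'mysql_query\s*\((?P<arg>.*)\)\s*;?\s*$')
# Uses of a superglobal that the thread treats as safe against injection.
SAFE_WRAPPERS = (
    re.compile(r'\(int\)\s*' + SUPERGLOBAL),
    re.compile(r'intval\s*\(\s*' + SUPERGLOBAL),
    re.compile(r'mysql_real_escape_string\s*\(\s*' + SUPERGLOBAL),
)

def is_suspicious(line: str) -> bool:
    """True when mysql_query() receives a superglobal with no escape or cast."""
    m = QUERY_CALL.search(line)
    if not m:
        return False
    arg = m.group('arg')
    if not re.search(SUPERGLOBAL, arg):
        return False
    # Blank out the recognised safe forms; anything left is a raw superglobal.
    for wrapper in SAFE_WRAPPERS:
        arg = wrapper.sub('SAFE', arg)
    return re.search(SUPERGLOBAL, arg) is not None

def scan(source: str):
    """Return (line_no, line) for each suspicious line in a PHP source string."""
    return [(n, l.strip()) for n, l in enumerate(source.splitlines(), 1)
            if is_suspicious(l)]

if __name__ == '__main__':
    # A build step would exit non-zero here until each hit is reviewed.
    for n, l in scan(SAMPLE_PHP):
        print(f'line {n}: {l}')
```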
I would like to say I'm surprised, but I'm not. PHP makes this easier by not even supporting parameter binding in the older, original mysql binding, so it's more prevalent.<p>That said, I'm sure a slight tweak to the search would find a lot in other languages as well.
Sort the results by "last indexed" and see that people are doing it right now!<p><a href="https://github.com/search?q=extension%3Aphp+mysql_query+%24_GET&type=Code&s=indexed" rel="nofollow">https://github.com/search?q=extension%3Aphp+mysql_query+%24_...</a>
There is a <i>huge</i> need in the space for a well marketed quality assurance contractor who can find problems like this and fix them.<p>"We found these issues, and we can fix them all. Pay us for finding them or pay us some more for fixing them, too." sort of thing.<p>Why don't you see QA shops popping up like this?
I guess people would pay for a service that could identify 90% of all security issues with an online service by going through source code and available routes. Anything that is available today?
More comprehensive search for bugs: <a href="https://github.com/search?q=extension%3Aphp&type=Code&ref=searchresults" rel="nofollow">https://github.com/search?q=extension%3Aphp&type=Code...</a>
And for examples not limited to github <a href="http://searchcode.com/?q=mysql_query%20%24_GET%20lang%3APHP" rel="nofollow">http://searchcode.com/?q=mysql_query%20%24_GET%20lang%3APHP</a>