科技回声 (TechEcho): a tech news platform built on Next.js that mirrors Hacker News via the HackerNews API, providing global tech news and discussion threads.
Google results for PHP tutorials contain SQL injection vulnerabilities

556 points, by phil294, almost 4 years ago

48 comments

ChuckMcM, almost 4 years ago

Pretty much. The best way to insert supply chain exploits is to embed them in a stack exchange answer to a beginner's question.

This isn't new, we've always had programmers who programmed by "recipe" rather than first principles, and DRY paints that as a feature, but it underlies a lot of pain and cost over the years.

To give some context, I inherited some kernel code when I worked in the Systems Group at Sun Microsystems in the 80's that was written by a mathematician who had become a programmer because the money was in programming, not applied math. They had cut and pasted code they didn't understand in order to achieve the result they wanted out of the code they were "writing." When I inherited it I read through it and found a couple of dozen ways the code would panic the kernel[1]. After fixing those obvious issues, it became clear that the original owner of the code didn't really understand what computation did. They had an idea, and mathematically they could show that it was correct, but literally no ability to express that algorithmically.

This is not a "new" problem but it is an important one that managers of software engineers need to watch for.

[1] At the time the only difference between "kernel" programmers and "application" programmers was that kernel programmers recognized that unsafe code crashed the whole system, not just the application. So they tended to be cultivated from paranoid programmers.
(14 replies not loaded: #27953413, #27952880, #27955115, #27954984, #27954727, #27956071, #27953186, #27958387, #27954750, #27955328, #27953817, #27952759, #27954123, #27954090)
gregjor, almost 4 years ago

I freelance fixing and maintaining legacy web apps, almost always PHP.

Anecdotally I see SQL injection vulnerabilities in about half the code I look at. It's one type of problem among many other problems and vulnerabilities in code written by amateurs and often copy/pasted.

PHP programmers can find lots of resources online. Some of those are terrible, either very old or written by amateurs excited to show how they got something to work.

I have seen the same kind of thing with Java and Python, but the popularity of PHP means there's a lot of junk info and examples online.

PHP has supported safe SQL and safe HTML for decades, but the programmer has to understand the problem and the solution.
(7 replies not loaded: #27953305, #27953453, #27956937, #27953057, #27954335, #27954761, #27961595)
gohbgl, almost 4 years ago

Some time ago I found this video series on YouTube about how to build a PHP application from scratch. Ten hours worth of XSS, CSRF, SQL injection, badly coded authentication, you name it. When confronted, the instructor said that he did not want to confuse the beginners with all of that security stuff. I just thought "ok" and moved on.

Now I went back to this guy's YouTube channel and saw that half a year later he finally did upload a bonus episode on how to mitigate SQL injections. One person in the comment section actually thanked him for the much needed video because their site was getting hacked. It is pretty hilarious to see this unfold but I do feel bad for the ~10k people who watched his videos.
(2 replies not loaded: #27955590, #27955441)
robertwt7, almost 4 years ago

I still feel bad about the image people have of PHP, but given the amount of bad tutorials and outdated packages out there I understand that most enterprises / startups want to avoid having to code in PHP again.

For the past couple of years I have been working with Laravel in a small company, and I really enjoyed it. The environment that it provides honestly is amazing. Documentation is super easy to read, Laracasts is amazing to bootstrap your knowledge in a couple of weeks, and the community is huge, so you can find almost anything already built by them.

However it's hard to find any big companies here that use PHP; the jobs popping up are mostly Python, Java and C#, thus sadly I have to leave PHP and learn Java / Python for the new big tech job (also for my own future). It's not that the Java / Python community is bad, but I'll surely miss the Laravel ecosystem.
(4 replies not loaded: #27954208, #27954286, #27963854, #27954622)
ineedasername, almost 4 years ago

I don't blame Google for this. I blame crappy tutorials that either gloss over important details or are written by people who don't know them in the first place. If Google could develop a search algorithm that selected results for quality code, they'd have an entirely separate product they could sell, perhaps as part of an "AI Cloud" assisted programming environment.
(1 reply not loaded: #27957201)
haolez, almost 4 years ago

Programming in PHP using GitHub's Copilot must be exciting :)
(2 replies not loaded: #27953584, #27953627)
Cthulhu_, almost 4 years ago

This already was a problem ten, fifteen years ago, and I see it hasn't changed. IIRC I wrote a blog post about it back then (I get spurts of inspiration, then some time later I delete the whole thing because I'm embarrassed about stuff I write, including HN comments).

There was a big "grassroots" push some years ago about pushing W3Schools docs out of the top Google results in favor of MDN; the same should be done with bad PHP code / examples. Because in practice, 90% of code is copy / pasted and adjusted.

There's just no big player behind PHP though, a party that wants to professionalize the language and more importantly its community. If there were, they would push for more authoritative tutorials and documentation. As it stands, the PHP docs are fine but are lacking information about SQL injection, and it's the 10+ year old comments on that documentation that are often more valuable than the docs themselves.

PHP is still one of the top languages out there but it has so much more potential.
lixtra, almost 4 years ago

The clean code may still have other issues. For example [1] gives away whether a certain email address is registered with the site or not.

[1] https://phppot.com/php/user-registration-in-php-with-login-form-with-mysql-and-code-download/
(2 replies not loaded: #27953316, #27953230)
closeparen, almost 4 years ago

I work on a major mobile application. We have rigorous interviews and pay well. We use a much trendier stack than PHP. Still, the number of my colleagues who can fathom that a request to our public API might come from elsewhere than our first-party client is… maybe one in a hundred.

Don't think this is just a PHP problem. All across the industry, people think of the OWASP Top 10 as some hyper-nerd shit that they don't have to care about, and are indignant that you'd even mention it in design review.
cletus, almost 4 years ago

Should tutorials be expected to teach people sufficient security? Should code snippets be production-ready to put on the Internet for the general public? I tend to think not. Is this just me?

So here's a partial list of issues you'd need to deal with:

- sanitizing input
- escaping output
- SQL injection
- HTML injection
- XSS
- CSRF
- CORS
- clickjacking
- DDoS and other resource exhaustion attacks
- various timing attacks (eg password hashing)
- how to store passwords
- depending on language, buffer overflows

That's... a lot. You can take this even further: you should assume you're going to get compromised at some point. What are you going to do to detect a breach? Or an active attempt to find a breach? What's your strategy for handling a breach?

Here's an analogy: we can tell you how to treat poison ivy without having to add a disclaimer that you're not qualified to be an attending dermatologist.
(6 replies not loaded: #27955092, #27956687, #27957300, #27961295, #27968281, #27957046)
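Two points raised above meet in the same piece of code: lixtra's observation that the linked registration tutorial reveals whether an e-mail address is on file, and cletus's list items on password storage and timing attacks (password hashing). The block below is an added example, not code from the thread or from the linked tutorial, showing a registration and login path that gives the same reply and does the same hashing work whether or not the address exists, and stores passwords with password_hash(). It assumes an in-memory SQLite database through PDO (the pdo_sqlite extension) so it runs without a MySQL server; the same PDO calls work against a mysql: DSN. The sample e-mails and passwords are constructed.

```php
<?php
// Added example, not code from the thread or from the linked tutorial:
// registration and login that do not reveal whether an e-mail address is
// registered. Assumes pdo_sqlite is enabled (in-memory database, no server).

declare(strict_types=1);

const GENERIC_LOGIN_FAILURE  = 'Invalid e-mail address or password.';
const GENERIC_REGISTER_REPLY = 'If this address is not already registered, an activation mail is on its way.';

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');

// Hash of a throwaway secret, generated once per process. Unknown accounts are
// verified against it so the "no such user" path costs as much as a real check
// and response time does not leak which addresses exist.
function dummyHash(): string
{
    static $hash = null;
    return $hash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
}

// Registration: a duplicate e-mail gets exactly the same reply as a new one.
// The "this e-mail is already taken" message tutorials print is the oracle
// that lets an attacker test which addresses have accounts.
function register(PDO $db, string $email, string $password): string
{
    $hash = password_hash($password, PASSWORD_DEFAULT); // salted bcrypt, never md5()/sha1() or plaintext
    try {
        $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
        $stmt->execute([$email, $hash]);
        // A real application sends the activation mail here.
    } catch (PDOException $e) {
        // UNIQUE violation: the account already exists. A real application
        // mails the existing owner ("someone tried to register with your
        // address") rather than telling the caller anything.
    }
    return GENERIC_REGISTER_REPLY;
}

// Login: one message for "no such user" and for "wrong password", and the
// same amount of hashing work on both paths.
function login(PDO $db, string $email, string $password): array
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $hash = $stmt->fetchColumn(); // false when no row matched

    if ($hash === false) {
        password_verify($password, dummyHash()); // burn the same time, discard the result
        return ['ok' => false, 'message' => GENERIC_LOGIN_FAILURE];
    }
    if (!password_verify($password, $hash)) {
        return ['ok' => false, 'message' => GENERIC_LOGIN_FAILURE];
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        // Cost factor or algorithm changed since this hash was made: upgrade it
        // now, while the plaintext is legitimately in hand.
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE email = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $email]);
    }
    return ['ok' => true, 'message' => 'Welcome.'];
}

// Constructed sample run.
echo register($db, 'alice@example.com', 'correct horse battery staple'), "\n";
echo register($db, 'alice@example.com', 'another password'), "\n";   // duplicate: identical reply
print_r(login($db, 'alice@example.com', 'wrong password'));
print_r(login($db, 'nobody@example.com', 'wrong password'));           // identical reply to the call above
print_r(login($db, 'alice@example.com', 'correct horse battery staple'));
```

The two failed logins return the same array, and the two registrations the same string; the only observable difference between a registered and an unregistered address is the activation mail, which goes to the mailbox owner rather than the caller. Rate limiting per address and per source IP belongs in front of both functions but is outside this example.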
pshc, almost 4 years ago

25 years of plentiful SQL injections and XSS, and 25 years of posters rushing to PHP's defense with variants of "you could do this in any language. *All* languages are potentially insecure."

At a certain point it turns from tragedy to farce.
(1 reply not loaded: #27956183)
tored, almost 4 years ago

Great article. How should the community fix this problem with bad and dangerous tutorials?

I don't think fixing Google's index is enough and probably not something we can rely on (there are other search engines).

One problem could be that the official PHP documentation only includes examples for using a specific function, not an entire use case from start to end. That would mean that examples would also include lots of HTML, CSS, SQL and JavaScript. But then of course it will no longer be PHP documentation.

Writing correct, up to date examples is very time consuming. Sites like w3schools try to do this; w3schools was bad in the past but has become better, but it is also a commercial site, so not something you want to contribute to with your own examples. At the same time it is understandable that w3schools wants something in return.

Another idea could be to contact the site owners of these tutorials, but then they probably want the correct fix. This can also be time consuming.

Maybe an index of approved tutorials voted on by the community, and then make sure this index gets high in Google's ranking.
(1 reply not loaded: #27954860)
technimad, almost 4 years ago

I've fixed production bugs by removing code copied verbatim from the PHP manual. It looked like the clueless previous developer had copy pasted code from all over the place until the code sort of did what it was supposed to do. The code snippets by themselves were ok; the composition created numerous bugs.
jart, almost 4 years ago

The worst thing about PHP is that the majority of people who visit my website are script kiddies from the third world pen testing for PHP vulnerabilities.
(1 reply not loaded: #27959129)
l0b0, almost 4 years ago

> I googled for `php mysql email register`. This returns tutorials, how-tos, code snippets. Most results include flawed DB statements.

Nothing to do with Google itself, Google being vulnerable to SQL injection, or completely arbitrary websites being vulnerable.
(1 reply not loaded: #27952539)
treve, almost 4 years ago

While the results are worrying, and not entirely surprising... the search query made me wonder how many different queries the author tried until getting a sufficiently bad result.

I wonder if the more obvious 'PHP MySQL Tutorial' would also return this. I don't think that this changes the general point of the article, there is a _ton_ of bad information out there. I did the same with "Node.js JWT" and the results were even worse.
(1 reply not loaded: #27956120)
oknowitsserious, almost 4 years ago

The first "correct" example uses the deprecated function mysql_real_escape_string. Are we still not considering every form of escaping insecure?

https://www.php.net/manual/en/function.mysql-real-escape-string.php
bobmaxup, almost 4 years ago

Is it just me or does every post on HN about PHP associated with some negative idea turn into an unmoderated flame war?
(1 reply not loaded: #27961059)
thefr0g, almost 4 years ago

I'm pretty sure that there is still quite some bad code out there that I posted to code-snippet websites when I was ~13 :/

So here's some advice I wish someone had given me back then:

Please try to at least read and understand the OWASP top ten security risks¹ before writing applications that anyone actually uses. Also please be aware that you can write insecure code in any general purpose language. Most of the bad PHP code is around because it was a popular language with hobbyists, similar to JavaScript and Python today. Languages might be better (or worse) in certain aspects but they still can't protect you from bugs in your program's logic. Only diligent planning, understanding of best practices and proper communication can help prevent those.

¹ https://owasp.org/www-project-top-ten/
doomleika, almost 4 years ago

In my work, when I raised that the design/code would expose serious security implications, architects/seniors looked at me like I am a freak.

The same person always bragged about how important security is and how good he/she is at it. The management ate it. It's only when real money is lost and the C-suite wants heads to roll that maybe mid/low management will start to take my words seriously... for a few months.

There's just no easy way to verify the security of an app. Being security aware and trying to make the code secure will cost extra time and make you a diva.

Right now I simply refuse to allow that madness to infect my code and create clear paper trails, so I can keep my code/job rather sane in the asylum.
laurent123456, almost 4 years ago

50% is also what I had found on Stackoverflow (2018) - https://laurent22.github.io/so-injections/
(1 reply not loaded: #27953450)
stabbles, almost 4 years ago

Looking forward to statistics on vulnerabilities in Copilot suggestions.
0x0nyandesu, almost 4 years ago

Generally speaking, lesson 1 on building queries skips over injections, and only after the basic premise is explained do you go into the details on how to be secure in lesson 2.
(1 reply not loaded: #27955882)
jarym, almost 4 years ago

I'm not surprised; plenty of tutorial writers (totally wrongly imo) want to write the simplest example they can cobble together under the guise of 'making it easy for people to understand'. There's no excuse for avoiding SQL escaping and using parameterised SQL, and if it takes a bit longer for learners to pick it up then that's just the cost of learning something new.

I really REALLY can't stand it.
kilodeca, almost 4 years ago

What should I say? Why do those people think they need to write a tutorial? After all those "AI" advances, GS can't figure out which one is good content and which one is trying to sell. The web has become a sad place, where morons can have a voice and are presented to others as good "content". Much of this would not continue to exist if there was no money to make.
spicyramen, almost 4 years ago

I worked with different teams at Google that build tutorials. The hard part of this is not creating them, but maintenance. Most of the teams move to a new product and there is no incentive to update them, especially for security. Most of the updates have to do with versioning and compatibility for multiple components such as DB versions/GKE, SDK etc.
nazrulmum10, almost 4 years ago

We will create a signup system that allows users to create a new account in the system. Our first step is to create an HTML registration form. The form is pretty simple to create. It only asks for a name, email, password, and confirm password. Email addresses will be unique for every user. Multiple accounts for the same email address are not allowed.
mkl95, almost 4 years ago

I'm not a fan of PHP, but I remember it having some lightweight, built-in API to secure SQL queries. On the other hand, using a good ORM with a mature web framework removes most common vulnerabilities, and you don't have to worry as much about your junior peers creating security holes.
(1 reply not loaded: #27956358)
kevincox, almost 4 years ago

Google has an internal "style guide" that forbids any new projects in PHP because they consider it impossible to write secure applications in this language.

Of course the end result is probably that they have less PHP expertise than you might hope. But these are really sad failures.
ulzeraj, almost 4 years ago

Not related to this specific case or coding, but about bad practices in documentation in general: in my previous job I had huge headaches with some bad practices described in Microsoft's Active Directory training material. That company's forest domain ended in .local because the AD admin was an MS MVP through and through.

https://en.wikipedia.org/wiki/.local#Microsoft_recommendations

However retail stores were almost entirely composed of Linux machines except for the manager's desktop. The corporate software used on these Linux machines would always pull samba, which in turn pulled avahi. As soon as the software was installed post-imaging (because of licensing requirements), connectivity with central servers was interrupted, and the person installing it (which was always a different person because the stores were spread across the country) would often scratch their head, especially those who don't bother to read notes.
omgitsabird, almost 4 years ago

Let me show you how to do a mysql query for a web app in nodejs.

```javascript
const express = require('express');
const app = express();
const mysql = require('mysql');

app.get('/', (req, res) => {
  const connection = mysql.createConnection({
    host: 'localhost',
    user: 'me',
    password: 'secret',
    database: 'my_db'
  });
  connection.connect();
  connection.query(
    // req.query.y is interpolated straight into the SQL text: this is the injection point
    `SELECT a FROM b WHERE x = ${req.query.y}`,
    (err, results) => {
      if (err) {
        res.status(500).end();
        connection.end();
        return;
      }
      res.send(results[0]?.a);
      connection.end();
    });
});

app.listen(1234);
```

Now this will be a google result *somewhere* for how to do a query that contains an SQL injection vulnerability.

I fail to see the point of this article, as pretty much anyone who enters into web programming understands that there is something called an SQL injection vulnerability that they need to be aware of.
techbio, almost 4 years ago

> Several of these results were, simply put, SEO-optimized baloney.

My experience in the past couple of years as well, and not just for PHP. I wonder if anyone has looked into tutorial results with and without privacy controls to see if the quality is meaningfully different.
soheil, almost 4 years ago

I don't know, I feel like people love to pile on PHP nowadays. Do people actually think those who are learning PHP by searching Google for tutorials are going to be creating production-ready applications so critical that a simple SQL injection attack would be catastrophic? There will be a million other ways mistakes can be made before anything is up and running with actual users. Better a simple attack to wipe out their db early on than a more nuanced bug somewhere down the road that is so hard to catch because they're trying to figure out what stateless composition of a single purpose component means. At least PHP makes it simple to write some code and start thinking about what you want to do instead of total BS React-style esoteric f*ckry.

Let the poor newbies learn to code by seeing the simple beauty before drowning them in security nightmare scenarios.
(2 replies not loaded: #27954100, #27954312)
dvh, almost 4 years ago

People have been warning us about SQL injection for more than 2 decades, it finally starts to pay off, and then someone in JS invents div.innerHTML=`template aka glued strings` and everybody jumps on it like it's no big deal.
(2 replies not loaded: #27953418, #27954320)
1vuio0pswjnm7, almost 4 years ago

How do other search engines' results compare in this regard?
axelfreeman, almost 4 years ago

I checked the first page of Google results for "php sql login" in German and all examples are talking about escaping or prepared statements.
neycoda, almost 4 years ago

Good job, you found how the real world works. I'm sure there's no code from any other language with vulnerabilities in it posted online.
hooby, almost 4 years ago

> You can't just blindly copy paste code from the internet and expect it to be perfectly safe and sound.

What a surprise!
tester756, almost 4 years ago

People don't use ORMs there?

Those are great tools and you can always use raw SQL in exceptional cases.
(1 reply not loaded: #27954212)
dusted, almost 4 years ago

This just in: "Search results are the result of searching."
villgax, almost 4 years ago

CoPilot but for detecting horrible code & generating regexes.
matei88, almost 4 years ago

This is the PHP bashing thread for this week, enjoy ;-)
Zababa, almost 4 years ago

So what's the actual way of doing this in PHP?
(5 replies not loaded: #27954001, #27953831, #27954454, #27953739, #27953800)
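Zababa's question has no loaded replies here, and oknowitsserious asked earlier whether the escaping approach (mysql_real_escape_string) should still be considered acceptable. The block below is an added example, not code from the thread or from any tutorial the article examined. It shows the tutorial-style interpolated query beside a PDO prepared statement, then the allow-list approach for the parts of a query that placeholders cannot bind (identifiers, sort direction), which is where "escape everything" breaks down: escaping protects a quoted string literal and nothing else. It assumes an in-memory SQLite database through PDO (the pdo_sqlite extension) so it runs without a MySQL server; the same PDO calls work against a mysql: DSN. The table, rows and attacker payload are constructed. With that payload, the interpolated query matches every row in the table while the prepared statement matches none, because the prepared statement treats the whole payload as one literal e-mail address.

```php
<?php
// Added example, not code from the thread or any tutorial it discusses: the
// "does this e-mail exist" lookup from a registration page, done the
// vulnerable way and the prepared-statement way, plus allow-listing for the
// query parts placeholders cannot bind. Assumes pdo_sqlite is enabled.

declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    foreach (['alice@example.com', 'bob@example.com'] as $email) { // constructed sample rows
        $ins->execute([$email, password_hash('hunter2', PASSWORD_DEFAULT)]);
    }
    return $db;
}

// 1. The pattern the tutorials teach: string interpolation. Whatever the user
//    typed becomes part of the SQL grammar, so a quote ends the literal and the
//    rest of the input is parsed as SQL.
function emailExistsVulnerable(PDO $db, string $email): int
{
    $sql = "SELECT COUNT(*) FROM users WHERE email = '$email'";
    return (int) $db->query($sql)->fetchColumn();
}

// 2. Prepared statement: the query text is fixed and the value is bound
//    separately, so quotes, comments and keywords inside it are never parsed
//    as SQL. This replaces escaping rather than complementing it.
function emailExistsSafe(PDO $db, string $email): int
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return (int) $stmt->fetchColumn();
}

// 3. Column names and ORDER BY direction cannot be bound as parameters, and
//    escaping does not help in an unquoted position. Compare the caller's
//    input against a fixed allow-list and only ever interpolate the
//    allow-listed constant, never the raw input.
function listUsersSorted(PDO $db, string $column, string $direction): array
{
    $allowedColumns = ['id' => 'id', 'email' => 'email'];
    $allowedDirs    = ['asc' => 'ASC', 'desc' => 'DESC'];
    if (!isset($allowedColumns[$column], $allowedDirs[strtolower($direction)])) {
        throw new InvalidArgumentException('unexpected sort parameter');
    }
    $sql = 'SELECT email FROM users ORDER BY ' . $allowedColumns[$column] . ' ' . $allowedDirs[strtolower($direction)];
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

$db = makeDb();
$payload = "nobody@example.com' OR '1'='1"; // constructed attacker input for the e-mail field

printf("interpolated query, payload: %d row(s) (every row matches)\n", emailExistsVulnerable($db, $payload));
printf("prepared statement, payload: %d row(s) (treated as one literal address)\n", emailExistsSafe($db, $payload));
printf("prepared statement, alice:   %d row(s)\n", emailExistsSafe($db, 'alice@example.com'));
print_r(listUsersSorted($db, 'email', 'desc'));

try {
    listUsersSorted($db, 'email; DROP TABLE users', 'asc');
} catch (InvalidArgumentException $e) {
    echo 'rejected sort parameter: ', $e->getMessage(), "\n";
}
```

The interpolated query in step 1 is the shape the article found in most results; step 2 is the fix every PDO or mysqli tutorial should lead with, and it needs no escaping call at all. mysql_real_escape_string belonged to the removed mysql extension, and its mysqli successor still only covers quoted string literals, which is why step 3 uses an allow-list rather than escaping for the identifier and sort-direction positions.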
amachefe, almost 4 years ago

Google is a search engine, not a code instructor.
lr4444lr, almost 4 years ago

Wow! That low a ratio?
(2 replies not loaded: #27954877, #27954267)
iratewizard, almost 4 years ago

Amit Singhal's method for maintaining Google's search business unit was its success. Hopefully they realize the ML pipe dream is a failure sooner rather than later.
(2 replies not loaded: #27953347, #27952832)
tomohawk, almost 4 years ago

It would seem that misinformation such as this would be much more in the wheelhouse of companies such as Google as they consider censoring content and twiddling search results. They don't employ virologists, or other experts, but they regularly label information that they have little inside technical expertise on as misinformation.

With so much obvious misinformation on stack exchange, why is Google so blasé about directing searchers to the site?
(2 replies not loaded: #27954257, #27953443)
paul_f, almost 4 years ago

I don't have a problem with this. If I am trying to figure out how to do something, I'd rather the help be focused on the thing, and not confuse me by adding the mysqli_real_escape_string stuff. Yes, I know about little Bobby Tables and all that. Same with trying to see an example of a PHP form. I don't need the csrftoken, I already know to do that. Yes, it might help a novice, but don't make everything more complicated just for beginners' benefit.
(2 replies not loaded: #27952975, #27953065)