11 Replies - 6748 Views - Last Post: 04 May 2014 - 05:21 AM

#1 JackOfAllTrades

  • Saucy!

Reputation: 6109
  • Posts: 23,666
  • Joined: 23-August 08

You're DOING IT WRONG!

Posted 05 August 2013 - 05:55 AM

The PHP Twitter world "exploded" today with a tweet from Michelangelo van Dam (@DragonBe): Tweet "thread" here, in which he outs all the developers on GitHub using not only the deprecated mysql_* functions, but directly using unescaped input from the url via GET. The results of his search of GitHub for this deadly combo? "We've found 86,481 code results".

This is pathetic. Check out the thread for the input of a number of well-known PHP developers as they attempt to come to grips with fixing this grievous result.

Is This A Good Question/Topic? 3
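As an added illustration for this thread (not code from any post, nor from the repositories the GitHub search turned up), the pattern the search matches is put next to the PDO form that replaces it. The vulnerable function only builds the query text, since ext/mysql is gone from current PHP; the safe function assumes the pdo_sqlite extension so it can run against a constructed in-memory table.

```php
<?php
// Added example, not code from the thread. Shows the flagged shape
// (ext/mysql plus a raw $_GET value spliced into the SQL text) beside a
// validated, bound PDO query. Assumes pdo_sqlite; table and inputs are
// constructed below.

// The shape the search matches: mysql_query("..." . $_GET[...]). Only the
// query string is built here so the effect is visible without ext/mysql,
// which was deprecated in PHP 5.5 and removed in PHP 7.0.
function buildQueryVulnerable(array $get): string
{
    return "SELECT id, name FROM users WHERE id = " . $get['id'];
}

// Hardened replacement: validate the type first, then bind the value to a
// prepared statement so the SQL text is fixed before any user data arrives.
function findUserSafe(PDO $pdo, array $get): ?array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject rather than silently coerce
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture: an in-memory SQLite table standing in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed request values: one well-formed, one that is not an integer.
$inputs = [
    'well-formed' => ['id' => '2'],
    'malformed'   => ['id' => '2 OR 1=1'],
];

foreach ($inputs as $label => $get) {
    echo "[$label]\n";
    // Vulnerable: the value becomes part of the query's structure.
    echo "  ext/mysql query text: " . buildQueryVulnerable($get) . "\n";
    // Safe: malformed input is rejected; well-formed input is bound, not spliced.
    $row = findUserSafe($pdo, $get);
    echo "  PDO result: " . ($row === null ? 'rejected / no row' : json_encode($row)) . "\n";
}
```

Run it with `php example.php`. For the malformed value the vulnerable function emits a query whose WHERE clause has changed shape, while the PDO path returns null before any SQL is sent; binding with PDO::PARAM_INT is what makes the query text independent of the input, and the filter_var check on top of it is the type check that rejects garbage early rather than coercing it.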

Replies To: You're DOING IT WRONG!

#2 Atli

  • D.I.C Lover

Reputation: 3730
  • Posts: 6,017
  • Joined: 08-June 10

Re: You're DOING IT WRONG!

Posted 05 August 2013 - 06:09 AM

Hard to believe there are so many. It's such an obvious security risk, I could never quite figure out how people don't manage to see it. The PHP parser should really start throwing parse errors when people do that.

The search for eval uses he links to later in that Twitter thread is also quite scary. How the hell does this look like a good idea?!
if($_POST['something'] && isset($_GET['something_else']))
{
	eval($_POST['something']);           // executes PHP code taken straight from the request body
	shell_exec($_GET['something_else']); // runs a shell command taken straight from the URL
}


Was This Post Helpful? 2

#3 andrewsw

  • It's just been revoked!

Reputation: 3823
  • Posts: 13,550
  • Joined: 12-December 12

Re: You're DOING IT WRONG!

Posted 05 August 2013 - 06:20 AM

Most of our PHP Tutorials use the mysql library. If not deleted, they should at least carry the DEPRECATED notice at the top.

But we know about the use of this library. If we look through recent threads I wonder what percentage of these are still using it? I'm too lazy to count but I wouldn't be surprised if it is 70%.

(There continue to be font and center tags, and align attributes, appearing in the HTML/CSS forum.)

This post has been edited by andrewsw: 05 August 2013 - 06:28 AM

Was This Post Helpful? 0

#4 no2pencil

  • Admiral Fancy Pants

Reputation: 5395
  • Posts: 27,389
  • Joined: 10-May 07

Re: You're DOING IT WRONG!

Posted 05 August 2013 - 06:45 AM

One of those is likely mine; I put an old project out there and have not touched it since. The live site for the project is not even online any longer.

Was This Post Helpful? 0

#5 JackOfAllTrades

  • Saucy!

Reputation: 6109
  • Posts: 23,666
  • Joined: 23-August 08

Re: You're DOING IT WRONG!

Posted 05 August 2013 - 07:12 AM

Atli, on 05 August 2013 - 09:09 AM, said:

Hard to believe there are so many. It's such an obvious security risk, I could never quite figure out how people don't manage to see it. The PHP parser should really start throwing parse errors when people do that.

The search for eval uses he links to later in that Twitter thread is also quite scary. How the hell does this look like a good idea?!
if($_POST['something'] && isset($_GET['something_else']))
{
	eval($_POST['something']);           // executes PHP code taken straight from the request body
	shell_exec($_GET['something_else']); // runs a shell command taken straight from the URL
}



O_O

I need to go back and continue reading after work.

This was a classic too.

Quote

mysql_query( ... $_REQUEST ... ) needs to throw a friggin' E_GET_THE_FUCK_AWAY_FROM_THE_KEYBOARD_YOU_IDIOT.

Was This Post Helpful? 0

#6 no2pencil

  • Admiral Fancy Pants

Reputation: 5395
  • Posts: 27,389
  • Joined: 10-May 07

Re: You're DOING IT WRONG!

Posted 05 August 2013 - 07:22 AM

Oh wait, I may have misspoke. I don't read from the $_GET array...

What will be really funny is if that count gets larger rather than smaller :P
Was This Post Helpful? 0

#7 creativecoding

  • Hash != Encryption

Reputation: 928
  • Posts: 3,212
  • Joined: 19-January 10

Re: You're DOING IT WRONG!

Posted 05 August 2013 - 02:45 PM

There are also a lot of false positives in there. Type checking and casting eliminates a whole lot of risk. I think the bigger part here is the wide use of mysql_*.
Was This Post Helpful? 0
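A way to reproduce the kind of search the thread is discussing on your own code base, and to separate the casted cases creativecoding mentions from the raw ones, is a small audit pass over the PHP tokenizer. The following is an added example, not code from the thread or from any project the GitHub search found; the sink list, severities and sample source are constructed here, and the scanner only looks inside a single call's argument list.

```php
<?php
// Added example (not from the thread): a token-based audit that flags a
// request superglobal used inside the argument list of a dangerous sink,
// and downgrades the case where a numeric cast sits directly in front of it.
// Uses token_get_all from PHP's own tokenizer; sinks and sample are constructed.

const SINKS = ['mysql_query', 'mysql_db_query', 'shell_exec', 'system', 'exec', 'passthru'];
const TAINT_SOURCES = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE'];
const NUMERIC_CASTS = [T_INT_CAST, T_DOUBLE_CAST];

// Index of the nearest non-whitespace token before $i, or null if none.
function prevToken(array $tokens, int $i): ?int
{
    for ($k = $i - 1; $k >= 0; $k--) {
        if (!(is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE)) {
            return $k;
        }
    }
    return null;
}

function auditSource(string $code): array
{
    $tokens = token_get_all($code);
    $findings = [];
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) {
            continue; // single-character tokens such as '(' carry no line info
        }
        [$kind, $text, $line] = $tok;
        // Any ext/mysql call is worth an info note on its own: deprecated in 5.5, gone in 7.0.
        if ($kind === T_STRING && strpos($text, 'mysql_') === 0) {
            $findings[] = ['line' => $line, 'severity' => 'info',
                'msg' => "deprecated ext/mysql call $text()"];
        }
        // eval is its own token kind; the other sinks are plain function names.
        $isSink = ($kind === T_STRING && in_array($text, SINKS, true)) || $kind === T_EVAL;
        if (!$isSink) {
            continue;
        }
        // Skip to the opening parenthesis of the call, then walk its argument list.
        $j = $i + 1;
        while ($j < $n && $tokens[$j] !== '(') {
            $j++;
        }
        $depth = 0;
        for (; $j < $n; $j++) {
            $t = $tokens[$j];
            if ($t === '(') { $depth++; continue; }
            if ($t === ')') { if (--$depth === 0) break; continue; }
            if (!is_array($t) || $t[0] !== T_VARIABLE || !in_array($t[1], TAINT_SOURCES, true)) {
                continue;
            }
            // A numeric cast directly before the superglobal constrains the value
            // to a number, so report it at low severity instead of high.
            $p = prevToken($tokens, $j);
            $casted = $p !== null && is_array($tokens[$p])
                && in_array($tokens[$p][0], NUMERIC_CASTS, true);
            $findings[] = ['line' => $t[2], 'severity' => $casted ? 'low' : 'high',
                'msg' => sprintf('%s passed %sinto %s()', $t[1],
                    $casted ? 'with numeric cast ' : 'unvalidated ', $text)];
        }
    }
    return $findings;
}

// Constructed sample source covering the shapes discussed in the thread.
$sample = <<<'PHP'
<?php
$r = mysql_query("SELECT * FROM users WHERE id = " . $_GET['id']);
$r = mysql_query("SELECT * FROM users WHERE id = " . (int)$_GET['id']);
if ($_POST['something'] && isset($_GET['something_else'])) {
    eval($_POST['something']);
    shell_exec($_GET['something_else']);
}
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = :id");
PHP;

foreach (auditSource($sample) as $f) {
    printf("%-4s line %d: %s\n", $f['severity'], $f['line'], $f['msg']);
}
```

On the sample this reports the two mysql_query lines as deprecated, the raw `$_GET` on line 2 as high, the `(int)$_GET` on line 3 as low, and the eval and shell_exec lines as high; the PDO prepare line produces nothing. The low rating is only justified where an integer is what the query expects, and the pass does not follow a superglobal that was first copied into a local variable, so it is a triage aid for a large tree, not a substitute for moving the code to prepared statements.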

#8 graverivas

  • New D.I.C Head

Reputation: 1
  • Posts: 3
  • Joined: 16-August 13

Re: You're DOING IT WRONG!

Posted 16 August 2013 - 01:14 AM

We can learn from these issues of other developers. This will make us better developers in the future by limiting or avoiding these issues.

Was This Post Helpful? 0

#9 cokacola

  • D.I.C Head

Reputation: 5
  • Posts: 64
  • Joined: 23-July 10

Re: You're DOING IT WRONG!

Posted 03 March 2014 - 09:11 AM

Well that's a lot of bad code!
Nothing hurts my eyes more than using mysql_* functions to insert _GET or _POST variables directly into the database.
It's like plain-text passwords with a public phpmyadmin using a root with a password of 'abc123' or something.
Seriously I think it could give some developers a stroke!
Was This Post Helpful? 0

#10 bhensley

  • New D.I.C Head

Reputation: 3
  • Posts: 8
  • Joined: 18-April 14

Re: You're DOING IT WRONG!

Posted 18 April 2014 - 01:57 PM

Truthfully I feel this problem started a number of years ago, when the extension came off active development and deprecation was announced as its ultimate course. The depressing bit is that it has taken this long for people to still not catch a hint. I, in part, blame the numerous online tutorials that still preach ext/mysql. And those that have been up for years and not taken down.
Was This Post Helpful? 0

#11 OliverKuchies

  • New D.I.C Head

Reputation: 2
  • Posts: 28
  • Joined: 27-April 14

Re: You're DOING IT WRONG!

Posted 02 May 2014 - 06:50 PM

I might consider writing a PDO Login / Register tutorial just to get all the new PHP users to start using database queries that won't kill them.. :gun_bandana:
Was This Post Helpful? 0

#12 Atli

  • D.I.C Lover

Reputation: 3730
  • Posts: 6,017
  • Joined: 08-June 10

Re: You're DOING IT WRONG!

Posted 04 May 2014 - 05:21 AM

You mean like this one?
Login Seen From The SQL Point-Of-View
Was This Post Helpful? 0