Submitted via IRC for TheMightyBuzzard
Researchers have checked 64,000+ GitHub projects, and found 117 vulnerabilities introduced through the use of code from popular programming tutorials.
Things like this are why I would never hire a professional programmer without an online portfolio of source code to check for Blatant Stupidity.
Source: https://www.helpnetsecurity.com/2017/04/21/programming-tutorials-vulnerabilities/
(Score: 1, Insightful) by Anonymous Coward on Sunday April 23 2017, @10:55PM
There's a difference between "A tutorial that shows everything that can go wrong is not a tutorial" and the crap they show in these tutorials.
- no mention of security awareness or even input validation.
- using deprecated mysql calls (not using mysqli or PDO).
- concatenating unsanitized user input directly into the SQL string (not even using the deprecated mysql_real_escape_string() to make a half-assed effort).
- not using parameterized queries.
- I could go on but their code has already been hacked by now.
Creating a very similar, but secure, basic tutorial isn't that much more work. Even W3Schools gets it right and their tutorials are not all that complicated.
I agree that copy & paste coding is a bad idea, but it is so common that I expect it will live in infamy inside countless IoT devices.
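The two patterns the comment contrasts, side by side, as an added example that is not code from the submission, the linked article or the commenter: a query built by concatenating the caller's input into the SQL string, and the same lookup done with a PDO prepared statement and a bound parameter. It uses PDO over an in-memory SQLite database (an assumption made so it runs offline with no MySQL server); the table, rows and inputs are constructed for the demonstration.

```php
<?php
// Added example, not from the page. PDO with in-memory SQLite so it runs
// offline; the users table and its rows are constructed test data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users (name, email) VALUES
           ('alice', 'alice@example.test'),
           ('bob',   'bob@example.test')");

// The pattern the comment criticises: user input spliced straight into the
// SQL text. Whatever the string contains becomes part of the query grammar.
function findUserConcat(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Parameterized version: the SQL is fixed at prepare() time and the name is
// sent as a bound value, so it is only ever compared against the column.
function findUserParam(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Ordinary input: both functions return the same single row.
var_dump(findUserConcat($db, 'alice'));
var_dump(findUserParam($db, 'alice'));

// Perfectly honest input that happens to contain a quote (constructed). The
// concatenated query is now malformed SQL and PDO throws; the parameterized
// query just reports that nobody is literally named that.
$name = "o'brien";
try {
    var_dump(findUserConcat($db, $name));
} catch (PDOException $e) {
    echo "concatenated query failed on a quote: ", $e->getMessage(), "\n";
}
var_dump(findUserParam($db, $name));
```

The failing case is deliberately a legitimate surname rather than an attack string: a query that cannot survive an apostrophe is already a correctness bug, and the same defect is what lets hostile input rewrite the query. Run it with `php example.php` on any PHP build that has the pdo_sqlite extension; swapping the DSN for a MySQL one leaves both functions unchanged, which is the point of writing the query this way from the start.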