Take care copy-and-pasting that code from Stack Overflow

Or indeed any other websites…


If you're a computer programmer, you probably know Stack Overflow. It's a very popular and really handy question-and-answer website devoted to answering programming questions.

In other words, if you find yourself in a fix trying to get your brain around a knotty PHP problem, there's bound to be some helpful soul who knows the answer and will either answer your question or will have already answered a similar question in the past.

So, all you have to do is go to Stack Overflow and get the answer you need. Right?

Well, hold your horses for one second.

Because have you ever considered that the code you are being offered might (unintentionally) contain a serious security flaw - such as being vulnerable to exploitation via SQL injection?

Laurent Cozic has published a project that examines PHP questions on Stack Overflow, and highlights those that contain SQL injection vulnerabilities. And with some nifty graphical charts he gives an indication of the scale of the problem.


It's clear to see that approximately 1000 PHP-related questions on Stack Overflow contain SQL injection vulnerabilities every month.

Just how bad is that?

Well, as a proportion of all PHP MySQL-related questions, SQL injection vulnerabilities amount to around 40-50%.


Ouch! With figures like these, is it any wonder that so many business websites are still shamefully spilling their customer details to such rudimentary hacking tricks as SQL injection?

Of course, it's worth bearing in mind that Stack Overflow doesn't have a monopoly on offering bad advice. You could cut-and-paste a SQL injection vulnerability from any number of sites offering advice on the internet.

So don't be lazy. Always do your own checking of code you're borrowing from someone else before you use it. Copy-and-pasting code without thinking can do a lot of harm.
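One way to do that checking, as an added example that is neither Laurent Cozic's project code nor anything from the original post: a small heuristic scanner that flags PHP MySQL query calls whose SQL text is built by interpolating or concatenating variables (the pattern behind the vulnerable answers), and stays quiet on prepared statements. The two PHP snippets it runs over are constructed for the example, not lifted from any Stack Overflow answer.

```python
import re

# Calls that hand a statement to MySQL: legacy mysql_*, mysqli and PDO methods.
QUERY_CALL = re.compile(r'\b(?:mysql_query|mysqli_query|->\s*(?:query|exec))\s*\(\s*(.*)$')
# PHP double-quoted literal (escapes allowed) and the interpolation it permits.
DQ_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
INTERP = re.compile(r'(?<!\\)\$\w+|(?<!\\)\{\$')
# A quoted SQL fragment glued to a variable with PHP's '.' operator.
CONCAT = re.compile(r'''["']\s*\.\s*\$\w+|\$\w+\s*\.\s*["']''')
ASSIGN = re.compile(r'(\$\w+)\s*=\s*(.*);')

def _mixes_data_into_sql(expr: str) -> bool:
    """True if the PHP expression builds SQL text out of variables."""
    if CONCAT.search(expr):
        return True
    return any(INTERP.search(m.group(1)) for m in DQ_STRING.finditer(expr))

def flag_sql_injection(php_code: str) -> list:
    """Return (line_no, reason) for each query whose SQL text embeds variables."""
    findings, tainted = [], set()  # tainted: variables holding spliced-together SQL
    for no, line in enumerate(php_code.splitlines(), start=1):
        a = ASSIGN.search(line)
        if a and _mixes_data_into_sql(a.group(2)):
            tainted.add(a.group(1))
        q = QUERY_CALL.search(line)
        if not q:
            continue
        if _mixes_data_into_sql(q.group(1)):
            findings.append((no, 'variable interpolated into SQL string'))
        elif any(re.search(re.escape(v) + r'\b', q.group(1)) for v in tainted):
            findings.append((no, 'query built from interpolated variable'))
    return findings

# Constructed PHP snippets (not from any Stack Overflow answer): the answer-style
# query that splices request data into SQL, and the prepared-statement form that
# keeps data and SQL text apart.
VULNERABLE_PHP = '''<?php
$sql = "SELECT * FROM users WHERE name = '$_GET[name]'";
$result = mysql_query($sql);
mysqli_query($conn, "DELETE FROM posts WHERE id = " . $_POST['id'] . " LIMIT 1");
'''
SAFE_PHP = '''<?php
$stmt = $conn->prepare("SELECT * FROM users WHERE name = ?");
$stmt->bind_param("s", $_GET['name']);
$stmt->execute();
$conn->query("SELECT COUNT(*) FROM users");
'''

if __name__ == '__main__':
    for snippet in (VULNERABLE_PHP, SAFE_PHP):
        print(flag_sql_injection(snippet) or 'no string-built queries found')
```

The check is line-based and heuristic, so it catches the common copy-and-paste shapes rather than every way of building a query; a clean result is a reason to keep reading the code, not to stop.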

Hat-tip: @mikko.


3 Responses

  1. coyote

    December 5, 2016 at 10:30 pm

    'Because have you ever considered that the code you are being offered might (unintentionally) contain a serious security flaw – suchj as being vulnerable to exploitation via SQL injection?'

    I presume 'suchj' is a typo and not playing with the fact many people don't properly sanitise input?

    As for copying/pasting code: the same goes for commands. You won't learn anything using something you don't understand, you won't remember it as well and it's also dangerous if you don't know what it does. No matter what anyone wants to believe there are many out there who have no problem intentionally misleading and outright harming (though misleading is in many ways more harmful in the long run).

  2. iya

    December 6, 2016 at 4:40 am

    if you're a serious php or sql programmer, knowing how to stop vulnerabilities isn't that hard. i don't think you'd copy and paste a bunch of stuff and just see that it works. i've hit stackoverflow up for help hundreds of times but the most i've ever gathered were tiny things that weren't code because usually, the answers are so complicated they're way beyond homework and incomprehensible. also, even if the code itself is flawed as is, the basic checklist of security flaws, if covered, would fix it. in that case, if the code works and you wouldn't get marked down or fired for stealing it, stealing it would be fine. i did an extra credit assignment in a web programming class where i learned php and sql and it was all about security vulnerabilities and it's very easy to look them up. they are quite limited and easy to avoid.

  3. RGold

    January 12, 2017 at 9:51 pm

    I would also add that Stack Overflow does not represent their answers as hacker-hardened, production-ready examples employing security best practices. Like examples in a textbook, they illustrate one concept with an answer that is simple/simplistic (most of the time) and not meant to be mindlessly pasted into code projects destined for production.
