~Gets the first page of PHP at tutorialspoint~ - "look at this shitty code" ~Scrolling down to "Validation Example"~ - No no no, they are not teaching how to deal with XSS... Welcome to the PHP hate train. As you come in, the same way it gets out. The user cannot protect from himself. PHP is not evil, CPDD (Copy Paste Driven Development) is!
PHP isn't bad if you know how to use it.

Block SQL injections:

    function sqli_escape($str) {
        global $connection;
        // escapes the value for use inside a quoted string literal of a mysqli query
        return mysqli_real_escape_string($connection, $str);
    }

Block HTML & JS injections:

    function html_escape($str) {
        $str = str_replace('&', '&amp;', $str);   // first, so the entities added below are not escaped again
        $str = str_replace('<', '&lt;', $str);
        $str = str_replace('>', '&gt;', $str);
        $str = str_replace('"', '&quot;', $str);  // needed when the value lands inside an attribute
        $str = str_replace("'", '&#039;', $str);
        return $str;
    }
Clicked because I wanted to share my answer to "what is PHP", but have a like for `Don't be a script kiddie` lol. Whenever someone says "what is PHP / what does PHP stand for?": PHP - it's a recurring acronym, which means the P stands for PHP, so it stands for PHP hypertext processor... which stands for PHP PHP hypertext processor, which stands for PHP PHP PHP hypertext processor, which stands for PHP PHP PHP PHP hypertext proc... ...person leaves lol
Sorry but this xss example is as simplistic as the php example you are 'exploiting'. The php tutorial is to get you to understand how things work, security can come after understanding what is going on.
Maybe you succeeded in that. But from my own experience learning PHP, and from auditing many PHP websites (compared to e.g. Python websites), I can tell you that in reality PHP devs don't learn it afterwards.
What are you doing for a living? Job? I am asking because I am interested in computers and electronics but I have no time. I have to do some shit job for a living. Sorry, as it is not related. Just curious about your knowledge.
"But PHP can't be bad, it's used in so many websites" - some PHP apologist. And there are plenty of sites which store your password in plaintext; just because something is common doesn't mean it's good and should be used! YES, you can make a secure site with it, if you know each of its shitty quirks (hash functions quietly throwing warnings and returning null instead of a hash or crashing, the ternary operator being left associative (I dare you to find any other language that does that), which in my opinion produces wrong results (objectively it's at least counterintuitive), ...). It's not like PHP is the only language there is for web development. Why would a carpenter use a stone to drive the nails in when there are plenty of hammers to choose from? Also, god help you if you ever have to debug PHP.
I haven't watched the video yet, but I might answer the question from the title right away: PHP is a toy to make websites, it stands for "Personal Home Pages" and there are many problems with it (not only cross site scripting) and the reason for this is, that PHP attracts inexperienced people and they think they can program but all they do is "curl | bash" and copy&paste from the internet. ;)
There is much wrong with "curl | bash" and "download and execute"; they create a mindset that results in insecure-by-default behaviors. Just take random code from the internet and trust it. Nobody should need to do a "malware analysis" for each download. We should use a chain of trust where others have done that job for us. Random downloads aren't a chain of trust, they are scattered pieces of trust. Having to trust project A, B, C ... Z and so on is the wrong way.

A great example are big Linux distributions. Take Debian as an example. They have a big web of trust (the Debian developers and their upstreams), they know their stuff and hopefully detect if there is something fishy. The user just needs to trust the maker of their operating system; there is a single automated mechanism to check cryptographic signatures and that's it. The technical infrastructure is the package managers, and they have existed for a very long time. They were first intended to ease the installation of software and later they happened to improve security by centralizing the chain of trust. It is just a recent development that commercial software companies have started to build centralized software repositories (they call them App Stores or Play Stores). But their intention isn't trust and the good of the users, they just want control over their users.

When package managers were common but different (rpm/yum, deb/apt ...), the upstream developers were not very interested in using or even supporting them. They had no interest in fixing their build systems so you could easily package the software. This resulted in some notoriously hard-to-package software projects, and at some point some people began building their own package managers. Today we have a mess of things like cpan, pip, npm and whatever else there may exist.
This weakens the chain of trust. Today people do a "curl | bash" which just vomits all over the system; it puts crap into /etc/apt/sources.list and installs a bazillion packages from npm, pip, curl and from source. The resulting system is a mess that just works, until it is infested by all sorts of malware. Yes, where I work we do a limited* malware analysis of software if it isn't installable from the package management of the used software distribution. (* = no full audit of the software itself, just some sanity checks that make sure there are no hidden curl|bash things and that the source isn't compromised.) But something like this can't be expected from normal users. They should not artificially increase their exposure by using crappy advice like "curl|bash"; they should depend only on a very short chain of trust. I say "curl|bash" is even more dangerous than crappy tutorials that don't do any input validation. They teach "just ignore anything, don't try to understand, just do this".
PHP stands for PHP Hypertext Preprocessor. And there's nothing wrong with PHP - it's the developer writing the code. A developer that writes bad PHP code will also write bad Java code, C, .Net, JS, etc, etc.
Jack B: You are right, "PHP: Hypertext Preprocessor"; the name was changed to that a very long time ago. I still like to refer to it by its original name, especially when I talk about the downsides of that language. As you said, it is the developer writing the code. A good programmer is still capable of knowing his way around all the quirks of the language and producing good code. But as I said, PHP is one of the languages that attract inexperienced people. It is often one of the first programming languages people learn; they want to make a website and they heard that PHP is what should be used, and then they search for tutorials. The next thing that happens is explained in the above video. Those inexperienced users become slightly better, or at least more productive, over time, and they start to contribute to the language and its libraries and they write tutorials like the one shown in the above video.
zvpunry I wouldn't call it a "downside of the language"; what you're talking about is people learning to code in general, being misguided by not-so-great tutorials. Places like Khan Academy are an example of good places to learn. Places like w3schools are not. Surely it's a positive thing that PHP is easy to pick up for beginners? It makes the whole prospect of software development as a whole a less daunting opportunity for newcomers. Being an easy-to-learn yet incredibly powerful language has its upsides too. I think as a general rule of thumb, if someone knows how to use composer correctly, they're usually a half-decent programmer. There are so many good PHP packages on packagist.
5:39
Welcome NEWS
You are years old
You deserve so many more subscribers
Binary exploitation and Web pen lectures that are good and concise, dude thank you 🙏🏻
Overflow I love the code review / code comparisons.
The deeper issue is that PHP has a really low barrier to entry. This is a blessing and a curse. There is a place for languages like Python which trust the programmer, but some of the high security places PHP is oft-used in are not them.
You have some awesome videos, I really like your style. Please put videos which focus on protocols itself
omg thank you, I've been looking everywhere for PHP in URL because I was stuck on a CTF challenge
The example itself was enough to explain how a submit works in PHP; the site should have expanded on that or displayed a notification that it isn't secure.
It saddens me that the web is still filled with poorly written PHP code. PHP has drastically changed over the years but there's still so much PHP 5.x junk lying around. The least writers of such tutorials could do is say the article is outdated and refer to something more relevant.
I was searching for a video series which will teach me how the web works and I ended up here. I think this series was made for me
SO UNDERRATED CHANNEL!!! IT MUST HAVE HAD AT LEAST 1M SUBS
Amazing video. It's funny that nowadays browsers let XSS execute, there being many techniques to bypass it; it's like they have given up lol
90% of PHP tutorials I see online have poor code, from what I call copy-paste scriptwriters. They don't learn the core principles of what the command does in a single function (the actual meaning of the word, not PHP's MyFunction) or complete command, let alone the dangerous flexibility of PHP as a language.
what a great video!!
I guess you must be a great content maker.
Thanks always, LiveOverflow.
Awesome video as always.
thanks!
Uh. Didn't know about these PHP commands such as php -S address.
I will finally get rid of XAMPP!
I recommend to you using virtual machines. You can use Vagrant + VirtualBox to simply create them. This allows you to create isolated and exact replicas of your staging/production environments.
Docker is easier if you are on linux or mac
Well, I still recommend you to use a full web server such as Apache if you’re doing web development. But you don’t need an all-in-one package.
You kinda need Apache for the .htaccess files; they are very useful to have control over how the URL works. By default PHP will treat the URL as a directory path and search for an index.html or index.php inside. This might be enough if you're serving static content, but if you want something more complex you'll need Apache and MySQL.
There are some browsers (I know about Opera) which do not show you the GET parameters, so this could be used in phishing mails too...
Can (and should) be enabled in the options.
It's ridiculous that this PHP tutorial has another bug: is absolute nonsense. 1) It would have been $PHP_SELF and not $_PHP_SELF (back then, before PHP4.2, when register_globals was on by default), nowadays it would be $_SERVER['PHP_SELF'], and 2) It's missing the "echo" so it wouldn't even print anything anyways! The only reason it works is because this whole part is unnecessary in the first place, because the default action of a form is empty and therefore resolves to current URL...
If someone is just starting out with PHP, say it is the first or second day, introducing security concepts would confuse them. These sites usually cover the security aspect, but in a later part.
They should not have to be introduced to this in the first place. Other languages and frameworks are safe by default. In all languages you can write insecure code, but when the introduction tutorial is already unsafe, then what hope can we have that they change their coding style later?
If we talk about languages, I don't know what language escapes by default when outputting strings; not even Python, Perl, JS (Node.js), C or C# do such a thing. I think you are comparing web frameworks with raw programming languages.
Huge difference. A lot of python/C/C# programs can go very lax on security since they are executed by the person providing input (probably even the same person who wrote the script). A webpage by definition faces the world, and anyone being able to inject anything into your simple webpage makes it an instant failure. You can't talk about web design without starting with basic security.
MrKeotan sorry but this is just double standard
I would say it is very important to tell new people about how to secure in the tutorial. The tutorial should show them the secure way rather than the insecure way, and saying why, even if you just said because it is more secure. Not everyone who reads a tutorial are reading the whole tutorial, and might just be skimming to find how to start.
I would say it is not too much to ask that tutorials and articles to be considerate to new developers and tell them good practices.
Very great video! Unfortunately, I'll have to wait a few years until I can go completely crazy with programming because school prevents me from doing it... :(
what? do it at home
Great and simple demonstration.
A long time ago, I started to develop some PHP websites. The first one I did was for my mother's company; for parts I followed those tutorials online..... got hacked - -'
Thank you for making this video. I wrote a series of PHP tutorials back in 2005 or 2006 for a user login/authentication system that racked up hundreds of thousands of views. I was learning PHP at the time and had no business teaching others. Many (thousands?) of people used my "tutorials" and adapted the login system for many purposes. Many wrote and shared "addons". These tutorials didn't teach you the fundamentals and enforced bad practices. I apologize for my sins.
Thank you sir for dedicating your time for us
test
The real solution is to use a context-aware templating engine that automatically escapes any variable you try to insert, so there's no risk that you forget to manually escape it.
So, a robot that follows you around while you crap your pants and cleans up your sh** behind you. The better solution is to get potty trained.
@@DSAhmed Um, no. Humans make mistakes. A proper templating engine makes such mistakes impossible. It's not a band-aid. It's the proper solution.
"Just don't make mistakes" is a horrible "solution" that is never going to end well.
@@asdfghyter fair enough. But you should have the control or ability to turn that off as needed. But too many crutches lead to poor coding, and unintended vulnerabilities.
@@DSAhmed I don't really see this as crutches. It's a good abstraction. It makes it easier to code and gives you less to think about. Of course, it should be expandable so you can add missing features yourself if something is missing. And escape hatches are useful as long as they are clearly marked as such, "unsafe_inject_string" or something like that, so you don't use it by mistake without thinking twice.
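What "context-aware" means in the thread above, as a hand-rolled illustration added here (it is not code from the video, nor from any particular template engine): the same user value needs a different encoding depending on where it lands, in HTML text, inside a JavaScript string literal, as a URL query parameter, or as a whole href. A template engine chooses the right one from where the placeholder sits; without one, the developer has to. The function names, the contexts chosen and the `next` parameter are this example's own assumptions; it assumes PHP 7.2 or later and a UTF-8 page.

```php
<?php
declare(strict_types=1);
// Added example: one escaper per output context. A context-aware template engine
// applies the equivalent of these automatically based on where a value is inserted.

// HTML text and attribute values. ENT_QUOTES is what makes it safe inside value="...".
function esc_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A JavaScript string literal inside <script>. JSON is a valid JS literal; the HEX
// flags turn < > & ' " into \uXXXX so the value can never close the string or the
// script element, and invalid UTF-8 is replaced instead of making json_encode fail.
function esc_js(string $s): string
{
    $json = json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE
    );
    return $json === false ? '""' : $json;
}

// A single query-string parameter value (everything except unreserved characters
// becomes %XX, which is also safe inside an attribute).
function esc_url_param(string $s): string
{
    return rawurlencode($s);
}

// A complete URL in href. Escaping alone does not help here: javascript:alert(1) is
// harmless as text and still a script when clicked, so the scheme is whitelisted.
// Accepts http(s) URLs and same-origin paths; rejects javascript:, data: and //host.
function esc_href(string $url): string
{
    if (!preg_match('~^(https?://|/(?!/))~i', $url)) {
        return '#';
    }
    return esc_html($url);
}

$name = isset($_GET['name']) && is_string($_GET['name']) ? $_GET['name'] : 'guest';
$next = isset($_GET['next']) && is_string($_GET['next']) ? $_GET['next'] : '/';

header('Content-Type: text/html; charset=UTF-8');
?>
<!doctype html>
<meta charset="utf-8">
<title>Context-aware escaping</title>
<p>Hello <?= esc_html($name) ?></p>                          <!-- HTML text -->
<input name="name" value="<?= esc_html($name) ?>">           <!-- attribute -->
<a href="/search?q=<?= esc_url_param($name) ?>">search</a>   <!-- query parameter -->
<a href="<?= esc_href($next) ?>">continue</a>                <!-- whole URL -->
<script>
  var name = <?= esc_js($name) ?>;                           // JS string literal
  document.title = name;
</script>
```

Run it with `php -S localhost:8000` (the command used in the video) and try `?name=</script><script>alert(1)</script>` and `?next=javascript:alert(1)`: the first is rendered as text in every slot, including inside the script block, and the second link points at `#`. Swapping any two of the escapers (for instance using `esc_html` in the script block) is exactly the kind of mistake a template engine removes.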
I still live here .
welcome home!
awesome video!
Seeing the thumbnail "PHP sucks": it doesn't, the highest number of bugs is found in PHP. Yeah, that feels like 1337.
This code also would emit notices if they were allowed (you need to write isset($_GET["etc"]) to check if it exists).
These videos are very helpful.
Most people talking shit about PHP are unemployed or getting paid shit to work... Not leaving PHP while it pays my bills...
The code is invalid and insecure on many levels; the one I was extremely irritated by was how in the if-statement the condition was that either one of the GET variables was necessary for it to execute, but what happened was that it printed both of the GET variables' values... This is a problem because if a variable is non-existent in PHP, it will throw an error to the user, informing what part of the server code is failing and revealing server-side secret code!
To be fair, when running a webserver in a production environment, PHP should be configured to not emit warnings, notices, errors, etc.
I love your teaching style, it's really smooth! Keep going dude. Which country do you come from?
thanks! glad you like my method.
I'm from Germany
Which city? :D
I still find it funny how terribly weird php function names are. htmlspecialchars for HTML tag escaping? Who tf thought of that? And it doesn't even have a case convention, it's just written so weirdly.
This is a stupid comment.
@@arumteguh2762 oh
Whoa dude which plug-ins are you using to get the coloured highlighting selected text please?
? What do you mean? In vim? Just try the command
:syntax on
wait aren't get variables called query strings?
Correct :) - In the URL it's a query string, and not "GET parameters". That originates from HTTP GET.
Really awesome
This is only half the story as well.
The whole $_SERVER["PHP_SELF"] thing allows XSS too
www.dzhang.com/blog/2013/05/20/php_self-and-cross-site-scripting
as seen in the mentioned tutorial
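Pulling together the points made in this thread (the missing isset() and the notices it causes, the raw echo of the GET parameters, and the $_SERVER['PHP_SELF'] injection linked above): here is the tutorial form as the comments describe it, reconstructed rather than quoted, next to a hardened rewrite. The rewrite is an added example, not the tutorial's or the video's code; the helper names e() and param() are its own, and it assumes PHP 7.0 or later and a UTF-8 page.

```php
<?php
declare(strict_types=1);
/*
 Vulnerable original, reconstructed from the comments above (not quoted from the
 tutorial). Every input is echoed raw, a missing parameter raises a notice, and
 $_PHP_SELF is written into the action attribute without echo and without escaping:

   <form action="<?php $_PHP_SELF ?>" method="GET">
   <?php
   if ($_GET["name"] || $_GET["age"]) {
       echo "Welcome " . $_GET['name'] . "<br />";
       echo "You are " . $_GET['age'] . " years old.";
   }
   ?>
*/

// Declare the encoding, and keep notices/warnings out of the response (log them instead).
header('Content-Type: text/html; charset=UTF-8');
ini_set('display_errors', '0');
error_reporting(E_ALL);

// Escape for HTML text and attribute contexts.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read a query parameter as a string. isset() avoids the notice for a missing key;
// is_string() rejects ?name[]=x, which would otherwise be echoed as "Array" with a warning.
function param(string $key): string
{
    return isset($_GET[$key]) && is_string($_GET[$key]) ? $_GET[$key] : '';
}

$name = param('name');
// Age is validated, not merely escaped: only an integer in a plausible range is accepted.
$age = filter_var(param('age'), FILTER_VALIDATE_INT, ['options' => ['min_range' => 0, 'max_range' => 150]]);
?>
<!doctype html>
<meta charset="utf-8">
<title>Welcome</title>
<!-- PHP_SELF reflects the path the client requested, so it is user input and gets
     escaped like any other. Leaving the action attribute out entirely, which also
     submits to the current URL, avoids the issue completely. -->
<form action="<?= e($_SERVER['PHP_SELF'] ?? '') ?>" method="get">
  <label>Name: <input name="name" value="<?= e($name) ?>"></label>
  <label>Age: <input name="age" inputmode="numeric"></label>
  <button type="submit">Submit</button>
</form>
<?php if ($name !== '' || $age !== false): ?>
  <p>Welcome <?= e($name) ?></p>
  <?php if ($age !== false): ?>
    <p>You are <?= $age ?> years old.</p>
  <?php endif; ?>
<?php endif; ?>
```

Served with `php -S localhost:8000`, a request such as `/?name=<script>alert(1)</script>&age=abc` comes back with the script tag as visible text and no age line at all, and requesting `/index.php/"><script>alert(1)</script>` no longer breaks out of the action attribute. Note that `"0"` as a name is still shown, because the check is against the empty string rather than PHP's truthiness, which is the isset/empty distinction raised earlier in the thread.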
You are pretty good at this for a 12 year old
The L in lt stands for less. Greater is the opposite of less.
thanks for the useful English class
You could write bad code like that in any language. It is **not** a PHP problem.
Your code is still vulnerable because of _PHP_SELF; you should escape special chars there too. You can execute XSS with index.php/">x
This XSS demo can be demonstrated with every language; it's not limited to PHP. Language-agnostic explanation of XSS: ruclips.net/video/L5l9lSnNMxg/видео.html
"PHP sucks" haha I laughed.... I laughed all the way to the bank
9:25 it is German for a very short moment
Jesus....i need to start coming to your videos first, wasted 4 hours trying to understand XSS elsewhere
Encode the JavaScript in the url maybe?
My guess to bypass the XSS-filter:
?name=/*&age=*/alert(1)
thanks
XSS Auditor, RIP
Just saying samy kamkar and his myspace worm :D
Isn't it much much better to use htmlentities instead of htmlspecialchars?
What's you argument?
Because you stop being dependent on checking the encoding.
For example, htmlspecialchars will not protect you against UTF-7 XSS attacks if you do not declare the encoding header. Of course you can declare the encoding at the beginning (you showed it in the video); however, with htmlentities you skip the risk of forgetting about it.
Anyway the better way is to sanitize the input, not just escaping it. But that's another story :)
Sure, sanitise input is nice, but that has nothing to do with escaping the output. Sanitation is kinda more like a better user experience to tell when something is wrong. But escaping your output is where you protect against XSS.
I'm not sure if htmlentities actually would prevent utf-7 (or similar encoding attacks for that matter). I'm sure there are cases where it wouldn't help you or you find odd bypasses.
But you shouldn't rely on it to prevent encoding attacks anyway... choose the correct fix for a particular issue.
utf-7 or other encoding attacks are prevented by setting proper encoding.
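To make the disagreement above concrete, an added example (not from the video or the thread) that runs the two functions over constructed inputs. It shows three things: htmlentities and htmlspecialchars produce the same output for every character that matters for XSS and differ only for non-ASCII text such as "é"; the encoding argument is what decides whether a byte sequence is even valid; and, the edge case to remember, without ENT_SUBSTITUTE either function returns an empty string for invalid UTF-8, which silently drops the whole value. It assumes PHP 5.4 or later for the ENT_SUBSTITUTE flag.

```php
<?php
declare(strict_types=1);
// Added example: what the encoding argument and the ENT_* flags change.
// The inputs below are constructed for the example.

// No ENT_SUBSTITUTE: an invalid UTF-8 sequence makes htmlspecialchars() return ""
// (documented behaviour), so the value vanishes instead of being escaped.
function esc_strict(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// ENT_SUBSTITUTE replaces each invalid sequence with U+FFFD and escapes the rest.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Same flags, but every character with a named entity is converted (e.g. é).
function ents(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$samples = [
    'tag'    => '<script>alert(1)</script>',   // the XSS characters themselves
    'attr'   => '" onmouseover="alert(1)',     // breaking out of an attribute
    'utf8'   => "caf\xC3\xA9",                 // valid UTF-8 "café"
    'latin1' => "caf\xE9 <b>",                 // Latin-1 byte 0xE9: invalid in UTF-8
];

foreach ($samples as $label => $in) {
    printf("%-7s strict   %s\n", $label, var_export(esc_strict($in), true));
    printf("%-7s subst    %s\n", $label, var_export(esc($in), true));
    printf("%-7s entities %s\n", $label, var_export(ents($in), true));
}

// In a page, the defence against charset confusion (UTF-7 style tricks included) is
// to state the encoding so the browser never has to guess; escaping does not do that:
//   header('Content-Type: text/html; charset=UTF-8');
```

Run it from the command line with `php encoding.php`. The "tag" and "attr" rows are identical across all three columns, which is the point made in the thread: the choice between htmlentities and htmlspecialchars does not change what happens to `<`, `>`, `&` and the quotes. The "latin1" row is the one worth knowing: the strict variant yields an empty string, so a form that used it would silently lose a Latin-1 submission rather than render it safely.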
PHP doesn't get removed, it gets executed on the server.
Leon Kunstek he meant removes from the response
@@bigdawg4670 from what I understood, everything outside of the php tags is implicitly echo'ed
Dude you kick ass ! :D
maybe you can use base64 encoded script?
No more xss auditor in Chrome... Even the basic payloads will work 😉
“So why is this code so shitty?”
What are you asking us? We didn’t write it.
I've been using PHP for 20 years, and one thing hasn't changed: people who don't understand PHP always assume every problem they have with PHP websites is the fault of PHP itself. The need to sanitize user input is a no-brainer regardless of what language you use. Instead of aspiring to be "coders," I suggest that the ADHD-addled brats watching this aim higher and aspire to be programmers. Any idiot can type code. Designing software is a different thing altogether.
The advantages provided by high-level languages nowadays make it very easy to write code, but yeah, I am in course 4 now at computer science and I could ask some of my classmates what the difference between HTTP and TCP is and they won't have an answer, even though we had at least 2 courses dedicated to networking and distributed applications. We had an assignment lately to make a proxy with multiple balanced databases; one of my classmates made the connection using UDP, because in his opinion it was easier to implement it this way...
nice
The 12 yo joke...
It killed me.
It is common if you don't sanitize input; the same goes for SQL queries, if you don't clean it prior to inserting into the DB, and this goes for all languages, unless that language does automatic input sanitization.
It is 2020 and, no offence to any nationality, but Sandeep Kumar and Rakesh are still writing deprecated mysql_* code all over their shitty blog posts.
I don't care if people say PHP is dead. I LOVE PHP
PHP needs to make the difference between isset and empty. This example needs to be NOT empty.
Look how MySpace got hacked by the guy who was making you add him as a friend by JS
That's fake news it has nothing to do with php, XSS can happen in any language that reflects user-input unescaped.
Can you inject php?
Nah. PHP is executed on the server so no
Might be possible if a website allows the upload of files and doesn't properly check them (so you upload a .php file and run it like domain.com/yourfile.php), but I'm not sure if it actually works and am too lazy to test right now.
@@GoulartGH Or if the user input is directed into eval or exec function.
Python security tuts??
Nombre Apellidos What kind of Python security are you referring to? PHP is usually used on public domains, which makes it accessible to anyone from anywhere, which is why security is an important aspect. Python is used a lot on the local system, so I am just wondering what kind of security you would like to see (I am aware you could write a website with Python, perhaps using something like Django, but let's face it, it's far less common practice).
Come on man, you know damn well all you're going to get is code snippets that are specific to the topic at hand if you're googling things. There's a reason why it's both important to learn by doing and by instruction. People who rely on google to learn to code miss out on a lot of things people who read a book or take a course on the topic will learn. And for the record, the first PHP book I picked up did cover XSS, so you do get taught this stuff in beginner's courses.
That doesn't fix the problem though. Sites should really at least add a warning beforehand or talk about the code not being secure for production.
I have it so it redirects with an http header and logs it to me lmao
6:01 trustworthfadgoeimdy
what genius used GET for form submission wth XD
If you are reflecting the submitted data without escaping, it doesn't matter if you are using GET or POST, it also doesn't matter if you are using PHP or something else.
How can I donate money to SkiddyH4xx ? :)
"what is php"
hot garbage
"why is xss so common there"
hot garbage
dynamic typing should be illegal
bad templating and ignoring errors should be illegal, but tell that to JS and PHP people
@no-defun-allowed more like, tell that to the noob doing this. You can write insecure code in all languages; programming in Python won't automatically sanitize input or escape database queries to prevent SQL injection. Besides, this is so 101 security that anyone who has programmed for less than a year would know the need to sanitize input, no matter what language.
Dynamic typing has nothing to do with copy-pasta code or with using non-validated user input...
PHP itself is not hot garbage (but pretty inconsistent), the bad code written by some scriptkiddie is.
That's why I don't donate money to anyone! :)
This is why you learn how to stop your site from xss or use a framework that will do most of it for you.
Stop blaming language for you not knowing security concepts /writing shitty code. (For PHP haters)
~Gets the first page of php at tutorialspoint~ - "look at this shitty code"
~Scrolling down to "Validation Example"~ - No no no, they are not teaching to deal with XSS...
Welcome to the PHP hate train. As you come in, the same way it gets out.
The user cannot protect from himself.
PHP is not evil, CPDD (Copy Paste Driven Development) is!
You can inject PHP script through form
Could you please explain that?
php isn't bad if you know how to use it
Block SQL Injections:
function sqli_escape($str) {
    global $connection;
    // Escape for use inside a quoted SQL string literal and return the result.
    return mysqli_real_escape_string($connection, $str);
}
Block HTML & JS Injections:
function html_escape($str) {
    // Replace '&' first so the entities added below are not double-escaped.
    $str = str_replace('&', '&amp;', $str);
    $str = str_replace('<', '&lt;', $str);
    $str = str_replace('>', '&gt;', $str);
    return $str;
}
How is this implemented it didn't work
@Podemosllegaralossubs-ty7bq these are basic PHP functions. If you don't understand, why are you watching this video?
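As an added example (not from the video or from any commenter here) tying together the two points made above, that reflected output must be escaped no matter whether it arrived via GET or POST, and that a hand-rolled html_escape helper has to actually return its result: a minimal reflected page in its vulnerable and hardened forms, run over constructed inputs. Names like render_unsafe and request_param are my own.

```php
<?php
// Added example: context-aware escaping of reflected input in PHP.
declare(strict_types=1);

// Escape a value for insertion into HTML text or a double-quoted attribute.
// ENT_QUOTES also escapes ' and "; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning "" (a quiet failure mode worth ruling out explicitly).
function html_escape(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable: reflects the raw value, so any markup in it becomes part of the page.
function render_unsafe(string $name): string
{
    return "<p>Hello, " . $name . "</p>";
}

// Hardened: the same page, with every reflected value passed through html_escape().
function render_safe(string $name): string
{
    return "<p>Hello, " . html_escape($name) . "</p>";
}

// Read the parameter from either source. Escaping happens on output, so the
// transport (GET or POST) makes no difference to whether the page is safe.
function request_param(string $key, array $get, array $post): string
{
    $raw = $post[$key] ?? $get[$key] ?? '';
    return is_string($raw) ? $raw : '';
}

// Constructed sample inputs standing in for $_GET and $_POST.
$samples = [
    ['get' => ['name' => 'Alice'], 'post' => []],
    ['get' => [], 'post' => ['name' => '<b>bold</b> & "quoted" \'too\'']],
];

foreach ($samples as $s) {
    $name = request_param('name', $s['get'], $s['post']);
    echo "unsafe: ", render_unsafe($name), PHP_EOL;
    echo "safe:   ", render_safe($name), PHP_EOL;
}
```

The second sample shows the markup characters surviving intact in the unsafe output and being turned into entities in the safe one; the same helper applies to any templating that concatenates strings into HTML.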
clicked because i wanted to share my answer to what is php, but have a like for `Don't be a script kiddie` lol
whenever someone says what is php / what does php stand for?
PHP - it's a recurring acronym that means the P stands for PHP, so it stands for PHP hypertext processor...
which stands for PHP PHP hypertext processor
which stands for PHP PHP PHP hypertext processor
which stands for PHP PHP PHP PHP hypertext proc...
...person leaves lol
Sorry but this xss example is as simplistic as the php example you are 'exploiting'. The php tutorial is to get you to understand how things work, security can come after understanding what is going on.
Maybe you succeeded in that. But from my own experience learning php, and from auditing many php websites (compared to eg. python websites), I can tell you that in reality php devs don’t learn it afterwards.
What are you doing for a living? Job? I am asking because I am interested in computers and electronics but I have no time, have to do some shit job for a living. Sorry as it is not related, just curious about your knowledge.
"But php can't be bad, it's used in so many websites" -some phpapologist
And there are plenty of sites which store your password in plaintext; just because something is common doesn't mean it's good and should be used!
YES you can make a secure site with it, if you know each of its shitty quirks (hash functions quietly throwing warnings and returning null instead of a hash or crashing, the ternary operator being left associative (I dare you to find any other language that does that) which in my opinion produces wrong results (objectively it's at least counterintuitive), ....
It's not like PHP is the only language there is for webdevelopment.
Why would a carpenter use a stone to drive the nails in when there are plenty of hammers to choose from?
Also god help you if you ever have to debug PHP.
I haven't watched the video yet, but I might answer the question from the title right away: PHP is a toy to make websites, it stands for "Personal Home Pages" and there are many problems with it (not only cross site scripting) and the reason for this is, that PHP attracts inexperienced people and they think they can program but all they do is "curl | bash" and copy&paste from the internet. ;)
nothing wrong with "curl | bash". A lot of people do "download and execute" - or do you do a malware analysis for each download?
There is much wrong with "curl | bash" and "download and execute", they create a mindset that results in insecure by default behaviors. Just take random code from the internet and trust it.
Nobody should need to do a "malware analysis" for each download. We should use a chain of trust where others have done that job for us. Random downloads aren't a chain of trust, they are scattered pieces of trust. Having to trust project A, B, C ... Z and so on is the wrong way.
A great example is big Linux distributions. Take Debian as an example. They have a big web of trust (the Debian developers and their upstreams), they know their stuff and hopefully detect if there is something fishy. The user just needs to trust the maker of their operating system; there is a single automated mechanism to check cryptographic signatures and that's it. The technical infrastructure is the package managers and they have existed for a very long time. They were first intended to ease the installation of software and later they happened to improve security by centralizing the chain of trust.
It is just a recent development that commercial software companies have started to build centralized software repositories (they call them App Stores or Play Stores). But their intention isn't trust and the good of the users, they just want control over their users.
When package managers were common but different (rpm/yum, deb/apt ...), the upstream developers were not very interested in using or even supporting them. They had no interest in fixing their build systems so you could easily package the software. This resulted in some notoriously hard to package software projects and at some point some people began building their own package managers. Today we have a mess of things like cpan, pip, npm and whatever else there may be.
This weakens the chain of trust, today people do a "curl | bash" which just vomits all over the system, it puts crap into the /etc/apt/sources.list and installs a bazillion packages from npm, pip, curl and from source. The resulting system is a mess that just works, until it is infested by all sorts of malware.
Yes, where I work we do a limited* malware analysis of software if it isn't installable from the package management of the used software distribution. (* = no full audit of the software itself, just some sanity checks that make sure there are no hidden curl|bash things and that the source isn't compromised). But something like this can't be expected from normal users. They should not artificially increase their exposure by using crappy advice like "curl|bash", they should depend only on a very short chain of trust.
I say "curl|bash" is even more dangerous than crappy tutorials that don't do any input validation. They teach "just ignore anything, don't try to understand, just do this".
PHP stands for PHP Hypertext Preprocessor. And, there's nothing wrong with PHP - it's the developer writing the code. A developer that writes bad PHP code will also write bad Java code, C, .Net, JS, etc, etc.
Jack B: You are right, "PHP: Hypertext Preprocessor", the name was changed to that a very long time ago. I still like to refer to it by its original name, especially when I talk about the downsides of that language. As you said, it is the developer writing the code. A good programmer is still capable of knowing his way around all the quirks of the language and producing good code.
But as I said, PHP is one of the languages that attract inexperienced people. It is often one of the first programming languages people learn; they want to make a website and they heard that PHP is what should be used and then they search for tutorials. The next thing that happens is explained in the above video.
Those inexperienced users become slightly better, or at least more productive, over time and they start to contribute to the language and its libraries and they write tutorials like the one shown in the above video.
zvpunry I wouldn't call it a "downside of the language", what you're talking about is people learning code in general, being misguided by not so great tutorials. Places like Khan Academy are an example of good places to learn. Places like w3schools are not.
Surely it's a positive thing that PHP is easy to pick up for beginners? It makes the whole prospect of software development as a whole less daunting of an opportunity for newcomers. Being an easy to learn yet incredibly powerful language has its upsides too.
I think as a general rule of thumb, if someone knows how to use composer correctly, they are usually a half-decent programmer. There are so many good PHP packages on packagist.
What is PHP? Broken trash.
Why is XSS so common there? Because PHP is broken trash.
ruclips.net/video/L5l9lSnNMxg/видео.html If you think xss is only a php problem you are a fool.
You have literally no clue, I can do the same example in Python or Ruby.