It’s that time again — I’m dishing out another pants award.

This time it’s phpeasystep.com which, according to their meta description, will “Teach you step-by-step with easy simple php code”. Simple is the right word: the code is completely basic, with no attempt at security whatsoever, and that leaves anybody who copies these tutorials into a live site at real risk of being exploited.

Let’s take a look at the Verifying email address tutorial:
// values sent from form (used exactly as the browser supplied them, no validation)
$name=$_POST['name'];
$email=$_POST['email'];
$country=$_POST['country'];

// Insert data into database
// $name, $email and $country are spliced straight into the SQL text: a single quote in
// any of them closes the string literal and lets the sender rewrite the rest of the query
$sql="INSERT INTO $tbl_name(confirm_code, name, email, password, country)VALUES('$confirm_code', '$name', '$email', '$password', '$country')";
$result=mysql_query($sql);

Hands up if you know the problem here? Of course, anyone with any experience in PHP will spot it straight away: the form values are assigned to variables and dropped straight into the SQL string with no validation or clean-up at all. A single quote in any field ends the string literal, so whoever submits the form can rewrite the query (classic SQL injection). I refer back to point one of my Writing Your Own CMS article — security! And I quote:

Look after your data going in to the database by stripping out malicious scripts, HTML tags, PHP and the like.

Stripping tags on its own won’t save this query, though: what stops the SQL being rewritten is escaping the values (mysql_real_escape_string with the old mysql extension) or, better, prepared statements with bound parameters. There’s no attempt at mail header injection protection either. The e-mail address goes into the outgoing mail unchecked, so a value containing a line break followed by a Cc: or Bcc: header turns one recipient into a whole list of them, and every one of them gets whatever else the malicious user chooses to add in. Oh, and did anyone notice the weird comment in this tutorial which obviously doesn’t apply? (// if $count not equal 1)
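For comparison, here is what that handler looks like when it validates its inputs, keeps them out of the SQL text and builds the mail headers only from checked values. This is an added example written for this post, not code from the phpeasystep tutorial. It assumes PHP 7.4 or later with PDO and the SQLite driver (an in-memory database stands in for the tutorial’s MySQL table); the table name, the length limits, the example.com addresses and the confirmation URL are all assumptions.

```php
<?php
// Added example (not the tutorial's code): validate the form, insert with a
// prepared statement, and build mail headers only from checked values.
// Assumes PDO with the SQLite driver; table name and length limits are assumptions.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE temp_members_db (
    confirm_code TEXT, name TEXT, email TEXT, password TEXT, country TEXT)');

// A CR or LF in a value that ends up in a mail header starts a new header line.
function hasHeaderBreak(string $value): bool {
    return preg_match('/[\r\n\0]/', $value) === 1;
}

function validateRegistration(array $post): array {
    $name     = trim((string)($post['name'] ?? ''));
    $email    = trim((string)($post['email'] ?? ''));
    $country  = trim((string)($post['country'] ?? ''));
    $password = (string)($post['password'] ?? '');

    if ($name === '' || strlen($name) > 64 || hasHeaderBreak($name)) {
        throw new InvalidArgumentException('bad name');
    }
    // FILTER_VALIDATE_EMAIL accepts exactly one address: no spaces, no line breaks, no "Bcc:".
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('bad email');
    }
    if ($country === '' || strlen($country) > 64) {
        throw new InvalidArgumentException('bad country');
    }
    if (strlen($password) < 8) {
        throw new InvalidArgumentException('password too short');
    }
    return ['name' => $name, 'email' => $email, 'country' => $country, 'password' => $password];
}

function registerUser(PDO $pdo, array $post): string {
    $f = validateRegistration($post);
    $confirmCode = bin2hex(random_bytes(16));
    // The values travel separately from the SQL text, so a quote in $name cannot alter the query.
    $stmt = $pdo->prepare(
        'INSERT INTO temp_members_db (confirm_code, name, email, password, country)
         VALUES (:code, :name, :email, :password, :country)'
    );
    $stmt->execute([
        ':code'     => $confirmCode,
        ':name'     => $f['name'],
        ':email'    => $f['email'],
        ':password' => password_hash($f['password'], PASSWORD_DEFAULT), // never the plain text
        ':country'  => $f['country'],
    ]);
    return $confirmCode;
}

// Headers for the confirmation mail: the validated address is the only recipient,
// and the From address is the site's own, not something taken from the form.
function confirmationMail(string $to, string $confirmCode): array {
    $headers = "From: noreply@example.com\r\nContent-Type: text/plain; charset=UTF-8";
    $body    = "Confirm your account: https://example.com/confirm.php?code=$confirmCode";
    return ['to' => $to, 'headers' => $headers, 'body' => $body]; // hand these to mail()
}

// Constructed inputs: a name with a quote in it, and a header-injection attempt.
$good = ['name' => "O'Brien", 'email' => 'obrien@example.com', 'country' => 'UK', 'password' => 'correct horse'];
$evil = ['name' => 'Bob', 'country' => 'UK', 'password' => 'hunter22',
         'email' => "bob@example.com\r\nBcc: victim1@example.com, victim2@example.com"];

$code = registerUser($pdo, $good);
$mail = confirmationMail($good['email'], $code);
echo "stored: ", $pdo->query('SELECT name FROM temp_members_db')->fetchColumn(), "\n";
echo "would mail {$mail['to']} with code $code\n";
try {
    registerUser($pdo, $evil);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The old mysql_* extension has no prepared statements, which is why the example uses PDO; mysqli works the same way. The name O'Brien is stored intact because the quote never touches the SQL text, and the second submission is thrown out at validation time before it gets anywhere near the database or mail().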

Moving swiftly on to the Sending forgotten password tutorial. I’d like to quote Katy here:

bloody hell, this is bad on so many levels...

Quite right. More unvalidated data being used in a database query, passwords stored in plain text (the only way a script can e-mail them back to people), and no confirmation that the request actually came from the account’s owner, so anybody can trigger a password e-mail for any user. Oh, the humanity.
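The usual way round all three problems is to never e-mail a password at all: store only a hash, and on a forgotten-password request send a one-time reset token to the address on file, so only whoever can read that mailbox can finish the reset. The following is an added example, not the tutorial’s code. It assumes PHP 7.4 or later with PDO and the SQLite driver (in-memory, so it runs offline); the table layout, the 30-minute token lifetime and the reset URL are assumptions.

```php
<?php
// Added example: a "forgotten password" flow that never handles a plain-text
// password. Table layout, token lifetime and the reset URL are assumptions;
// an in-memory SQLite database replaces the real one so the script runs offline.
declare(strict_types=1);

const TOKEN_LIFETIME = 1800; // seconds a reset link stays valid (assumed policy)

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$pdo->exec('CREATE TABLE password_resets (
    email TEXT NOT NULL, token_hash TEXT NOT NULL, expires_at INTEGER NOT NULL)');
$pdo->prepare('INSERT INTO members VALUES (?, ?)')
    ->execute(['alice@example.com', password_hash('old password', PASSWORD_DEFAULT)]);

// Step 1: the form only receives an e-mail address. Known or unknown, the page
// shows the same message, so the form cannot be used to enumerate accounts.
function requestReset(PDO $pdo, string $email): ?string {
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT 1 FROM members WHERE email = ?');
    $stmt->execute([$email]);
    if ($stmt->fetchColumn() === false) {
        return null;                        // unknown address: send nothing, say nothing
    }
    $token = bin2hex(random_bytes(32));     // only ever leaves the server inside the e-mail
    $pdo->prepare('INSERT INTO password_resets (email, token_hash, expires_at) VALUES (?, ?, ?)')
        ->execute([$email, hash('sha256', $token), time() + TOKEN_LIFETIME]);
    // Real code would mail "https://example.com/reset.php?token=$token" here (assumed URL).
    return $token;
}

// Step 2: only someone who could read that mailbox can present the token.
// The database holds a hash of it, so a leaked table does not leak usable links.
function completeReset(PDO $pdo, string $token, string $newPassword): bool {
    if (strlen($newPassword) < 8) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT email FROM password_resets WHERE token_hash = ? AND expires_at > ?');
    $stmt->execute([hash('sha256', $token), time()]);
    $email = $stmt->fetchColumn();
    if ($email === false) {
        return false;                       // unknown, expired or already used
    }
    $pdo->prepare('UPDATE members SET password_hash = ? WHERE email = ?')
        ->execute([password_hash($newPassword, PASSWORD_DEFAULT), $email]);
    $pdo->prepare('DELETE FROM password_resets WHERE email = ?')->execute([$email]); // single use
    return true;
}

// Constructed run-through.
$token = requestReset($pdo, 'alice@example.com');
var_dump(completeReset($pdo, 'not-the-token', 'new password 1'));  // a guessed token
var_dump(completeReset($pdo, $token, 'new password 1'));           // the genuine link
var_dump(completeReset($pdo, $token, 'new password 2'));           // the same link again
var_dump(requestReset($pdo, 'nobody@example.com'));                // an address not on file
```

Because the plain-text password is never stored, there is nothing for a stolen database to give away, and because the token is 256 bits of randomness from random_bytes(), guessing one is not a practical attack; the hashed copy in the table and the expiry and single-use rules limit the damage if a link leaks later.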

The Creating a simple PHP guestbook tutorial again inserts ‘dirty’ data into the database. The Upload and Rename File tutorial doesn’t check the files being uploaded, so a virus could be uploaded, or a PHP file that, once requested through the web server, runs with the site’s permissions: it could pull sensitive data out of the database (or even delete it), show passwords, delete or edit files, and so on. The PHP Login script tutorial is easily bypassed with a bit of SQL injection: enter “boob' or 'foo' = 'foo' --” as the username and the query now checks whether foo is equal to foo (which it obviously is), while the -- comments out everything after it, including the password check, rendering any password protection useless.
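To make the last two concrete, here is the login query assembled the tutorial’s way with that username, a login that cannot be bypassed like that, and a check for uploaded files that decides by content rather than by the name the browser sent. This is an added example, not code from the tutorials. It assumes PHP 7.4 or later with PDO, the SQLite driver and the fileinfo extension; the members table, the column names, the allowed image types and the constructed sample files are assumptions.

```php
<?php
// Added example: the login query built the tutorial's way, the bypass that
// results, a hardened login, and a content-based check for uploaded files.
// Table and column names and the allow-list are assumptions; an in-memory
// SQLite database and temp files stand in for the real ones so it runs offline.
declare(strict_types=1);

// The tutorial's approach: form values spliced into the SQL text.
function tutorialLoginQuery(string $username, string $password): string {
    return "SELECT * FROM members WHERE username='$username' and password='$password'";
}

$payload = "boob' or 'foo' = 'foo' --";
echo tutorialLoginQuery($payload, 'anything'), "\n";
// The query's own closing quote follows the "-- " and is swallowed by the comment
// along with the password clause; 'foo' = 'foo' makes the WHERE clause always true.

// Hardened login: the username is bound as data, the password checked against a hash.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$pdo->prepare('INSERT INTO members VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function login(PDO $pdo, string $username, string $password): bool {
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$username]);            // the payload is just a username nobody has
    $hash = $stmt->fetchColumn();
    if ($hash === false) {
        password_verify($password, $dummyHash); // same cost whether or not the user exists
        return false;
    }
    return password_verify($password, $hash);
}

var_dump(login($pdo, 'alice', 'correct horse'));
var_dump(login($pdo, 'alice', 'wrong'));
var_dump(login($pdo, $payload, 'anything'));

// Upload check: trust the bytes, not the filename or the Content-Type the browser
// sent, and never keep the original name. Returns the name to store under, or null.
const ALLOWED_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

function safeUploadName(string $tmpPath): ?string {
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if ($mime === false || !isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    // Random name plus an extension from the allow-list: no ".php" can ever land on disk.
    return bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
}

// Constructed uploads: a minimal GIF, and a PHP shell the attacker named "photo.jpg".
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x00\x00\x00");
$shell = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($shell, "<?php system(\$_GET['cmd']); ?>");

var_dump(safeUploadName($gif));
var_dump(safeUploadName($shell));
unlink($gif);
unlink($shell);
```

In a real handler the returned name is what you pass to move_uploaded_file(), into a directory the web server cannot execute scripts from (ideally outside the document root and served through a download script). The dummy password_verify() call in login() is there so that an unknown username takes as long to reject as a wrong password; without it, response time tells an attacker which usernames exist.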

So, phpeasystep.com, you’ve won the pants award:

[pants award]

Please clean up your tutorials; you’re putting people at risk.