Take care copy-and-pasting that code from Stack Overflow

Or indeed any other websites…

Graham Cluley


If you’re a computer programmer, you probably know Stack Overflow. It’s a very popular and really handy question-and-answer website devoted to answering programming questions.

In other words, if you find yourself in a fix trying to get your brain around a knotty PHP problem, there’s bound to be some helpful soul who knows the answer and will either answer your question or has already answered a similar one in the past.

So, all you have to do is go to Stack Overflow and get the answer you need. Right?


Well, hold your horses for one second.

Because have you ever considered that the code you are being offered might (unintentionally) contain a serious security flaw – such as being vulnerable to exploitation via SQL injection?

Laurent Cozic has published a project that examines PHP questions on Stack Overflow, and highlights those that contain SQL injection vulnerabilities. And with some nifty graphical charts he gives an indication of the scale of the problem.
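To give a concrete idea of what such a project has to look for, here is an added example (it is not Laurent Cozic’s code and does not come from this article): a small Python heuristic that flags PHP snippets where a request parameter is interpolated or concatenated straight into a SQL string, and lets a prepared-statement version through. The PHP snippets are constructed for the example, not taken from real Stack Overflow posts.

```python
import re

# Constructed PHP snippets of the kind seen in Stack Overflow questions (not real posts).
VULNERABLE = r'''
$name = $_GET['name'];
$result = mysql_query("SELECT * FROM users WHERE name = '$name'");
'''

CONCAT = r'''
$id = $_POST['id'];
$sql = "SELECT * FROM posts WHERE id = " . $id;
$res = mysqli_query($conn, $sql);
'''

SAFE = r'''
$stmt = $pdo->prepare("SELECT * FROM users WHERE name = :name");
$stmt->execute([':name' => $_GET['name']]);
'''

# Lines that look like they build a SQL statement.
SQL_KEYWORD = re.compile(r'\b(SELECT|INSERT|UPDATE|DELETE)\b', re.I)
# A PHP variable interpolated inside a double-quoted string: "... $name ..." or "... {$name} ..."
INTERPOLATED = re.compile(r'"[^"]*\$\{?(\w+)\}?[^"]*"')
# A PHP variable concatenated onto a string literal with the dot operator: "..." . $id
CONCATENATED = re.compile(r'"[^"]*"\s*\.\s*\$(\w+)')
# A taint source: a variable assigned directly from request data, e.g. $name = $_GET['name'];
TAINT_SOURCE = re.compile(r'\$(\w+)\s*=\s*\$_(GET|POST|REQUEST|COOKIE)\b')


def find_sqli(snippet):
    """Return the request-derived variable names that are built into a SQL string.

    This is a deliberately simple heuristic: it only tracks one assignment hop,
    so a tainted value copied through several variables would be missed, and a
    placeholder query (":name" with execute()) is correctly not reported.
    """
    tainted = {m.group(1) for m in TAINT_SOURCE.finditer(snippet)}
    findings = []
    for line in snippet.splitlines():
        if not SQL_KEYWORD.search(line):
            continue
        used = set(INTERPOLATED.findall(line)) | set(CONCATENATED.findall(line))
        findings.extend(sorted(v for v in used if v in tainted))
    return findings


if __name__ == "__main__":
    for label, code in (("VULNERABLE", VULNERABLE), ("CONCAT", CONCAT), ("SAFE", SAFE)):
        print(label, find_sqli(code))
```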

[Figure: Sql stack overflow 1]

It’s clear to see that approximately 1000 PHP-related questions on Stack Overflow contain SQL injection vulnerabilities every month.

Just how bad is that?

Well, as a proportion of all PHP MySQL-related questions, SQL injection vulnerabilities amount to around 40-50%.

[Figure: Sql stack overflow 2]

Ouch! With figures like this, is it any wonder that so many business websites are still shamefully spilling their customer details to such rudimentary hacking tricks as SQL injection?

Of course, it’s worth bearing in mind that Stack Overflow doesn’t have a monopoly on offering bad advice. You could cut-and-paste a SQL injection vulnerability from any number of sites offering advice on the internet.

So don’t be lazy. Always do your own checking of code you’re borrowing from someone else before you use it. Copy-and-pasting code without thinking can do a lot of harm.

Hat-tip: @mikko.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

3 comments on “Take care copy-and-pasting that code from Stack Overflow”

  1. coyote

    'Because have you ever considered that the code you are being offered might (unintentionally) contain a serious security flaw – suchj as being vulnerable to exploitation via SQL injection?'

    I presume 'suchj' is a typo and not playing with the fact many people don't properly sanitise input?

    As for copying/pasting code: the same goes for commands. You won't learn anything using something you don't understand, you won't remember it as well and it's also dangerous if you don't know what it does. No matter what anyone wants to believe there are many out there who have no problem intentionally misleading and outright harming (though misleading is in many ways more harmful in the long run).

  2. iya

    If you're a serious PHP or SQL programmer, knowing how to stop vulnerabilities isn't that hard. I don't think you'd copy and paste a bunch of stuff and just see that it works. I've hit Stack Overflow up for help hundreds of times but the most I've ever gathered were tiny things that weren't code because usually, the answers are so complicated they're way beyond homework and incomprehensible. Also, even if the code itself is flawed as is, the basic checklist of security flaws, if covered, would fix it. In that case, if the code works and you wouldn't get marked down or fired for stealing it, stealing it would be fine. I did an extra credit assignment in a web programming class where I learned PHP and SQL and it was all about security vulnerabilities and it's very easy to look them up. They are quite limited and easy to avoid.

  3. RGold

    I would also add that Stack Overflow does not represent their answers as hacker-hardened, production-ready examples employing security best practices. Like examples in a textbook, they illustrate one concept with an answer that is simple/simplistic (most of the time) and not meant to be mindlessly pasted into code projects destined for production.
