Why Do Coders Still Do This?



devinmaking
Oct 21st, 2011, 08:37 AM
Hi guys

I recently won my first project, which was on freelancer.co.uk. It was for next to nothing and not worth my time, but at the end of the day it's experience in what I am studying ;)

Anyway the job was "stop my website getting hacked".

As this was a basic CMS website I knew it would be easy-ish, but when looking through the code it strikes me that the only hacking going on is URL injection, as every page has:


<?php
// The value from the query string goes straight into the SQL text with no
// escaping or binding, so a crafted id value is parsed as part of the query.
$variable = $_GET['id'];

$query = "SELECT * FROM table WHERE id='".$variable."'";
$result = mysql_query($query);

I asked the person where and when she got her website coded, and she stated it was about 5 months ago by an Indian company from freelancer.com.

My friend who is a coder says to expect everyone who comes on your sites to want to take the site down, even the admins of the site; this way you will always be prepared!!

Why do coders still code without thinking that 30% of people out there will try to hack you?

MattF
Oct 21st, 2011, 12:37 PM
The customer likely got what they paid for. Good coders cost good money.

Fou-Lu
Oct 21st, 2011, 03:31 PM
30%? 100% in my book. No user is to be trusted, and should be treated as dirty. This includes anything that the user gives you.

I'm with MattF. Accepting the lowest bid is often a bad idea on any project. Given the above, it would be a trivial change to fix this, but that begs the question of why it's like this in the first place. With more features comes more complexity, and with more complexity come more bugs, so yeah, I can certainly see even security errors popping up in professional scripts. But this? This is just negligence in my book, which has no excuse from any "company" accepting paying contracts.
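The snippet devinmaking posted and the "trivial change" Fou-Lu refers to, side by side, as an added example that is not code from anyone in this thread. It builds an in-memory SQLite database through PDO (the table name, columns and rows are made up for the demonstration) so the same injected value can be sent through the concatenated query and through a prepared statement and the row counts compared. PDO stands in for mysql_query because the mysql_* functions have since been removed from PHP.

```php
<?php
// Added example, not the original poster's code. Requires the pdo_sqlite
// extension, which ships with most PHP builds. Table and rows are made up.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, secret INTEGER)");
$pdo->exec("INSERT INTO pages VALUES (1, 'Home', 0), (2, 'About', 0), (3, 'Admin notes', 1)");

// Vulnerable: the request value is concatenated into the SQL string, exactly
// as in the thread's snippet. Quotes inside $id end the literal early.
function vulnerableLookup(PDO $pdo, string $id): array
{
    $query = "SELECT * FROM pages WHERE id='" . $id . "'";
    return $pdo->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value is bound to a placeholder. The SQL text is fixed before the
// value is seen, so the database never interprets the value as SQL.
function safeLookup(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare("SELECT * FROM pages WHERE id = :id");
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A classic injection value, as it would arrive in ?id=... on the URL.
$payload = "1' OR '1'='1";

printf("concatenated, id=2:      %d row(s)\n", count(vulnerableLookup($pdo, '2')));
printf("concatenated, injected:  %d row(s)\n", count(vulnerableLookup($pdo, $payload)));
printf("prepared,     id=2:      %d row(s)\n", count(safeLookup($pdo, '2')));
printf("prepared,     injected:  %d row(s)\n", count(safeLookup($pdo, $payload)));
```

Run it with `php example.php`: the concatenated query returns every row (including the one flagged as secret) for the injected value because the WHERE clause has become `id='1' OR '1'='1'`, while the prepared statement returns no rows for it and one row for a legitimate id. For a column that is always an integer, casting first (`$id = (int) $_GET['id'];`) is a cheap extra check, but binding is what removes the injection. The 2011-era alternative, mysql_real_escape_string, only protects values that are wrapped in quotes and relies on the connection charset being set, which is why prepared statements are the better habit.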

tangoforce
Oct 21st, 2011, 04:27 PM
> Hi guys
> Anyway the job was "stop my website getting hacked".


You've been into PHP for 8 weeks and you're taking on security related projects? - No offence is intended when I say this, but don't you think that's a bit premature? - You could be held responsible for other attacks sneaking through that you don't even realise exist.

Seriously, if I were you, I would REALLY take more time to get comfy with PHP and learn it thoroughly otherwise you're going to seriously shoot yourself in the foot at some point.

Nothing wrong with being eager but running before you can walk is dangerous - trust me, I've done the very same thing and paid a harsh price for it.

Spookster
Oct 21st, 2011, 04:34 PM
Doesn't surprise me that it's a company from India. My company decided to start outsourcing some of our software engineering positions to India a few years ago to save money. We end up having to fix most of the software these Indian "engineers" send back to us which ends up costing the company more money than if we had just done it ourselves.

DJCMBear
Oct 21st, 2011, 04:44 PM
> Doesn't surprise me that it's a company from India. My company decided to start outsourcing some of our software engineering positions to India a few years ago to save money. We end up having to fix most of the software these Indian "engineers" send back to us which ends up costing the company more money than if we had just done it ourselves.

That's a little similar to my company, lol. Before I got on board they spent loads on outsourcing, and when they hired me they could get all their systems built by me, who was employed by them, so they didn't have to spend out $$$$$ or whatever on outsourcing. It is shocking how many companies do this; they think it saves them money, but in the long run they are only getting what they paid for, really, aren't they?

tangoforce
Oct 21st, 2011, 05:02 PM
I hope this doesn't sound racist, but there are quite a lot of them on this forum who come here asking for answers like "how to make a site like this site.com?"

When their level of English is a bit on the bad side I'm not surprised their code is often of bad quality.

The point is, if you want code that works you first need to use people that are fluent in your own language. Some Indians are very good with English but others are more interested in technical things than in learning to speak another language. E.g. I like programming but I would never want to learn French, so it would be pointless for a French company to hire me to write computer code for them (especially if they want French comments and variable names etc).

DJCMBear
Oct 21st, 2011, 05:22 PM
> I hope this doesn't sound racist, but there are quite a lot of them on this forum who come here asking for answers like "how to make a site like this site.com?"
>
> When their level of English is a bit on the bad side I'm not surprised their code is often of bad quality.
>
> The point is, if you want code that works you first need to use people that are fluent in your own language. Some Indians are very good with English but others are more interested in technical things than in learning to speak another language. E.g. I like programming but I would never want to learn French, so it would be pointless for a French company to hire me to write computer code for them (especially if they want French comments and variable names etc).

I agree. Even though coders from a different country may be better than some coders in the local town etc, that doesn't mean it will be the best idea to use them if they are not able to communicate, as that is where the phrase 'lost in translation' comes from: they could listen to you but not fully understand you, which could result in you paying for something which is totally different to what you asked for. This goes for everyone and not just Indians or, as you mentioned, the French.

devinmaking
Oct 21st, 2011, 06:40 PM
> You've been into PHP for 8 weeks and you're taking on security related projects? - No offence is intended when I say this, but don't you think that's a bit premature? - You could be held responsible for other attacks sneaking through that you don't even realise exist.
>
> Seriously, if I were you, I would REALLY take more time to get comfy with PHP and learn it thoroughly otherwise you're going to seriously shoot yourself in the foot at some point.
>
> Nothing wrong with being eager but running before you can walk is dangerous - trust me, I've done the very same thing and paid a harsh price for it.

I spoke with the person before I took the work, telling them I am studying and asking questions about their website.

She stated there is no user area and showed me the login for the admin area, which looks pretty secure as it is SHA1, and all POST variables were surprisingly secure!

The contact form does not go to database and only direct to email.

So all that is left is securing all GET, REQUEST and database inputs which even for a novice like me should be easy enough.

Just to make sure, I made the configuration folder hidden through .htaccess and also made the .htaccess hidden, just in case they did manage to get into the config folder and somehow find database information out.

I did tell her that hackers can still get in through other means like guessing passwords etc.

As it's a small site that is barely even on Alexa and only a brochure type website, I am happy that the measures I have taken should be enough, as no serious hacker would hack this site; it would be newbies who are trying things like injections etc.
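An added example of the .htaccess approach described above, not the poster's own file: an .htaccess dropped inside the configuration directory (the directory name config is assumed) that refuses every request for anything under it. Apache only honours it when AllowOverride permits, and it only changes anything for files the server would otherwise send back as-is (an .ini, a .bak or .txt copy of the config), since a .php file is executed rather than served; the stock httpd.conf already blocks requests for .ht* files, so the separate step to "hide" .htaccess is normally already covered. Keeping credentials outside the document root altogether is the more robust option.

```apache
# Added example: .htaccess placed inside the (assumed) config/ directory.
# Apache 2.4 syntax. On Apache 2.2 use the two lines
#   Order deny,allow
#   Deny from all
# instead of the Require directive.
Require all denied
```

A quick check after saving it: requesting any file under config/ in a browser should return 403 Forbidden; if the file is still served, AllowOverride is set to None for that path and the rule is being ignored.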

tangoforce
Oct 21st, 2011, 09:23 PM
> As it's a small site that is barely even on Alexa and only a brochure type website, I am happy that the measures I have taken should be enough, as no serious hacker would hack this site; it would be newbies who are trying things like injections etc.

That's what I thought about mine. It didn't take long for the attackers to find a way in. I learnt a lot from that.

I am giving you good honest advice: You are not experienced enough to be taking on security based PHP work.

Lamped
Oct 22nd, 2011, 12:22 AM
Two moderator related points:

1. Let's be mindful of racism.
2. Let's not be too critical of people actively noticing and wishing to fix security issues. It's admirable, not only for its rarity.

In my personal experience, a lot of programmers who consider themselves experts make a lot of stupid mistakes. I slipped up on an XSS issue only last week, and I'm known by my colleagues as extremely paranoid.

There will always be programmers taking short-cuts; it's what makes the hacking landscape so interesting, and why people like me are so invaluable. I guess the hope is there will be more people caring about sanitisation, pushing out those who don't.

Here's hoping.

tangoforce
Oct 22nd, 2011, 10:23 AM
Hi Lamped,

Sorry I wasn't trying to introduce racism, just trying to point out the language difficulties. I did also mention an example using the french to convey the point I was making.

As for the next comments you're spot on. Over confidence in your own programming skills (especially when new) is never a good thing. Experience is what matters.

DJCMBear
Oct 22nd, 2011, 06:23 PM
There is a fine line between racism and a critical statement about communication, but I personally don't think there is any racism in this thread, only a few statements of miscommunication between two people from different countries who don't fully understand each other. But I do see what you mean about trying not to go over the top with statements such as those.

Spookster
Oct 23rd, 2011, 12:05 AM
> There is a fine line between racism and a critical statement about communication, but I personally don't think there is any racism in this thread

I concur.

Our company has locations throughout the world and we have difficulties in many places often due to language and communication but with India it's not just the language/communication issue. The ones we are working with don't have good training and education when it comes to software engineering. They keep replacing them with new ones but the story doesn't change. It seems they spend all their time memorizing different languages but don't understand how to properly use them.

DJCMBear
Oct 23rd, 2011, 09:20 PM
This is where different countries think differently, which is to be expected, as no 2 people are the same, so why would it be any different for countries? I think in every single place there is at least one person who is a professional coder, whether that is with one language or more, but many companies always go for the cheapest option, which isn't always the best option, and like said before in this thread or a different thread which I was a part of, they get what they paid for.