425

Me Vs a PHP teacher

Him:
And to do login, we just do SELECT username WHERE password = (userinput)

Me:
Really? Checking raw userinput against plaintext password?

Him:
There is no point in doing it securely here because if they want, the students can go take a separate course on security

Me:
So no point in teaching students that they should write their code secure by default, and just leave it as an afterthought?

Him:
Yes, because this is how I have always done it

Me:
———

Him:
Okay, time for a break
*leaves room*

Me:
*Uses the break to teach all students about sql injection, password hash and salt, rainbow tables and user input sanitizing*

Him:
*comes back*

Students to teacher:
He's right. If you don't teach us to code securely by default, we are likely to end up causing a data leak or being hacked. If you don't teach us properly, there is no point in us coming here.

Me:
*Smiles at the teacher with a face that says: Pwnd*

Him:
Alright then, tell me what's wrong in my code

I was so proud that I helped the class understand secure by default principles
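The login the teacher sketched as `SELECT username WHERE password = (userinput)`, rewritten the way the rant argues it should be taught: a bound parameter for the lookup and a salted, slow hash instead of a plaintext compare. This is an added example, not code from the rant or the class; the table layout, the function names and the sample users are assumptions, and it runs against an in-memory SQLite database through PDO.

```php
<?php
// Added example, not code from the rant: the login the teacher described as
// "SELECT username WHERE password = (userinput)", rewritten secure by default.
// Runs stand-alone against an in-memory SQLite database through PDO; the
// table layout and the user records below are constructed for the demo.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');

// Registration: store a salted, slow hash, never the plaintext. password_hash()
// generates a fresh random salt per user (bcrypt by default), so two users with
// the same password get different hashes and precomputed rainbow tables are useless.
function registerUser(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: look the user up by username through a bound parameter, so the input
// is always data and can never change the structure of the query, then check
// the password against the stored hash. Selecting by password, as in the
// original query, also breaks as soon as two users share a password.
function login(PDO $db, string $username, string $password): bool
{
    // Hash of a throwaway value, computed once, so an unknown username costs
    // the same verify time as a wrong password and does not reveal which it was.
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-for-timing', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    // password_verify() re-derives the hash with the stored salt and compares
    // the result in constant time.
    return password_verify($password, $row['password_hash']);
}

// Constructed sample users; note that the two share a password.
registerUser($db, 'alice', 'correct horse battery staple');
registerUser($db, 'bob', 'correct horse battery staple');

var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, 'alice', 'not the password'));
var_dump(login($db, 'nobody', 'correct horse battery staple'));
```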

Comments
  • 90
    You’d make a good employee! Keep standing your ground, you’ll find your place
  • 73
    ...and a ++ for your teacher for giving in after all
  • 53
    r/thatHappened
  • 16
    Well done sir. Stop this madness before it starts!
  • 4
    Wish we could @amahlaka++ in this world, we need more of you 😁
  • 3
    College or Uni?
  • 6
    I’ll give him some credit, he didn’t return the password in that select statement.
  • 5
    The whole thing sounded exactly like my last school, except teachers never gave in because it wasn't on the planning and they are "not allowed" to change the planning halfway through a year.
  • 2
    Well done, good job! :) I wish I had more people like you, and less like the ones I have to work with :(
  • 7
    The fact that he didn’t complain is more amazing
  • 6
    I love this. I really do. At the start I hated it but he welcomed the change, as a teacher (I'm not) I would be very proud that my students questioned me. Especially in this field, data security is a real deal. Teach it early and stop bad practices
  • 2
    good job!
  • 2
    A true hero.
  • 4
    Holy shit that's amazing!

    Poor teacher tho. He's just ignorant!
  • 10
    Then everyone stood up and clapped
  • 1
    Come on man. It's just a sample. It's easier to understand for those less gifted than you
  • 2
    @Bootleg nope, some schools are really that shit. In my last year I told the teachers: either I'm sick for the rest of the year or you have to be open to learning something.

    After that I had to teach them two hours a week, told them as much as I could about git, frameworks, security and the like.

    I heard from an intern that next year they did mention git but didn't explain it. That's at least better than not mentioning it at all.
  • 2
    And then everyone stood up and clapped?
  • 1
    Smug face time! Great job man 👍
  • 6
    Good story. Good for you.

    The only thing that bothers me A LOT is the SQL query.

    'SELECT username WHERE password=(userinput)'?

    What if two people have the same password?
  • 2
    @antorqs I think it was merely an example, but yeah, that wouldn't be a sufficient query.
  • 5
    @xewl Yeah I thought, but I like my queries like my stories: well written xD
  • 2
    Where's the fight?

    I am here for action.
  • 1
    you deserve all cookies and beers in this world :D
  • 3
    @c3ypt1c r/nothingEverHappens
  • 1
    Good on you for not letting the teacher get away with lazy practices let alone teaching others to do the same.
  • 1
    @C0D4 yeah but that was taking raw input. Someone could coerce it into returning that.
  • 2
    @antorqs It's like how I like my pot, I guess.

    Stirred, not shaken.
  • 1
    Do php teachers really exist?
  • 1
    We need more people with this mindset, the real teachers 😁
  • 1
    I can't upvote this more than once so I'm also leaving a comment. That is all
  • 2
    You put that awful teacher in their place. ++ & kudos
  • 2
    Sounds like the teacher is just trying to get by on the bare minimum, not a passionate educator at all.
  • 3
    Now they’ll just do md5($password); so much more secure 🙄
  • 1
    Rofl just hacked my stackadmin s+hhttttttt 😁😎
  • 1
    Props to you for boss level teaching skills and initiative, and to the teacher for accepting and adapting.
  • 1
    @MatthewSamms I did teach them about salting as well, and hash collisions and rainbow tables
  • 0
    So did you also talk about PDO and/or prepared statements?
  • 1
    I'm not entirely on your side. You don't need to learn every detail on the first go. It could be overwhelming for some. Though it depends on what the actual topic at hand was. Also I agree he should at least emphasise that's the wrong way to do it.
  • 0
    @WildOrangutan Never learn an insecure way to do something...

    It's not like they put a newbie in a crane and tell him: "just lift some things with it, next year I will tell you how to do it in a secure manner"

    You don't have to tell them the most complicated instruction and they can take a bit more time, but teaching wrong code is never good
  • 0
    I never was taught this either :( sad education
  • 0
    While your teaching the students was a great move, the teacher's insistence on teaching different topics in different courses does make sense.

    Still, good job!
  • 0
    @amahlaka well done! And 2 claps to your professor for caving in and not being a jerk
  • 1
    @Floydian You do penetration testing?!
  • 1
    @litesam126 Nope. Manual.
  • 1
    Exactly! One lazy teacher is not an excuse to not clean your code. It's like teaching surgery without washing your hands.
  • 1
    I once went through the codebase of the FosUserBundle and was surprised to see a for loop over the hash comparison instead of `generatedPasswordHash == storedHash`.

    It turns out that they want to enforce that the password comparison process takes the same amount of time when a hacker tries to do a timing attack. (foo == bar would be false quickly, bao == bar would be false less quickly).

    Security is hard.

    Really makes you think if you should implement your own user management (spoiler: you shouldn't). It's worth reading the implementation though if you ever have to. You won't think of all vectors of attack.
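The comparison loop the commenter describes, written out beside PHP's built-in `hash_equals()`, plus the other reason `==` is the wrong operator for hashes in PHP. This is an added example, not the commenter's code and not FOSUserBundle's; the function name `constantTimeEquals` and the sample strings are assumptions.

```php
<?php
// Added example, not code from the comment or from FOSUserBundle: the loop
// comparison the commenter describes, beside PHP's built-in hash_equals().
// The hex strings below are sample values chosen for the demo.

// A byte-by-byte comparison whose running time depends only on the length of
// the strings, not on where the first differing byte is: every byte is visited
// and the differences are OR-ed together instead of returning at the first mismatch.
function constantTimeEquals(string $known, string $user): bool
{
    if (strlen($known) !== strlen($user)) {
        return false;   // the length of a fixed-size hash is not a secret
    }
    $diff = 0;
    for ($i = 0, $n = strlen($known); $i < $n; $i++) {
        $diff |= ord($known[$i]) ^ ord($user[$i]);
    }
    return $diff === 0;
}

$stored    = 'a3f1c0de9b7e5d2f0123456789abcdef';   // sample stored "hash"
$submitted = 'a3f1c0de9b7e5d2f0123456789abcdeX';   // differs only in the last byte

var_dump(constantTimeEquals($stored, $submitted));
// PHP 5.6 and later ship the same check natively; prefer it over a hand-rolled loop.
var_dump(hash_equals($stored, $submitted));

// A second reason not to use == on hashes in PHP: two different hex digests that
// both look like "0e<digits>" are numeric strings with the value zero, so == compares
// them as numbers and reports a match. hash_equals() compares the bytes.
$digestA = '0e462097431906509019562988736854';
$digestB = '0e830400451993494058024219903391';
var_dump($digestA == $digestB);
var_dump(hash_equals($digestA, $digestB));
```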
  • 1
    also select username where password=userinput.................. what if 2 users have the same password......
  • 1
    also PHP........................................