618
amahlaka
76d

Me Vs a PHP teacher

Him:
And to do login, we just do SELECT username WHERE password = (userinput)

Me:
Really? Checking raw userinput against plaintext password?

Him:
There is no point in doing it securely here because if they want, the students can go take a seperate course on security

Me:
So no point in teaching students that they should write their code secure by default and just leave it as a afterthought?

Him:
Yes, because this is how i have always done it

Me:
———

Him:
Okay, time for a break
*leaves room*

Me:
*Uses the break to teach all students about sql injection, password hash and salt, rainbow tables and user input sanitizing*

Him:
*comes back*

Students to teacher:
He's right, if you dont teach us to code securely by default, we are likely to end up causing a data leak or be hacked, if you dont teach us properly we have no point coming here

Me:
*Smiles at the teacher with a face that says: Pwnd*

Him:
Alright then, tell me whats wrong in my code

I was so proud that i helped the class understand secure by default principles

Comments
  • 132
    You’d make a good employee! Keep standing your ground you’ll find your place
  • 110
    ...and a ++ for your teacher for giving in after all
  • 88
    r/thatHappened
  • 23
    Well done sir. Stop this madness before it starts!
  • 3
    Wish we could @amahlaka++ in this world, we need more of you 😁
  • 2
    College or Uni?
  • 12
    I’ll give him some credit, he didn’t return the password in that select statement.
  • 6
    The whole thing sounded exactly like my last school, except teachers never gave in because it wasn't on the planning and they are "not allowed" to change the planning halfway through a year.
  • 2
    Well done, good job! :) I wish I had more people like you, and less like the ones I have to work with :(
  • 10
    The fact that he didn’t complain it more amazing
  • 6
    I love this. I really do. At the start I hated it but he welcomed the change, as a teacher (I'm not) I would be very proud that my students questioned me. Especially in this field, data security is a real deal. Teach it early and stop bad practices
  • 4
    A true hero.
  • 5
    Holy shit that's amazing!

    Poor teacher tho. He's just ignorant!
  • 14
    πŸ€”
  • 19
    Then everyone stood up and clapped
  • 2
    come on man. its just a sample. its easier to understand for them less gifted than you
  • 2
    @Bootleg nope some schools are really that shit. In my last year I said the teachers: either im sick the rest of the year or you have to be open to learn something.

    After that I had to teach them two hours a week, told them as much as I could about git, frameworks, security and the like.

    I heard from an intern that next year they did mention git but didnt explain it. Thats at least better than not mentioning at all.
  • 7
    And then everyone stood up and clapped?
  • 1
    Smug face time! Great job man πŸ‘
  • 11
    Good story. Good for you.

    The only thing that bothers me A LOT is the SQL query.

    'SELECT username WHERE password=(userinput)'?

    What if two people has the same password?
  • 4
    @antorqs I think it was merely an example, but yeah, that wouldn't be a sufficient query.
  • 5
    @xewl Yeah I thought, but I like my queries like my stories: well written xD
  • 2
    Where's the fight?

    I am here for action.
  • 2
    you deserve all cookies and beers in this world :D
  • 5
    @c3ypt1c r/nothingEverHappens
  • 1
    Good on you for not letting the teacher get away with lazy practices let alone teaching others to do the same.
  • 1
    @C0D4 yeah but that was taking raw input. Someone could coerce it into returning that.
  • 2
    @antorqs It's like how I like my pot, I guess.

    Stirred, not shaken.
  • 3
    Do php teachers really exist?
  • 1
  • 1
    Whe need more people whit this mindset the real teachers 😁
  • 1
    I cant upvote this more than once so I'm also leaving a comment. That is all
  • 2
    You put that awful teacher in their place. ++ & kudos
  • 2
    Sounds like the teacher is just trying to get by on the bare minimum, not a passionate educator at all.
  • 3
    Now they’ll just do md5($password); so much more secure πŸ™„
  • 2
    Rofl just hacked my stackadmin s+hhttttttt 😁😎
  • 1
    Props to you for boss level teach skills and iniciative and to the teacher for accepting and adapting.
  • 1
    @MatthewSamms i dod teach them about selting as well andhash collisions and rainbowtables
  • 0
    So you also talk about PDO or/and prepared statement ?
  • 3
    I'm not entirely on your side. You don't need to learn every detail on the first go. It could be overwhelming for some. Tough it depends on what the actual topic at hand was. Also I agree he should at least emphasise that's the wrong way to do it.
  • 0
    @WildOrangutan Never learn a insecure way to do something...

    Its not like they put a newbie in a crane and tell him: "just lift some things with it, next year I will tell you how to do it in a secure manner"

    You dont have to tell them the most complicated instruction and they can take a bit more time but teaching wrong code is never good
  • 0
    I never was taught this either :( sad education
  • 0
    While you teaching the students was a great move, the teacher's insensitive for teaching different topics at different courses does make sense.

    Still, good job!
  • 3
    @amahlaka well done! And 2 claps to your professor for caving in and not being a jerk
  • 1
    @Floydian You do penetration testing?!
  • 1
    @litesam126 Nope. Manual.
  • 1
    Exatly! One lazy teacher is not an excuse to not clean your code. It's like teaching surgery without washing your hands.
  • 1
    I once went through the codebase of the FosUserBundle and was surprised to see a for loop over the hash comparison instead of `generatedPaaswordHash == storedHash`.

    It turns out that they want to enforce that the password comparison process takes the same amount of time when hacker tries to do a timing attack. (foo == bar would be false quickly, bao == bar would be false less quickly).

    Security is hard.

    Really makes you think if you should implement your own user management (spoiler: you shouldn't). It's worth reading the implementation though if you ever have to. You won't think of all vectors of attack.
  • 2
    also select username where password=userinput.................. what if 2 users have the same password......
  • 1
    also PHP........................................
  • 1
    what are rainbow tables?
  • 2
    @vhoyer it's where the unicorns eat supper
  • 1
    @vhoyer files with pre-seeded combinations of character-sets.
  • 1
    And everyone clapped, right?
  • 0
    @FitzSuperUser fuck that shit @amahlaka has the makings of an owner of the business and being an influencer. It would be such a shame to see such an attitude be wasted working for someone else.
  • 0
    @codeRetard I run my own business πŸ€” I need people like that 🀷‍♂️
  • 0
    If true - your teacher is pretty cool for going along and letting you correct him
  • 1
    πŸ˜’ Even though the teacher could have *mentioned* hash and injection, if the topic is the language, don't expect going deep in other matters. What else did you want in this class? OAuth2?

    πŸ‘Thumbs up for enlightening your colleagues.

    πŸ‘ŽThumbs down for making the teacher look bad in front of everyone.

    Do the right thing. But also, be nice. Always be nice.
  • 0
    @gosubinit the ppint i wanted to make is that he should at least mention while teaching that the method he is using is not secure at all
  • 0
    @gosubinit some teachers you are allowed to look bad because they are.
  • 0
    @amahlaka
    As long as that was your only intension :)

    I'm just thinking from the teachers perspective here, they came to teach you about SQL, not security. They might not actually understand the aspects of security you do, they mightn't have even heard of hashing. My point is, you don't know, and you risk making them look bad, and while I can understand it would feel good being right, that security should be mentioned, it's not their job to make sure you don't get hacked.

    They're teaching you how to make queries, they're teaching you SQL, and if the course structure just so happens to have separated SQL and security, then they will not teach that, though while I agree a mention would be great, in my personal opinion, it would have been better to keep the thought to your fellow students rather than getting the teacher to, you did the mention, best leave it at that, eh? :)

    That said - it's not black or white, there are truths to each side, keep up the great job ranting! 😁
  • 0
    @coolq it was php class
  • 0
    @amahlaka
    That's not exactly my point :)
  • 0
    Dude... Lol ... I did all my programming courses in University and never heard about sql injection nor design patterns not even a glimpse on what security is. The shit they teach us in these universities is beyond obsolete!
  • 0
    This story is so fake, it makes me cringe
  • 0
    @AI-Overlord because teachers never admit mistakes?
Your Job Suck?
Get a Better Job
Add Comment