Back when I was a kid, there was a lot of talk about website defacement.

Y'know, when someone would break into some high-profile site and replace it with some message about how "xXwhateverXx Waz Hear".

Now, this was in the golden age of Wordpress¹, so the only thing really keeping anyone out was...²

Now, there are ways to harden this.³

• Rate-limiting.
• Better password hashes.
• Longer, more complex passwords.
• Something about correctly reminiscing about horses and battery staples.
• Password managers.
• Two-factor authentication.⁴
• Passkeys.
• Making it someone else's problem.

But... does our public webpage need all this stuff at all? Can't we just... remove the admin interface completely?

No online page editor (we can run that as a separate local application anyway..), no "upload this plugin to install"⁵, no account system at all.

Genius! Why hadn't anyone thought of that before?⁶

So I ran off to SourceForge⁷ to register the project. I remember the pure excitement I felt, seeing the email a few days later that it had been approved.⁸

Well then. No excuses left, time to write some PHP!⁹ Showing one page is easy enough..¹⁰

<?php
$cursor = mysql_query("SELECT content FROM pages");
$row = mysql_fetch_assoc($cursor);
echo $row['content'];

Well, that was simple!¹¹

But what about subpages? Fancy custom URLs like /my/cool/subpage are a bit trickier in PHP, but /?page=1234 is just a $_GET away!

<?php
$page = isset($_GET['page']) ? $_GET['page'] : 1;
$cursor = mysql_query("SELECT content FROM pages WHERE id=$page");
$row = mysql_fetch_assoc($cursor);
echo $row['content'];

Close enough, and simple enough to be invulnerable!¹² We're done here, time for mellis.

...okay, you might see where this is going. A while later, I saw something concerning.

A CVE¹³? For my toy project?!
It's kind of funny, there's this.. intense sense of dread about the situation ("Oh $DEITY, what did I fuck up?!"). But to child me there was also a surprise that there was someone out there. That someone was paying attention to the thing that I had built. That.. it mattered, in some faint way.¹⁴

But back to the issue at hand.. What was the actual problem? A visit from Li'l Bobby Tables.

The code assumes that ?page=1 is a number, but.. It's just text. It could be anything. And the database would have no idea what part was the query, and what was the (untrusted) data. It could be /?page=1 OR 1=1. Which would get spliced into the database query, returning some arbitrary page at random. Or it could modify the database somehow, or return something more sensitive.

I think the big takeaway here is that.. I had decided that it shouldn't do the dangerous thing.¹⁵ But hubris led me to think that that was it. That I had the one brilliant idea that had Solved™ the security of the whole application.

I hadn't thought properly about how to constrain it, how to prevent it from how to end up accidentally doing the bad thing anyway.

I should have used a prepared statement. Or escaped it. Or made sure that it actually was a number, and nothing else. I should have made sure to run it as an unprivileged database user, with no permission to modify things anyway.¹⁶

But I didn't know that. Didn't know that I should look for that. Because I was Secure™.

At least, when I hear people today talking about how Secure™ they are.. I can't help but think back to 12-year-old me. And how Secure™ she "was".

Because security isn't one magic trick. It's a process. And it's learning how to learn, and what to learn. And we could all use some humble pie on a regular basis.