Not because beginner guides aren’t useful or good – we all started out with them (and despite the truly insulting title, I find the Dummies line of books to be great introductions, great “beginner’s books”).
It’s because of a small subset of those books – beginner’s books on online programming topics, like PHP, Perl, MySQL, Ajax, JavaScript, and so on.
The reason – teaching BEGINNING online programming teaches you just enough to be dangerous to yourself and others!
I can teach you PHP, and I can call it a beginner’s guide – but if I leave out security programming, then I’ve done worse than nothing – I’ve given you just enough details to think you can write safe code – but you can’t, and you will pay dearly for it.
For example, most beginner’s books talk about getting in form data with a command like this (here in PHP):
$x=$_POST['x'];
Sounds good – but that line holds a huge amount of pain if that’s all the teaching that goes into it:
- Is the result going to be put onto a web page? Then unless it’s displayed properly, it can open a giant security breach on your website.
- Perhaps it’s going into your database? Again, without careful filtering, you could have one of those famous ‘injection attacks’ we hear so much about.
- Or maybe you’ll just make use of it in subsequent code? Fine – as long as you’ll realize that that information can be (and may well be) ANYTHING.
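To make the three cases concrete, here is an added example (not code from the original post) showing the unsafe pattern beside a hardened one for each: encoding the value before it goes onto a page, using a prepared statement before it goes into a database, and validating it before later code relies on it. The `$pdo` connection, the `comments` table, the `x` field, and the "small positive integer" expectation are all assumptions made for illustration; the sample `$_POST` value is constructed.

```php
<?php
// Added example: the three places the post names where a raw $_POST value
// does damage. The table name, field name and expected value range are
// assumptions for illustration.

// Constructed sample input standing in for whatever a browser (or anyone
// with curl) actually sent to the form handler.
$_POST['x'] = "<script>alert(1)</script>' OR '1'='1";

// 1. Output to a web page.
// Unsafe: echo "<p>$x</p>";  -> the <script> tag runs in every visitor's browser.
// Hardened: encode for the HTML context the value lands in.
function renderComment(string $x): string {
    return '<p>' . htmlspecialchars($x, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// 2. Storing in the database.
// Unsafe: $pdo->query("INSERT INTO comments (body) VALUES ('$x')");
//         -> the quote in the input breaks out of the string literal.
// Hardened: a prepared statement keeps the data out of the SQL grammar.
function storeComment(PDO $pdo, string $x): void {
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $x]);
}

// 3. Using it in later code: treat it as untrusted until it has been
// validated against what the code actually expects. Here we assume the
// field should be an integer between 1 and 100; anything else is rejected.
function readQuantity(array $post, string $key): ?int {
    if (!isset($post[$key])) {
        return null;
    }
    $n = filter_var($post[$key], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 100],
    ]);
    return $n === false ? null : $n;
}

$x = $_POST['x'];

echo renderComment($x), PHP_EOL;      // tags arrive as &lt;script&gt;, not markup
var_dump(readQuantity($_POST, 'x'));  // NULL: not a valid quantity, so not used

// The database step needs a connection; an in-memory SQLite database keeps
// the example self-contained (requires the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');
storeComment($pdo, $x);
$row = $pdo->query('SELECT body FROM comments')->fetch(PDO::FETCH_ASSOC);
var_dump($row['body'] === $x);        // bool(true): stored verbatim, SQL untouched
```

The point of the third function is the one the post makes last: the value can be anything, so the code decides what it will accept rather than what it will refuse, and rejects everything else.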
It’s not a minor thing – people online delight in seeing what a form can “take” (I know, I’ve done it too). And there’s some people out there that aren’t just having fun – it’s serious (and illegal) business for them. Crack a site, and there’s a new base of operations for nasty stuff – and YOU pay the price for it.
So to everyone offering “beginner’s guides” for online programming (and you know who you are) – add a solid chapter on security to it. If you don’t, then you’re hurting everyone – by giving beginners a false (and dangerous) sense of accomplishment, and providing the rest of us problems needing to be cleaned up.