Project Feedback!

[codepathreview]

Hello lei,

👍 Nice work! In order to learn web security, we have to learn the basics of web development. Because web development isn't the goal of this course, everyone will receive the same UI score, so you can focus on the security aspects of the course.

We're using PHP because Facebook is sponsoring this course, but it's also the easiest framework to demonstrate some of these security issues. PHP without a framework is very similar to Sinatra (Ruby) or Flask (Python), which are two very popular barebones web frameworks. Modern PHP with a framework is very similar to Rails and Django. All of the tasks in the weekly projects are very similar and applicable to what you would need to do in Ruby or Python.

The purpose of this assignment was to explore the following concepts:

• Setting up a database table.
• Handling GET vs POST requests.
• Doing server-side form validation.
• Displaying form errors.

To evaluate your understanding this week, you should try to answer the following questions:

• How are form values sent to the URL in the form action?
• How can PHP access form values?
• How do you interpolate a variable into a string in PHP?
• What sanitization does PHP do automatically?
• When using PHP's mysqli_connect() to connect to MySQL, what gets returned?
• What does mysqli_fetch_assoc() do besides return a row of data?
• What happens if a loop's condition is never met?
• Why is it a good practice to use "LIMIT 1" when updating a MySQL record?
• What types of problems could arise if all validations were removed?
• Why should form attributes still be assigned values if a form has errors?
• What potential problem would the last name "D'Angelo" create for the database?

If you have any particular questions about the assignment or the feedback, email us at universitysupport@codepath.com.

[codepathreview]

Hello lei. 👍 Nice work! Now that we've been exploring XSS and SQL injection attacks, hopefully you have more appreciation for the other side of things, which is sanitizing input and output to defend against these attacks. Even though these attacks have existed in the web for many years, it's still incredibly easy to introduce these vulnerabilities, even when using all the latest web frameworks.

Check out recent reported XSS vulnerabilities here. As you can see, there have been over 2 dozen found just in the first few months of 2017 in major brands such as Wordpress, Adobe, Cisco, and Steam.

If you have any particular questions about the assignment or the feedback, email us at universitysupport@codepath.com.

[codepathreview]

:+1: Nice work! You have learned to prevent the most critical web development vulnerabilities. These are far from the only pitfalls in web development, but they are the most commonly exploited. Through them, you should also have a broad understanding of the types of targets hackers choose and the techniques used to exploit them. Other exploits are similar and often involve small variations on these vulnerabilities.

Make sure you have a firm grasp on the following concepts. You should be able to describe in words to someone else how each vulnerability could be exploited, why hackers would want to exploit it, and how to prevent it.

• Cross-Site Scripting
• SQL Injection
• Cross-Site Request Forgery
• Cookie Theft and Manipulation
• Session Hijacking
• Session Fixation

If you have any particular questions about the assignment or the feedback, email us at universitysupport@codepath.com.

[codepathreview]

Hello Iei,

Looks like you are missing some of the required user stories: Objective 8 - "identification of double agent". Once you've completed the requirements, please push your updates, update your README, update your gif and submit your assignment again so we can regrade it.

Whenever you make updates to your project that require re-grading, you need to re-submit your project using the submit button on the associated assignment page in the course portal. This will flag your project as “updated” on our end and we know to re-grade.

You should re-submit your assignment anytime you:

• Update a previously incomplete assignment
• Add optional and additional features to an already completed assignment

[codepathreview]

Hello Iei,

:+1: Nice work! User authentication has become a standard feature of almost every modern web application. But knowing how to authenticate is not enough, developers must know the common security pitfalls and how to avoid them.

Key points to remember:

• Always encrypt passwords before storing them!
• Require users to choose strong passwords (long, diverse characters).
• Use a secure password algorithm, like Blowfish/Bcrypt.
• Salts are added to passwords to make them unique and harder to crack.
• Log in throttling makes brute force attacks and password guessing ineffective.
• Do not accidentally reveal which usernames exist. (Username enumeration)

If you have any particular questions about the assignment or the feedback, email us at universitysupport@codepath.com.