Here are the side-by-side vulnerable vs secure patterns for each of the PHP, Node.js, Java EE, Flask technology. I’ll show you:
- 🔴 Vulnerable pattern (source level)
- ✅ Secure alternative (with library/framework fix)
- 🛠Explanation (low-level reason why secure)
🟥 PHP – Vulnerable vs Secure
- SQL Injection
// 🔴 Vulnerable
$id = $_GET['id'];
$result = mysqli_query($conn, "SELECT * FROM users WHERE id = $id");
// ✅ Secure
$stmt = $conn->prepare("SELECT * FROM users WHERE id = ?");
$stmt->bind_param("i", $_GET['id']);
$stmt->execute();
🛠Prepared statements keep SQL and data separate at the C API level (mysql_stmt_execute).
- XSS
// 🔴 Vulnerable
echo "Welcome " . $_GET['name'];
// ✅ Secure
echo "Welcome " . htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
🛠htmlspecialchars() escapes <, >, ", preventing browser from executing injected JS.
- File Inclusion
// 🔴 Vulnerable
include($_GET['page'] . ".php");
// ✅ Secure
$whitelist = ["home", "about"];
if (in_array($_GET['page'], $whitelist)) {
include($_GET['page'] . ".php");
}
🛠Whitelisting avoids attacker-controlled filesystem access.
- Unrestricted Upload
// 🔴 Vulnerable
move_uploaded_file($_FILES['file']['tmp_name'], "uploads/" . $_FILES['file']['name']);
// ✅ Secure
$ext = pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION);
if (!in_array($ext, ["jpg","png"])) exit("Invalid file");
move_uploaded_file($_FILES['file']['tmp_name'], "uploads/" . basename($_FILES['file']['name']));
🛠Ensures only safe extensions, strips path.
- Command Injection
// 🔴 Vulnerable
system("ping " . $_GET['host']);
// ✅ Secure
$host = escapeshellarg($_GET['host']);
system("ping " . $host);
🛠escapeshellarg() quotes input before shell expansion.
- Weak Hash
// 🔴 Vulnerable
$hash = md5($password);
// ✅ Secure
$hash = password_hash($password, PASSWORD_BCRYPT);
🛠password_hash() uses bcrypt/argon2 under crypt().
- Session Fixation
// 🔴 Vulnerable
session_id($_GET['sid']);
session_start();
// ✅ Secure
session_start();
session_regenerate_id(true);
🛠session_regenerate_id() prevents reuse of attacker-supplied IDs.
- Unserialize RCE
// 🔴 Vulnerable
$obj = unserialize($_POST['data']);
// ✅ Secure
$obj = json_decode($_POST['data'], true);
🛠JSON parsing does not trigger PHP magic methods (__wakeup).
- IDOR
// 🔴 Vulnerable
$file = "uploads/" . $_GET['file'];
readfile($file);
// ✅ Secure
if (userOwnsFile($_SESSION['uid'], $_GET['file'])) {
readfile("uploads/" . $_GET['file']);
}
🛠Access control tied to session owner.
- Header Injection
// 🔴 Vulnerable
header("Location: " . $_GET['url']);
// ✅ Secure
$url = filter_var($_GET['url'], FILTER_VALIDATE_URL);
header("Location: " . $url);
🛠Validation blocks CRLF injection.
🟩 Node.js – Vulnerable vs Secure
- Eval Injection
// 🔴 Vulnerable
eval(req.query.code);
// ✅ Secure
vm.runInNewContext(req.query.code, {}, { timeout: 1000 });
🛠vm sandbox isolates execution.
- Prototype Pollution
// 🔴 Vulnerable
Object.assign(obj, JSON.parse(req.body.data));
// ✅ Secure
const safe = JSON.parse(req.body.data, (k,v) => k === "__proto__" ? undefined : v);
Object.assign(obj, safe);
🛠Filters dangerous prototype keys.
- NoSQL Injection
// 🔴 Vulnerable
User.findOne({ username: req.body.username });
// ✅ Secure
User.findOne({ username: String(req.body.username) });
🛠Casting to string prevents $ne operators.
- Command Injection
// 🔴 Vulnerable
exec("ls " + req.query.dir);
// ✅ Secure
execFile("ls", [req.query.dir]);
🛠execFile() passes args directly to syscall, no shell parsing.
- Path Traversal
// 🔴 Vulnerable
res.sendFile(__dirname + "/files/" + req.query.file);
// ✅ Secure
res.sendFile(path.join(__dirname, "files", path.basename(req.query.file)));
🛠Normalizes to prevent ../.
- Insecure Cookie
// 🔴 Vulnerable
res.cookie("sid", sid);
// ✅ Secure
res.cookie("sid", sid, { httpOnly: true, secure: true, sameSite: "Strict" });
🛠Flags prevent JS access, CSRF.
- Insecure Deserialization
// 🔴 Vulnerable
let data = JSON.parse(req.body);
// ✅ Secure
let data = safeJsonParse(req.body);
🛠Use a hardened parser, validate schema.
- Regex DoS
// 🔴 Vulnerable
/(a+)+$/.test(req.query.input);
// ✅ Secure
new RegExp("^[a-z]{1,30}$").test(req.query.input);
🛠Bounded regex avoids catastrophic backtracking.
- CORS Misconfig
// 🔴 Vulnerable
res.setHeader("Access-Control-Allow-Origin", "*");
// ✅ Secure
res.setHeader("Access-Control-Allow-Origin", "https://trusted.com");
🛠Restricts cross-origin access.
- XSS
// 🔴 Vulnerable
res.send("Hello " + req.query.name);
// ✅ Secure
res.send("Hello " + escapeHtml(req.query.name));
🛠Escape user input before HTML context.
🟨 Java EE – Vulnerable vs Secure
- SQL Injection
// 🔴 Vulnerable
stmt.executeQuery("SELECT * FROM users WHERE id=" + request.getParameter("id"));
// ✅ Secure
PreparedStatement ps = conn.prepareStatement("SELECT * FROM users WHERE id=?");
ps.setInt(1, Integer.parseInt(request.getParameter("id")));
- XSS
// 🔴 Vulnerable
out.println(request.getParameter("name"));
// ✅ Secure
out.println(StringEscapeUtils.escapeHtml4(request.getParameter("name")));
- LDAP Injection
// 🔴 Vulnerable
String filter = "(uid=" + request.getParameter("user") + ")";
// ✅ Secure
String filter = "(uid={0})";
SearchControls sc = new SearchControls();
ctx.search("ou=users,dc=example,dc=com", filter, new Object[]{request.getParameter("user")}, sc);
- Deserialization
// 🔴 Vulnerable
Object obj = new ObjectInputStream(request.getInputStream()).readObject();
// ✅ Secure
ObjectMapper mapper = new ObjectMapper();
User user = mapper.readValue(request.getInputStream(), User.class);
- Command Injection
// 🔴 Vulnerable
Runtime.getRuntime().exec("ping " + request.getParameter("host"));
// ✅ Secure
ProcessBuilder pb = new ProcessBuilder("ping", request.getParameter("host"));
- Path Traversal
// 🔴 Vulnerable
File f = new File("/data/" + request.getParameter("file"));
// ✅ Secure
File f = new File("/data/", Paths.get(request.getParameter("file")).getFileName().toString());
- Weak Crypto
// 🔴 Vulnerable
MessageDigest md = MessageDigest.getInstance("MD5");
// ✅ Secure
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
- Session Fixation
// 🔴 Vulnerable
String sid = request.getParameter("JSESSIONID");
// ✅ Secure
request.getSession().invalidate();
request.getSession(true);
- Open Redirect
// 🔴 Vulnerable
response.sendRedirect(request.getParameter("url"));
// ✅ Secure
if (request.getParameter("url").startsWith("/app")) {
response.sendRedirect(request.getParameter("url"));
}
- XXE
// 🔴 Vulnerable
dbf.newDocumentBuilder().parse(uploadedXML);
// ✅ Secure
dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
🟦 Python Flask – Vulnerable vs Secure
- SQL Injection
# 🔴 Vulnerable
db.execute("SELECT * FROM users WHERE id=" + request.args['id'])
# ✅ Secure
db.execute("SELECT * FROM users WHERE id=?", (request.args['id'],))
- XSS
# 🔴 Vulnerable
return f"Welcome {request.args['name']}"
# ✅ Secure
return render_template("welcome.html", name=request.args['name'])
(Flask Jinja2 auto-escapes by default)
- Command Injection
# 🔴 Vulnerable
os.system("ping " + request.args['host'])
# ✅ Secure
subprocess.run(["ping", request.args['host']])
- Path Traversal
# 🔴 Vulnerable
send_file("uploads/" + request.args['file'])
# ✅ Secure
send_from_directory("uploads", os.path.basename(request.args['file']))
- Pickle RCE
# 🔴 Vulnerable
pickle.loads(request.data)
# ✅ Secure
json.loads(request.data)
- Hardcoded Secret
# 🔴 Vulnerable
app.config['SECRET_KEY'] = "12345"
# ✅ Secure
app.config['SECRET_KEY'] = os.environ['SECRET_KEY']
- CSRF Missing
# 🔴 Vulnerable
@app.route("/transfer", methods=["POST"])
def transfer(): ...
# ✅ Secure
csrf = CSRFProtect(app)
- Debug Mode
# 🔴 Vulnerable
app.run(debug=True)
# ✅ Secure
app.run(debug=False)
- Weak Password Hash
# 🔴 Vulnerable
hashlib.md5(password.encode()).hexdigest()
# ✅ Secure
bcrypt.hashpw(password.encode(), bcrypt.gensalt())
- CORS Misconfig
# 🔴 Vulnerable
CORS(app, resources={r"/*": {"origins": "*"}})
# ✅ Secure
CORS(app, resources={r"/api/*": {"origins": "https://trusted.com"}})
👉 That gives you 40 vulnerable patterns with secure fixes across PHP, Node.js, Java EE, and Flask.