Security review exercises

Security review exercises ask learners to identify a trust boundary, name the risk, and choose a safe default. They should review realistic snippets or flows rather than memorise a checklist.

Practical Example

PHP example
<?php

declare(strict_types=1);

$review = [
    'uses prepared statements' => true,
    'escapes HTML output' => true,
    'checks authorization' => false,
];

foreach ($review as $item => $passed) {
    echo ($passed ? '[x] ' : '[ ] ') . $item . PHP_EOL;
}

// Prints:
// [x] uses prepared statements
// [x] escapes HTML output
// [ ] checks authorization

Security review exercises should ask learners to spot a missing control, explain the risk, and change the smallest amount of code needed to close the gap.

Cover HTML output, SQL, authentication, authorisation, CSRF, uploads, file paths, secrets, logging, and outbound requests across the exercise set.

Practice

Review An Unsafe Search Page

Review a search page that interpolates $_GET['q'] into SQL and echoes the same value into HTML. Name the risks and required fixes.

Solution

Do not describe this as one generic sanitisation step. SQL parameters and HTML escaping protect different output contexts.

Review An Unsafe Download Route

Review a route that reads $_GET['file'] and passes it directly to file_get_contents(). Explain the risks and design a safer download boundary.

Solution

The route risks path traversal and unintended file disclosure. Do not join an untrusted filename directly to a filesystem path. Load an authorised file record by application ID, check that the current user may access it, and resolve storage through controlled server-side metadata.

Keep private files outside the public document root and send a controlled download response.
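
The download boundary described in the solution above, as an added example that is not code from the original page: the request carries only a numeric file ID, and the path is built from a server-side record after an ownership check. The record array and its field names, resolveDownload(), and the temporary storage directory are assumptions constructed for illustration; a real application would load the record from its database.

```php
<?php

declare(strict_types=1);

// Constructed sample records (hypothetical fields); normally loaded from a database.
const FILE_RECORDS = [
    17 => ['owner_id' => 1, 'stored_as' => 'a3f1.bin', 'download_name' => 'invoice.pdf'],
    18 => ['owner_id' => 2, 'stored_as' => 'b7c2.bin', 'download_name' => 'notes.txt'],
];

// Hypothetical helper: returns [HTTP status, absolute path, download name].
function resolveDownload(string $rawId, int $userId, string $storageRoot): array
{
    // Accept only a numeric application ID, never a filename or path.
    if (!ctype_digit($rawId)) {
        return [400, null, null];
    }
    $record = FILE_RECORDS[(int) $rawId] ?? null;
    // Same answer for "missing" and "not yours", so the response does not reveal which IDs exist.
    if ($record === null || $record['owner_id'] !== $userId) {
        return [404, null, null];
    }
    // The stored name comes from server-side metadata only.
    $root = realpath($storageRoot);
    $path = $root === false ? false : realpath($root . DIRECTORY_SEPARATOR . $record['stored_as']);
    // Defence in depth: the resolved path must stay inside the storage root (PHP 8+).
    if ($path === false || !str_starts_with($path, $root . DIRECTORY_SEPARATOR)) {
        return [404, null, null];
    }
    return [200, $path, $record['download_name']];
}

// Demo: a temporary private storage directory standing in for one outside the document root.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'private_files_demo';
is_dir($root) || mkdir($root, 0700);
file_put_contents($root . DIRECTORY_SEPARATOR . 'a3f1.bin', 'demo');

// User 1 requests: own file, another user's file, a path-shaped value, an unknown ID.
foreach (['17', '18', '../secret.txt', '999'] as $requested) {
    [$status] = resolveDownload($requested, 1, $root);
    echo str_pad($requested, 16) . ' => ' . $status . PHP_EOL;
}
```

In a web handler, a 200 result would be followed by a fixed Content-Type header, a Content-Disposition header built from the record's download name, and readfile() on the resolved path.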