
Conversation

@souro1212
Member

No description provided.

@secure-code-warrior-for-github

Micro-Learning Topic: SQL injection (Detected by phrase)

Matched on "sqli"


This is probably one of the two most exploited vulnerabilities in web applications and has led to a number of high profile company breaches. It occurs when an application fails to sanitize or validate input before using it to dynamically construct a statement. An attacker that exploits this vulnerability will be able to gain access to the underlying database and view or modify data without permission.


@github-actions

github-actions bot commented Aug 21, 2025

🔐 Secure Code Review (AI)

Risk Summary: Low (1 High)

  1. Finding: Hardcoded Passwords
    • Why it matters: Hardcoding passwords in the source code can lead to unauthorized access if the code is exposed. Attackers can easily retrieve these credentials and gain access to the system.
    • Evidence (diff lines):
      -        ('admin', hash_password('password123')),
      -        ('user1', hash_password('pass1')),
      +        ('admin', hash_password('password124')),
      +        ('user1', hash_password('password1345')),
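    Review bot: the hunk only rotates the literal; `hash_password('password124')` and `hash_password('password1345')` still embed the seed credentials in source, so the hard-coded-credential finding is unchanged by this change. Have the seed step read each password from an environment variable or secret store at initialization (and fail loudly if it is unset) rather than keeping any literal here.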
    • Fix (concrete): Use environment variables or a secure vault to manage sensitive credentials instead of hardcoding them in the source code.

Safeguards Checklist:

  • No hardcoded secrets or credentials.
  • Use secure methods for storing sensitive information.
  • Ensure proper access control measures are in place.

This diff is small and focused, but the hardcoded passwords present a significant risk. Consider reviewing the entire file for additional security concerns related to database initialization and password management.


Models can make mistakes. Verify before merging.
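As an added example (not code from this pull request or its project), the following shows the fix the review above asks for: seed accounts whose passwords come from environment variables instead of literal strings, together with user lookups that bind the username as a query parameter, which is the pattern the SQL-injection note earlier in this thread is about. The names `hash_password`, `verify_password`, `seed_users`, `find_user`, the `SEED_*` variables and the `users` table are assumptions for illustration; the project's own `hash_password` is not visible in the thread and the one here is a stand-in.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3

# Hypothetical mapping (constructed for this example): which environment
# variable supplies the initial password for each seeded account.
SEED_VARIABLES = {
    "admin": "SEED_ADMIN_PASSWORD",
    "user1": "SEED_USER1_PASSWORD",
}


def hash_password(password, salt=None):
    """Stand-in for the project's hash_password: salted PBKDF2-HMAC-SHA256.

    Returns 'salt_hex$digest_hex' so the salt travels with the digest.
    """
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, salt_hex + "$" + digest_hex)


def open_db():
    """In-memory SQLite database so the example runs offline."""
    return sqlite3.connect(":memory:")


def seed_users(conn, env=None):
    """Seed initial accounts from environment variables, never from literals.

    Refuses to start when any seed password is missing, so a deployment cannot
    silently fall back to a default credential. Returns the seeded usernames.
    """
    env = os.environ if env is None else env
    missing = [var for var in SEED_VARIABLES.values() if not env.get(var)]
    if missing:
        raise RuntimeError("missing seed credentials: " + ", ".join(missing))
    conn.execute(
        "CREATE TABLE IF NOT EXISTS users "
        "(username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)"
    )
    rows = [(name, hash_password(env[var])) for name, var in SEED_VARIABLES.items()]
    # Values are bound as parameters; nothing is concatenated into the SQL text.
    conn.executemany(
        "INSERT OR REPLACE INTO users (username, password_hash) VALUES (?, ?)", rows
    )
    conn.commit()
    return [name for name, _ in rows]


def find_user(conn, username):
    """Parameterized lookup: the username is data, so quotes in it stay data."""
    return conn.execute(
        "SELECT username, password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()


def find_user_unsafe(conn, username):
    """The concatenation pattern the SQL-injection note describes; kept only
    for contrast with find_user. Do not use."""
    query = "SELECT username, password_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchone()


if __name__ == "__main__":
    # Constructed environment for a local run; real deployments set these
    # through the orchestrator or a secret store.
    demo_env = {"SEED_ADMIN_PASSWORD": secrets.token_urlsafe(24),
                "SEED_USER1_PASSWORD": secrets.token_urlsafe(24)}
    db = open_db()
    print("seeded:", seed_users(db, demo_env))
    print("safe lookup with quote in input:", find_user(db, "' OR '1'='1"))
    print("unsafe lookup with same input:", find_user_unsafe(db, "' OR '1'='1"))
```

`seed_users` takes the environment as an argument so tests can pass a constructed dictionary; in production it reads `os.environ`. The contrast between `find_user` and `find_user_unsafe` is the whole point of the SQL-injection note: with a bound parameter a username containing a quote matches no row, whereas the concatenated query's `WHERE` clause is rewritten by the same input.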

@secure-code-warrior-for-github

Micro-Learning Topic: Hard-coded credential (Detected by phrase)

Matched on "Hardcoded Password"


This vulnerability occurs when the keys used for performing the encryption are not secured properly. This could be because the keys are hard-coded in the app and remain the same throughout the application life cycle and for each version installed on different devices. The use of a hard-coded cryptographic key tremendously increases the probability that encrypted data may be recovered.


@sonarqubecloud


2 participants