Code Vulnerability Examples and Fixes by Language
Intro: Engineers usually learn secure coding faster when they can compare a vulnerable snippet with a corrected one and see the business impact in plain language. This landing page groups those examples by language so reviewers, champions, and developers can jump straight to the stack they use.
What this page includes
- vulnerable versus safer code patterns;
- short explanations of the defect class;
- likely business impact;
- review prompts you can turn into PR comments, training, or release criteria.
Start here
| Language / page | Best use |
|---|---|
| PHP Vulnerability Examples and Fixes | legacy and modern PHP service reviews, upload handling, and unsafe shell usage |
| Python Vulnerability Examples and Fixes | Django / Flask / FastAPI teams, data handlers, CLI helpers, worker code |
| Go Vulnerability Examples and Fixes | API and infrastructure service teams using net/http and database/sql |
| Java Vulnerability Examples and Fixes | Spring, servlet, and JVM platform reviews with XML, authz, and deserialization risk |
| JavaScript Vulnerability Examples and Fixes | Node/Express and browser-heavy applications |
| TypeScript Vulnerability Examples and Fixes | typed backend/frontend teams, React, Express, Prisma, and modern APIs |
| SQL Vulnerability Examples and Fixes | stored procedures, reporting queries, row filters, and database privilege review |
How to use these pages
Use the examples in four modes:
- PR review aid: copy the review cues directly into code review comments.
- champion training: use one example at a time in short learning sessions.
- release criteria design: convert repeated mistakes into linting, tests, or guardrails.
- post-incident learning: map real findings back to recurring code patterns.
Editorial rules used here
- examples are intentionally small and readable rather than framework-perfect;
- corrected versions show a safer direction, not a claim of perfect security in isolation;
- examples focus on root causes and design habits, not exploit walkthroughs;
- business impact is written for engineering leaders as well as developers.
High-signal defect families covered
- injection and unsafe query construction;
- broken object-level authorization and server-side trust mistakes;
- path traversal and unsafe file handling;
- XSS and unsafe rendering;
- SSRF and outbound-request abuse;
- unsafe deserialization and parser misuse;
- command execution through shell interpolation;
- privilege and data-scope mistakes in SQL.
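The per-language pages pair a vulnerable snippet with a safer one. As an added illustration of that format for the first family above (injection and unsafe query construction), the block below is not code from any of the linked pages; it uses Python's standard sqlite3 module against a constructed in-memory table, with `find_user_vulnerable` and `find_user_safe` as hypothetical names chosen for the example. The vulnerable version splices the caller's input into the SQL text; the safer version keeps the SQL fixed and binds the value as a parameter, which is the root-cause fix a reviewer should ask for.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample database for this example: two users, nothing else."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        [("alice", "hash-a"), ("bob", "hash-b")],
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable pattern: untrusted input becomes part of the SQL statement itself.

    Any quote character in `username` changes the query's structure, so the
    caller controls which rows come back rather than only the value compared.
    """
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Safer pattern: the SQL text is constant; the value travels as a bound parameter.

    The driver sends the string as data, so quotes in it are compared literally
    and cannot alter the WHERE clause.
    """
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def compare(username: str) -> dict:
    """Run both versions on the same input so a reviewer can see the difference."""
    conn = make_db()
    return {
        "vulnerable": find_user_vulnerable(conn, username),
        "safe": find_user_safe(conn, username),
    }


if __name__ == "__main__":
    # A benign lookup behaves the same in both versions.
    print(compare("alice"))
    # Input that carries a quote shows the difference: the vulnerable query
    # returns every row, the parameterized one matches no username.
    print(compare("x' OR '1'='1"))
```

When turning this into a PR comment, the cue is the query text itself: any f-string, `%`, `+` or `.format()` that builds SQL from a variable is the finding, independent of whether a payload has been demonstrated.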
Turn these pages into training
Use the companion pack when you want to turn these examples into structured practice instead of passive reading:
- Secure Coding Review Labs and Language-Specific Checklists
- Secure Coding Review Labs: Facilitator Guide
- Language-Specific Secure Coding Review Checklists
- Secure Coding Review Lab Scenarios by Language
Use with
- Stack-Specific Review Checklists and Release Criteria
- Backend Service Security Guides by Stack
- Web Application Security Review and Architecture Playbook
- OWASP ZAP Practical Tuning and Report Analysis
- Security Quality Gates and Release Blocking
Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.