# Chapter 1: Introduction to Secure Programming
## Simple Examples and Exercises

### Course: TCPRG4005 - Secure Programming

---

## Learning Objectives

1. **Understand** that all software has bugs
2. **Practice** basic input validation
3. **Compare** vulnerable vs. secure code
4. **Apply** simple security checks

---

## Key Principles

> **"All software has bugs and exploits"**

> **"Security is not an add-on feature"**

Let's explore these concepts with simple Python examples!

In [None]:
# Simple setup for security examples
import re
import hashlib

print("🔒 Chapter 1: Security Fundamentals")
print("Simple examples to demonstrate security concepts")
print("=" * 40)

# Example 1: Input Validation

Input validation is a fundamental security practice. Let's see the difference between vulnerable and secure code.

## Exercise: Password Validation
Create a simple password checker that demonstrates basic security principles.

In [None]:
# ⚠️ VULNERABLE PASSWORD CHECKER - DON'T USE THIS!
def bad_password_check(password):
    """This function has security problems"""
    
    # Problem 1: No length check
    if len(password) > 0:
        print("Password accepted!")
        return True
    else:
        print("Password rejected!")
        return False

# Test the vulnerable version
print("Testing vulnerable password checker:")
bad_password_check("a")        # Too short but accepted!
bad_password_check("123")      # Weak but accepted!
bad_password_check("")         # Empty and rejected

In [None]:
# ✅ SECURE PASSWORD CHECKER - BETTER VERSION
def secure_password_check(password):
    """This function includes basic security checks"""
    
    # Check minimum length
    if len(password) < 8:
        print("❌ Password too short (minimum 8 characters)")
        return False
    
    # Check for numbers
    if not re.search(r'\d', password):
        print("❌ Password must contain at least one number")
        return False
    
    # Check for letters
    if not re.search(r'[a-zA-Z]', password):
        print("❌ Password must contain at least one letter")
        return False
    
    print("✅ Password accepted!")
    return True

# Test the secure version
print("\nTesting secure password checker:")
secure_password_check("a")           # Too short
secure_password_check("12345678")    # No letters
secure_password_check("abcdefgh")    # No numbers
secure_password_check("abc12345")    # Good password!

# Example 2: Secure Hashing

Never store passwords in plain text! Let's see how to hash passwords properly.

In [None]:
# ⚠️ BAD: Storing password as plain text
def bad_store_password(username, password):
    """DON'T DO THIS - stores password in plain text"""
    print(f"Storing for {username}: {password}")  # Visible in logs!
    return password

# ✅ BETTER: Hash the password
def secure_store_password(username, password):
    """Better approach - hash the password"""
    # Add salt to prevent rainbow table attacks
    salt = "random_salt_123"  # In real code, use a random salt per user
    salted_password = password + salt
    
    # Hash the salted password
    password_hash = hashlib.sha256(salted_password.encode()).hexdigest()
    
    print(f"Storing for {username}: {password_hash[:20]}...")  # Only show part of hash
    return password_hash

# Compare the two approaches
print("Bad approach:")
bad_store_password("alice", "mypassword123")

print("\nSecure approach:")
secure_store_password("alice", "mypassword123")

In [None]:
# Example 3: Input Validation for User Data

# ⚠️ DANGEROUS: No input validation
def dangerous_greeting(name):
    """Accepts any input without validation"""
    print(f"Hello, {name}!")
    return f"Hello, {name}!"

# ✅ SAFER: Basic input validation
def safe_greeting(name):
    """Validates input before using it"""
    # Check if name is a string and not empty
    if not isinstance(name, str):
        print("❌ Name must be a string")
        return None
    
    if len(name.strip()) == 0:
        print("❌ Name cannot be empty")
        return None
    
    if len(name) > 50:
        print("❌ Name too long (max 50 characters)")
        return None
    
    # Remove potentially dangerous characters
    clean_name = re.sub(r'[<>"\']', '', name)
    print(f"✅ Hello, {clean_name}!")
    return f"Hello, {clean_name}!"

# Test both approaches
print("Testing input validation:")
dangerous_greeting("<script>alert('hack')</script>")  # Dangerous input!
safe_greeting("<script>alert('hack')</script>")       # Safely handled

In [None]:
# Exercise 1: Try the examples above with different inputs
print("Try testing the functions with these inputs:")
print("1. Empty string: ''")
print("2. Very long string: 'a' * 100")
print("3. Special characters: '<test>'")
print("4. Numbers: 12345")

# Test it yourself:
test_inputs = ["", "a" * 100, "<test>", "normal_name"]

for test_input in test_inputs:
    print(f"\nTesting: {repr(test_input)}")
    safe_greeting(test_input)

# Key Security Lessons from Examples

## What we learned:

1. **Input Validation**: Always check user input before using it
2. **Password Security**: Never store passwords in plain text
3. **Data Sanitization**: Remove dangerous characters from input
4. **Length Limits**: Prevent excessively long input
5. **Type Checking**: Ensure data is the expected type

## Remember: Security is about building good habits!

In [None]:
# Chapter 1 Exercises - Try these yourself!

def exercise_1():
    """
    Exercise 1: Create a simple email validator
    Write a function that checks if an email address is valid
    """
    print("Exercise 1: Email Validation")
    print("Write a function to validate email addresses")
    print("Requirements:")
    print("- Must contain exactly one @ symbol")
    print("- Must have text before and after @")
    print("- Must end with a valid domain (.com, .org, .edu)")
    
    # YOUR CODE HERE
    # def validate_email(email):
    #     # Add your validation logic
    #     return True/False

exercise_1()

# Exercise 2: Security Code Review

Look at this code and identify the security problems:

In [None]:
# Can you spot the security problems in this code?

def login_system(username, password):
    """A simple login system - but is it secure?"""
    
    # Store all passwords in a list (is this safe?)
    users = {
        "admin": "password123",      # Problem 1: ?
        "user": "abc",               # Problem 2: ?
        "guest": ""                  # Problem 3: ?
    }
    
    # Check if user exists
    if username in users:
        if password == users[username]:
            print(f"Welcome {username}!")
            return True
        else:
            print(f"Wrong password for {username}")  # Problem 4: ?
            return False
    else:
        print("User not found")
        return False

# Test the system
print("Testing the login system:")
login_system("admin", "password123")
login_system("admin", "wrongpass")
login_system("nonuser", "test")

print("\nCan you identify 4+ security problems with this code?")
print("Think about: password storage, password strength, information leakage...")

In [None]:
# Chapter 1 Conclusion

## What We Learned:

✅ **All software has bugs** - accept this reality and plan for it

✅ **Security is not an add-on** - it must be built in from the start

✅ **Simple validation matters** - basic checks prevent many problems

✅ **Good habits compound** - small security practices add up

## Next Steps:

1. Practice the exercises above
2. Review your own code for security issues
3. Start building security into your development process

## Remember:
> *"Security is a journey, not a destination"*