# Secure Coding Review Lab Scenarios by Language

> **Use this page when:** you want ready-to-run exercises that convert the KB’s vulnerable/safer snippets into practice.

## How to use these scenarios

For each lab:

1. show only the vulnerable snippet first;
2. ask participants to identify the defect class;
3. ask for likely business impact;
4. ask for the minimum safe fix direction;
5. compare with the linked example page.

## PHP scenarios

### PHP Lab 1 — concatenated login query

* defect family: injection;
* prompt: which user-controlled value changes the meaning of the query?
* follow-up: what would you require in PR review before merge?
* compare with: [PHP Vulnerability Examples and Fixes](/application-security-and-secure-sdlc/index-4/php-vulnerability-examples-and-fixes.md)

### PHP Lab 2 — unsafe upload to public path

* defect family: unsafe file handling;
* prompt: what attacker goals become possible if the upload lands under a served path?
* follow-up: what retrieval architecture would you prefer instead?
* compare with: [PHP Vulnerability Examples and Fixes](/application-security-and-secure-sdlc/index-4/php-vulnerability-examples-and-fixes.md)

## Python scenarios

### Python Lab 1 — shell command built from request data

* defect family: command execution;
* prompt: could a safer design avoid the shell entirely?
* follow-up: where should validation happen if this becomes a worker job later?
* compare with: [Python Vulnerability Examples and Fixes](/application-security-and-secure-sdlc/index-4/python-vulnerability-examples-and-fixes.md)
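A worked version of this lab, added here rather than taken from the linked examples page: the vulnerable string-built command next to a design that validates the request value and invokes the program without a shell. The request parameter `host` and the `dig` lookup tool are assumptions for illustration.

```python
"""Python Lab 1: shell command built from request data, vulnerable vs. shell-free design."""
import re
import subprocess

# A hostname label is letters, digits and hyphens. The lookahead rejects a
# leading hyphen so the value can never be parsed as an option by `dig`.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}"
_HOSTNAME_RE = re.compile(rf"{_LABEL}(\.{_LABEL})*")


def vulnerable_command(host: str) -> str:
    """The defect under review: request data is spliced into a string that a
    shell will parse, so `;`, `&&`, `$( )` and friends change the command's
    meaning. Returned for inspection only; this example never executes it."""
    return f"dig +short {host}"  # would be passed to subprocess.run(..., shell=True)


def is_valid_host(host: str) -> bool:
    """Allowlist validation: the whole value must look like a hostname."""
    return _HOSTNAME_RE.fullmatch(host) is not None


def build_argv(host: str) -> list[str]:
    """Safer direction: validate first, then pass an argv list so no shell is
    involved at all. Each element reaches the program as one literal argument."""
    if not is_valid_host(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["dig", "+short", host]


def run_lookup(host: str) -> str:
    """Executes the validated argv without shell=True (not run at import time).
    If this moves into a worker job later, is_valid_host() should run both at
    the HTTP boundary and again here, since the queue is a new trust boundary."""
    result = subprocess.run(build_argv(host), capture_output=True, text=True,
                            timeout=5, check=False)
    return result.stdout
```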

### Python Lab 2 — IDOR in record lookup

* defect family: broken object-level authorization;
* prompt: what ownership proof is missing?
* follow-up: should this be enforced in the query, service layer, or both?
* compare with: [Python Vulnerability Examples and Fixes](/application-security-and-secure-sdlc/index-4/python-vulnerability-examples-and-fixes.md)
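A worked version of this lab, added here and not part of the linked examples page: the unscoped lookup next to one that carries the ownership predicate in the query and re-checks it in the service layer. The SQLite table, its columns and the two sample users are constructed for the example.

```python
"""Python Lab 2: IDOR in record lookup, vulnerable vs. ownership-scoped versions."""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users (100 and 200), each owning one record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER PRIMARY KEY, "
                 "owner_id INTEGER NOT NULL, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)",
                     [(1, 100, "alice's invoice"), (2, 200, "bob's invoice")])
    return conn


def get_record_vulnerable(conn: sqlite3.Connection, record_id: int) -> Optional[tuple]:
    """The defect under review: the only input is the caller-supplied id.
    Parameterisation stops injection but proves nothing about ownership."""
    return conn.execute("SELECT id, owner_id, body FROM records WHERE id = ?",
                        (record_id,)).fetchone()


def get_record_scoped(conn: sqlite3.Connection, current_user_id: int,
                      record_id: int) -> Optional[tuple]:
    """Query-layer enforcement: ownership is part of the statement, so a row
    the caller does not own is simply never returned. current_user_id must
    come from the authenticated session, never from the request body or URL."""
    return conn.execute(
        "SELECT id, owner_id, body FROM records WHERE id = ? AND owner_id = ?",
        (record_id, current_user_id)).fetchone()


def service_get_record(conn: sqlite3.Connection, current_user_id: int,
                       record_id: int) -> Optional[tuple]:
    """Service-layer enforcement on top of the query ('both'): the invariant is
    asserted again so a future edit that drops the predicate fails loudly
    instead of silently leaking. Missing and not-owned both map to None, so the
    response does not reveal whether the id exists."""
    row = get_record_scoped(conn, current_user_id, record_id)
    if row is None:
        return None
    if row[1] != current_user_id:
        raise PermissionError("ownership invariant violated in records lookup")
    return row
```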

## Go scenarios

### Go Lab 1 — direct row fetch by object id

* defect family: object authorization;
* prompt: what does the handler assume about the caller that it has not proven?
* compare with: [Go Vulnerability Examples and Fixes](/application-security-and-secure-sdlc/index-4/golang-vulnerability-examples-and-fixes.md)

### Go Lab 2 — outbound fetch from untrusted URL

* defect family: SSRF;
* prompt: what internal assets could this reach in a cloud-native service?
* compare with: [Go Vulnerability Examples and Fixes](/application-security-and-secure-sdlc/index-4/golang-vulnerability-examples-and-fixes.md)

## Java scenarios

### Java Lab 1 — unsafe XML / parser configuration

* defect family: parser misuse;
* prompt: what could an attacker force the parser to do that the developer did not intend?
* compare with: [Java Vulnerability Examples and Fixes](/application-security-and-secure-sdlc/index-4/java-vulnerability-examples-and-fixes.md)

### Java Lab 2 — unsafe object deserialization or trust in serialized input

* defect family: deserialization;
* prompt: is deserialization needed at all, and where is the trust boundary?
* compare with: [Java Vulnerability Examples and Fixes](/application-security-and-secure-sdlc/index-4/java-vulnerability-examples-and-fixes.md)

## JavaScript scenarios

### JavaScript Lab 1 — reflected XSS in templated output

* defect family: XSS;
* prompt: what rendering context are we actually in?
* compare with: [JavaScript Vulnerability Examples and Fixes](/application-security-and-secure-sdlc/index-4/javascript-vulnerability-examples-and-fixes.md)

### JavaScript Lab 2 — dangerous redirect or URL fetch

* defect family: open redirect / SSRF-adjacent trust bug;
* prompt: which destinations should be impossible here?
* compare with: [JavaScript Vulnerability Examples and Fixes](/application-security-and-secure-sdlc/index-4/javascript-vulnerability-examples-and-fixes.md)

## TypeScript scenarios

### TypeScript Lab 1 — runtime trust hidden behind types

* defect family: input validation gap;
* prompt: what does the type system make look safe that is still unsafe at runtime?
* compare with: [TypeScript Vulnerability Examples and Fixes](/application-security-and-secure-sdlc/index-4/typescript-vulnerability-examples-and-fixes.md)

### TypeScript Lab 2 — typed ORM query with missing tenant scope

* defect family: authz / data-scope bug;
* prompt: how would you prove isolation here?
* compare with: [TypeScript Vulnerability Examples and Fixes](/application-security-and-secure-sdlc/index-4/typescript-vulnerability-examples-and-fixes.md)

## SQL scenarios

### SQL Lab 1 — dynamic ORDER BY / filter abuse

* defect family: query manipulation;
* prompt: which parts of the statement can safely be dynamic and how should they be constrained?
* compare with: [SQL Vulnerability Examples and Fixes](/application-security-and-secure-sdlc/index-4/sql-vulnerability-examples-and-fixes.md)

### SQL Lab 2 — missing tenant predicate in reporting query

* defect family: data-scope failure;
* prompt: should the safety property live in the view, procedure, or application query?
* compare with: [SQL Vulnerability Examples and Fixes](/application-security-and-secure-sdlc/index-4/sql-vulnerability-examples-and-fixes.md)

## Facilitator close-out template

End each lab with three outputs:

* one review comment the team would actually write;
* one safer coding rule for that stack;
* one prevention mechanism (test, lint rule, framework helper, or gate).

## Use with

* [Secure Coding Review Labs — Facilitator Guide](/application-security-and-secure-sdlc/index-4/secure-coding-review-labs-facilitator-guide.md)
* [Language-Specific Secure Coding Review Checklists](/application-security-and-secure-sdlc/index-4/language-specific-secure-coding-review-checklists.md)
* [Code Vulnerability Examples and Fixes by Language](/application-security-and-secure-sdlc/index-4/code-vulnerability-examples-and-fixes-by-language.md)

***

*Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.*

