Desiderius Price

40940 🧨

40938

You had it right, SQL Injection Attack. The mitigation basically requires a website rewrite, therefore it’ll take time given Manta’s still needs to work her day job.

You’ll likely have to wait. AFF suffered an attack last month and it was locked into read-only access. Manta, the coder, is doing her level best to rewrite the code so it won’t be vulnerable to that sort of attack, but this isn’t a fast process. Some parts of the archive are available as features are finished, green was the hint.

40928

40926

@WillowDarkling While I don’t know the details of this website’s code, I did try my hand at PHP & SQL & Web ages ago, so that’s enough to handle the more generic questions, relieve Manta of that extra burden. I can also try barking at those not leaving her the space needed to get it done?

40924

40922

40918

40916

40912

Me too in sending good vibes.

40910

With software, it can be counter productive to toss more people at it (ie too many cooks in the kitchen). Manta would suddenly become a manager, having to get them up to speed, coach, etc; that’d take her away from actually fixing the issue. If we were already trained, worked well together, then yes, using us might make it go faster. Better to step back and make sure she’s not too stressed out.

40908

Thanks, figured I’d try it and needed the guidance. Placement seems a bit on the cryptic side.

Long time coder myself, which is why I can sympathize/empathize with you Manta! When I played around with PHP/SQL/Web, think it was PHP-4/5? – enough to give me an idea of what you’re up to.

Psst… suggest not pinging and interrupting the coder unless you’ve found a bug in the new stuff. And even then, maybe have a single topic/thread to record them so she can deal with it one at a time?

Such a vulnerability would’ve existed since the PHP scripts were first written, and obviously became a problem once that scammy scammer decided to exploit it. That’s as far as I’ll speculate about it.

Well, SQL is the code that databases understand. Anyways, when in a rush or inexperienced or prototyping, the PHP website will take user input, directly make it part of the code that it sends to the database. Now, SQL injection is a user crafting input that isn’t a simple thing like “erotica”, instead they make it funny so instead of a simple “get data” SQL statement, it becomes a “SQL do-this-other-thing” which can be to modify the database, get more than they’re supposed to, etc. A solid fix is not make it part of the SQL, instead treating it as pure data, using the parameter-based SQL which avoids the injection issue. – That’s me trying to make it simple. Here’s a web-comic about it. https://xkcd.com/327/

Given the nature of the issue (SQL Injection), a fair chunk of the website’s PHP script SQL bindings have to be rewritten, parameterizing and seriously sanitizing all user input. Typos will happen, part of the process, I’m afraid.

See the posts/updates from manta2g. “Green” is supposed to be the key though to what’s been vetted.

40906