Smartys wrote:Unfortunately, that's the way it has to be done to support anyone using the mysql extension (as opposed to mysqli) and (I think) the SQLite extension. Prepared statements, stored procedures, etc aren't features that everyone with a PHP install supports, so this is the way it has to be done.
I would disagree with your overall assessment though. User input is properly sanitized (using $db->escape or intval, depending on the type of data) before being put into the query. We're not just accepting any input from $_GET and shoving it into the query.
If you have a suggestion for another way to construct queries, I'd be interested to hear it.
Aww, I didn't know SQL was in such a crappy state still in 2007.
As for another way, wouldn't it be possible to factor all db access into a single function where a query format string (say, something printf-like but less messy) would be merged with the query arguments into a final SQL query? The idea is to have a single location where the arguments are escaped so none can be forgotten. It might also make the queries easier to read. Again, I don't do much PHP (mostly know how it works from perl) so maybe this makes no sense.
As it is now, there are three ways parameters can be handled: $db->escape when building the query, intval which seems to often be applied a little earlier and script-generated values which are never escaped at all. This makes it easy to mix things up and forget an escape.
I guess my point is that SQL injections are not bugs that should be fixed but something that should be designed out of the system, relying as little as possible on the developer being fully awake when he writes the code. :-)
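The single-function approach proposed above, sketched as an added example (this is not PunBB's code and not from either poster): one `db_build_query()` that merges a printf-like format string with its arguments, so escaping happens in exactly one place and the three mixed paths (escape at the call site, intval earlier, script-generated values never escaped) collapse into typed placeholders. The function name, the `%d`/`%s`/`%%` placeholder set and the `demo_escape()` stand-in are assumptions for this illustration; in a real install `demo_escape()` would be replaced by the driver's own escape function (mysql_real_escape_string on a live connection), which also knows the connection character set.

```php
<?php
// Added example, not PunBB's code: one central place that turns a
// printf-like format string plus arguments into a final SQL string.
// Every value passes through exactly one typed placeholder, so an
// escape cannot be forgotten at individual call sites.

// Stand-in for the driver's escape function (mysql_real_escape_string
// needs a live connection). Assumption for this offline demo only.
function demo_escape($value)
{
    return strtr((string) $value, array(
        "\\"   => "\\\\",
        "'"    => "\\'",
        "\""   => "\\\"",
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ));
}

// Build a query from a format string. Supported placeholders:
//   %d  integer (cast with intval, never quoted)
//   %s  string  (escaped, wrapped in single quotes)
//   %%  literal percent sign
// Any other placeholder, or an argument count mismatch, throws: a typo
// in the format string fails loudly instead of emitting an unescaped query.
function db_build_query($format, array $args)
{
    $i = 0;
    $out = preg_replace_callback('/%(.)/', function ($m) use ($args, &$i) {
        switch ($m[1]) {
            case '%':
                return '%';
            case 'd':
                if (!array_key_exists($i, $args)) {
                    throw new InvalidArgumentException('too few arguments for %d');
                }
                return (string) intval($args[$i++]);
            case 's':
                if (!array_key_exists($i, $args)) {
                    throw new InvalidArgumentException('too few arguments for %s');
                }
                return "'" . demo_escape($args[$i++]) . "'";
            default:
                throw new InvalidArgumentException("unknown placeholder %{$m[1]}");
        }
    }, $format);
    if ($i !== count($args)) {
        throw new InvalidArgumentException('argument count does not match placeholders');
    }
    return $out;
}

// Usage: both values come straight from the request; the caller never
// calls an escape function or intval itself. Inputs below are constructed.
$username = "o'brien' OR '1'='1";   // hostile string input
$page     = "7abc";                 // sloppy numeric input

echo db_build_query(
    "SELECT id FROM users WHERE username=%s AND page=%d AND pct LIKE '50%%'",
    array($username, $page)
), "\n";
```

The string argument is escaped and quoted by the `%s` branch, the numeric one is reduced to `7` by `%d`, and a script-generated value can no longer slip through unescaped because the only way into the query is through a placeholder. Whether a given value is "already safe" stops being a per-call-site judgement, which is the point of designing injection out rather than fixing it case by case.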
Smartys wrote:Are you running the latest version (1.2.15)? Have you actually checked the IPs against entries in the access_log? What mods are you using on your forum?
Yes, I upgraded when the spam started coming in but it didn't make a noticeable difference. I checked the IPs but found zero references to them. Unfortunately I've deleted all the spam users since so I can't check again. I even tried to roughly scan the log by date/time for suspicious stuff but couldn't see anything fishy. I'll try to find some time to look again since there was a new spam episode a few days ago (it had been quiet for a week or two). There are no mods that I know of on the forum, it's a plain install with a few stylesheets changed to make it fit in our website.
Smartys wrote:Could you provide a link to your forum? I'd like to investigate this a bit myself.
Sure, drop me an email and I'll point you there.
Smartys wrote:Before I forget to say it, zap, thank you for clarifying your post.
You're welcome :-) And thanks for actually caring about the issue.