Search options

Funny you should mention this just now, I found out that was indeed the case late friday night. The web site was tested on another domain before being deployed and apparently it was not correctly removed: access to the site itself was denied but a direct link to the forum still worked. That would explain why the spam seemed to just drop into the DB and there were no traces of anything in the server logs.

I'm pretty sure the forum will be spam-free now. I'm sorry about everyone's wasted time. I'll now go and kick someone for leaving junk on a web server which wasted several hours of my time as well.

Aww, I didn't know SQL was in such a crappy state still in 2007.

As for another way, wouldn't it be possible to factor all db access into a single function where a query format string (say, something printf-like but less messy) would merged with the query arguments into a final SQL query? The idea is to have a single location where the arguments are escaped so none can be forgotten. It might also make the queries easier to read. Again, I don't do much php (mostly know how it works from perl) so maybe this makes no sense.

As it is now, there are three ways parameters can be handled: $db->escape when building the query, intval which seems to often be applied a little earlier and script-generated values which are never escaped at all. This makes it easy to mix things up and forget an escape.

I guess my point is that SQL injections are not bugs that should be fixed but something that should be designed out of the system, relying as little as possible on the developer being fully awake when he writes the code. :-)

Yes, I upgraded when the spam started coming in but it didn't make a noticeable difference. I checked the IPs but found zero references to them. Unfortunately I've deleted all the spam users since so I can't check again. I even tried to roughly scan the log by date/time for suspicious stuff but couldn't see anything fishy. I'll try to find some time to look again since there was a new spam episode a few days ago (it had been quiet for a week or two). There are no mods that I know of on the forum, it's a plain install with a few stylesheets changed to make it fit in our website.

Sure, drop me an email and I'll point you there.

You're welcome :-) And thanks for actually caring about the issue.

No, no, yes.

That's what I would have considered until I realized it would be pointless if they didn't go through the registration page...

For one thing, there's SQL sprinkled all over the place in the php scripts without systematic (AFAICS) protection against injection. SQL queries built on the fly with user input screams "it's the 90s and security isn't an issue yet". Maybe there's something I don't see (SQL/php isn't really my domain) but it sure doesn't look solid.

Well for one, we didn't get the registration alert emails for the spammers' users. I also implemented a few checks here and there in the register and post scripts and it was clear by looking at the db afterwards that the users/posts had not gone through there. For example, I tried a "minimal first post delay" which was enforced when I manually registered a user but which the spam posts got around like it was a joke (the db often had delays under 10 seconds).

I'd gladly report any SQL inject bug if I only knew how to track it down. Server logs were quite unhelpful; anyone who can inject stuff can obviously fake their IP in the db so it's like looking for a needle in a haystack...

Yes and no. I wouldn't expect most people to be able to come up with some php/SQL to get around spam. And it doesn't really block spam, it simply detects it automatically and hides it.