READIN

Jeremy's journal

🦋 Passed the first test

So in my log I see a bunch of requests today for

GET blog/?k=<keyword> \'\'
and(char(94)+user+char(94))>0 and 
\'\'\'\'=\'\'

where <keyword> is one of the keywords that links exist to on the site; and also I see that my script translated those requests to

<keyword> \\\'\\\' 
and(char(94)+user+char(94))>0 and 
\\\'\\\'\\\'\\\'=\\\'\\\'
before passing them to the database. So the queries just returned empty sets instead of wreaking whatever havoc they might have wruck unescaped. Yay PHP! Yay careful programming!

(Note: but while editing this post I realized there is a different kind of escaping that you have to do when you are writing to forms -- the < and > signs were translating to markup in my inputs. Funny I never ran into that problem on the old site, you wouldn't think it would be a PHP-vs.-ASP distinction.)
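The two escaping steps the post describes (the keyword being escaped before it reaches the database, and the same keyword being HTML-escaped before it is echoed back into a form) can be checked against a log like the one above. The following is an added example, not code from the post or from the site it describes: it parses a few constructed access-log lines whose query strings mimic the probe, flags the ones carrying the injection tail, emulates PHP's addslashes() to show what the database actually receives, and runs the keyword lookup as a parameterised query against an in-memory sqlite database so the probe string is treated as data and returns nothing. The log format, the regular-expression signature, the table layout and the IP addresses are all assumptions made for the example.

```python
import html
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the original post). The second
# line carries a URL-encoded copy of the probe the post saw; the addresses are
# documentation ranges, chosen for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2007:10:14:02 -0400] "GET /blog/?k=saramago HTTP/1.1" 200 5120
203.0.113.7 - - [12/Oct/2007:10:14:03 -0400] "GET /blog/?k=saramago%27%27%20and(char(94)%2Buser%2Bchar(94))%3E0%20and%20%27%27%27%27%3D%27%27 HTTP/1.1" 200 1890
198.51.100.9 - - [12/Oct/2007:10:15:11 -0400] "GET /blog/?k=woodworking HTTP/1.1" 200 4410
"""

# Combined-log-style prefix: client IP, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+)'
)

# Hypothetical detection signature: a closing quote followed by a boolean
# tail such as " and(" is not something a legitimate keyword contains.
PROBE_RE = re.compile(r"'\s*and\s*\(", re.IGNORECASE)


def parse_log(text):
    """Return (client_ip, keyword) pairs for every request carrying a k= parameter."""
    found = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("path")).query
        for keyword in parse_qs(query).get("k", []):  # parse_qs URL-decodes the value
            found.append((m.group("ip"), keyword))
    return found


def is_probe(keyword):
    """True when the decoded keyword matches the injection signature."""
    return bool(PROBE_RE.search(keyword))


def flag_probes(text):
    """Filter the parsed log down to the requests worth blocking or alerting on."""
    return [(ip, kw) for ip, kw in parse_log(text) if is_probe(kw)]


def php_addslashes(value):
    """Emulate PHP's addslashes(): backslash-escape quotes, backslashes and NUL.

    This is what turns '' into \\'\\' before the string reaches the database,
    so the quotes no longer terminate the SQL literal.
    """
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"')
                 .replace("\0", "\\0"))


def lookup_posts(keyword):
    """Parameterised keyword lookup: the value is bound as data, never spliced into SQL."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE posts (title TEXT, keyword TEXT)")
    con.executemany("INSERT INTO posts VALUES (?, ?)", [
        ("Passed the first test", "saramago"),   # constructed rows
        ("Bench build", "woodworking"),
    ])
    rows = con.execute("SELECT title FROM posts WHERE keyword = ?", (keyword,)).fetchall()
    con.close()
    return [title for (title,) in rows]


def render_keyword(keyword):
    """HTML-escape before echoing the keyword into a form: the second kind of escaping."""
    return html.escape(keyword, quote=True)


if __name__ == "__main__":
    for ip, kw in flag_probes(SAMPLE_LOG):
        print(f"probe from {ip}: {kw!r}")
        print("  escaped for SQL :", php_addslashes(kw))
        print("  matching posts  :", lookup_posts(kw))
        print("  safe for a form :", render_keyword(kw))
```

Run as a script, the probe line is reported with the address it came from, the escaped form the database would see, an empty result set, and a form-safe rendering of the keyword.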

Update: So what do I have to do to ban these guys from my site? I tried putting the following in my httpd.conf:

    <Directory (path to root of my site)>
        order allow,deny
        deny from (IP)
        deny from (IP)
        allow from all
    </Directory>

and restarting the service, but that does not seem to have done it.

Another Update: I think I got it: the Directory directive in apache2/sites-available/default is overriding the directive in httpd.conf because httpd.conf is included first. I think I just need to take the default directive out.
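Since the Directory section in apache2/sites-available/default is processed after httpd.conf and wins for the same path, one way to make the ban stick is to put the deny rules into that file's own Directory block rather than into httpd.conf. The following is an added example, not the post's configuration: it uses the Apache 2.2 Order/Deny/Allow syntax the post already uses, the document root and the two addresses are placeholders, and the vhost wrapper is assumed to match what that default file contains.

```apache
# Added example, not the post's own config. Apache 2.2 access-control syntax.
# DOCROOT and the two addresses are placeholders.
<VirtualHost *:80>
    DocumentRoot /var/www/DOCROOT

    <Directory /var/www/DOCROOT>
        # With "Order allow,deny" the Allow rules are evaluated first, then the
        # Deny rules, and a request that matches a Deny is refused even though
        # "Allow from all" matched it. Any later <Directory> section for the
        # same path would override this, so keep it in the vhost file.
        Order allow,deny
        Allow from all
        Deny from 203.0.113.7
        Deny from 198.51.100.9
    </Directory>
</VirtualHost>
```

After editing, apachectl configtest checks the syntax before the service is restarted, and a request from a denied address should then be logged with a 403 status.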

posted evening of Friday, October 12th, 2007