       myfreeforum.org Forum Index -> Off Topic
CodyT07

Knowledge really is power.

As most of you already know I am on the website updating team at my school. Going into this class I have a fair understanding of:
PHP (though the site is in ASP)
Some Visual Basic
Some C++
Lots of HTML
Some CSS, enough to get me by.
SQL problem solving skills (how to find what is being called from what table without looking at code)
and a few other things (except spelling, I usually misspell a lot of words because I get to typing way too fast on articles; look at it today as I misspelled (Symon look away!) 'Soccer' as 'Socer' (might be fixed when you guys look at it). It's on the right column in Sports Articles.

And everyone else on that team only knows how to use our program to update the site. Which is kind of a bummer, as the program is limited right now in terms of what it can do. So sometimes I have to manually insert HTML code into a SQL database to maybe put an image in an article. Nothing hard, BUT I'm the only one that knows how to do it.....
Being 6 weeks into this class I quickly learned
Image Editing (Macromedia Fireworks)
and
C#

And here is my job title in the class
Some Sports Articles (interviews and fun stuff)
Club updater
Custom HTML adder
Database editor (reminds me I need to fix the program)
New features to the program -Adder
Flash script editor (for countdowns to breaks)

Everyone else
2 image makers (one makes it but never uploads it)
Soccer Coach assistant (The teacher is an assistant Soccer coach so he lets students help the main soccer coach)
4 people who occasionally add things.

Most people would be mad if they were in my shoes but I am actually not, considering it only takes 10 mins to update it now. I am really enjoying being the 'go-to' for everything as it is an opportunity to expand my knowledge. Especially editing the program, I think it is a joy. Editing the program, I realized, is going to combine all I know into one for it to do what I want. Add images, SQL changes (nothing hard), and a few things.
CodyT07

I was believing life was set, then we had Russian leet hackers. They tore up the site good. So bad that our program updater got its password changed, as the person who programmed it decided to store it in the public database and not hard code it. And of course I was blamed for 10 mins because "I programmed something wrong", but my edits were made on a Beta version and the other computers had Alpha versions on them. When a teacher came and complained that her personal page wasn't working (links got injected into URLs) is when they finally believed me. Once I found that out, I found the new password used the old one but included the script that got injected.

Now here is the weird part: the teacher is saying it is the county's fault (people who configured the server) as the database is set as *just for security's sake I won't say*. I can see some logic, but I had a Joomla site with the same thing and no injections at all, and my site got lots of traffic.
My idea is to simply limit the character input. We only need around 5 characters to do what we need; anything more is asking for trouble. I'm not sure it will stop all attacks but you have to start somewhere, and standing where we are at does not work.

And backups... we had one that cleared most of the added scripts, but we still have a bunch and a non-functioning program because I can't take the script source out of the password.
CodyT07

Made hero of the day.
We have over 1000 tables that got injected with code and everyone thought the only way was to go through each individual table and remove the code by highlighting and deleting. A timely process with only 2 people that can run SQL manager, because somehow the installation of Windows had a key that Microsoft blocked from Genuine Advantage (there is where the Brits say use Linux and we wouldn't have that problem, you know you want to).
Basically we switched between whose job it was to clean it; when it was my turn, I made a SQL script that did it all automatically and got over 500 tables done in less than a minute while everyone else only did like 50.
And well we got the rest done in a quick manner.

At first everyone else believed it wasn't popular to make our own backups of the database, I proved that wrong!

Knowledge is power, and power makes hard (in my case tedious) work easier.
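The post above describes a script that strips an injected fragment from every table at once. The T-SQL below is an added example (not the author's script) of how such a cleanup is typically done on SQL Server: it walks every string column via INFORMATION_SCHEMA, counts affected rows first in dry-run mode, and only rewrites data when @DryRun is switched off. The injected fragment is a constructed placeholder; the real one is not on the page. Run it against a fresh backup first.

```sql
-- Constructed placeholder; substitute the exact fragment found in the affected rows.
DECLARE @Injected NVARCHAR(400) = N'<script src="http://PLACEHOLDER-INJECTED-HOST/x.js"></script>';
DECLARE @DryRun BIT = 1;   -- 1 = only report counts, 0 = actually rewrite the columns
DECLARE @Schema SYSNAME, @Table SYSNAME, @Column SYSNAME, @Sql NVARCHAR(MAX);

-- Mass-injection campaigns write into every string column they can reach,
-- so enumerate all of them rather than guessing which tables were hit.
DECLARE ColCursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS
    WHERE DATA_TYPE IN ('varchar', 'nvarchar', 'char', 'nchar', 'text', 'ntext');

OPEN ColCursor;
FETCH NEXT FROM ColCursor INTO @Schema, @Table, @Column;
WHILE @@FETCH_STATUS = 0
BEGIN
    IF @DryRun = 1
        -- Report how many rows in this column contain the fragment.
        SET @Sql = N'SELECT ''' + @Schema + N'.' + @Table + N'.' + @Column + N''' AS ColumnPath,'
                 + N' COUNT(*) AS Hits FROM ' + QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table)
                 + N' WHERE CHARINDEX(@frag, CAST(' + QUOTENAME(@Column) + N' AS NVARCHAR(MAX))) > 0'
                 + N' HAVING COUNT(*) > 0;';
    ELSE
        -- Remove the fragment; CHARINDEX avoids LIKE wildcard problems with the fragment text.
        SET @Sql = N'UPDATE ' + QUOTENAME(@Schema) + N'.' + QUOTENAME(@Table)
                 + N' SET ' + QUOTENAME(@Column) + N' = REPLACE(CAST(' + QUOTENAME(@Column)
                 + N' AS NVARCHAR(MAX)), @frag, N'''')'
                 + N' WHERE CHARINDEX(@frag, CAST(' + QUOTENAME(@Column) + N' AS NVARCHAR(MAX))) > 0;';

    -- QUOTENAME protects the identifiers; the fragment itself travels as a parameter,
    -- never concatenated into the statement text.
    EXEC sp_executesql @Sql, N'@frag NVARCHAR(400)', @frag = @Injected;
    FETCH NEXT FROM ColCursor INTO @Schema, @Table, @Column;
END
CLOSE ColCursor;
DEALLOCATE ColCursor;
```

Cleaning the data does not close the hole that let the fragment in; until the injection point itself is fixed the tables will be rewritten again.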
Zudane

When I saw you were going through the tables to remove them one by one... I had instantly wondered why you didn't do a script for it...

But anyway, good to hear things are fixed some. So many securities to worry about that it's best not to do it yourself (unless you're a security expert) and go with something that is pre-designed.... I won't get into the technical details of what I know (which is rather limited) but... always good to be careful.
CodyT07

Zudane wrote:
When I saw you were going through the tables to remove them one by one... I had instantly wondered why you didn't do a script for it...

But anyway, good to hear things are fixed some. So many securities to worry about that it's best not to do it yourself (unless you're a security expert) and go with something that is pre-designed.... I won't get into the technical details of what I know (which is rather limited) but... always good to be careful.

This project is new for the teacher, students, and actually the county. We are the only site on that server (maybe 10 sites total) to use scripting. The others just use plain .html. All of our code is original and was programmed in a rushed manner, as the team before had a year to learn and master ASP to do what they want. The teacher knew some but nowhere near a master or so.

The teacher is saying the county is allowing HTTP write to our database and turning that off would stop these kinds of attacks. Fair enough, but I'm still going to try a form entry limiter and possibly a filter, for ego and learning purposes.



I just realized
Quote:
At first everyone else believed it wasn't popular

That should be possible; doing 5 conversations at once is dangerous.
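The post above plans a form length limiter and a filter. As an added illustration (not the school site's code; the Articles table and procedure names are constructed), the T-SQL below puts the pattern that makes length limits irrelevant beside the one that actually removes the injection point, and adds the least-privilege grant that limits what a compromised web login can write.

```sql
-- Constructed example schema, not the real site's tables.
CREATE TABLE dbo.Articles (
    ArticleId INT IDENTITY PRIMARY KEY,
    Title     NVARCHAR(200),
    Body      NVARCHAR(MAX)
);
GO

-- Vulnerable pattern: the form value is concatenated into SQL text.
-- Capping @Term at 5 characters does not fix this; a single quote in the
-- value still changes the statement, because concatenation is the defect.
CREATE PROCEDURE dbo.SearchArticles_Unsafe @Term NVARCHAR(50)
AS
BEGIN
    DECLARE @Sql NVARCHAR(MAX) =
        N'SELECT ArticleId, Title FROM dbo.Articles WHERE Title LIKE ''%' + @Term + N'%''';
    EXEC (@Sql);   -- data and code are mixed before the server ever parses it
END;
GO

-- Hardened pattern: the value is used as a parameter inside a fixed statement.
-- The concatenation here builds a string VALUE for LIKE, not SQL text,
-- so quote characters in @Term are just characters.
CREATE PROCEDURE dbo.SearchArticles_Safe @Term NVARCHAR(50)
AS
BEGIN
    SELECT ArticleId, Title
    FROM dbo.Articles
    WHERE Title LIKE N'%' + @Term + N'%';
END;
GO

-- Least privilege for the account the ASP pages connect with (name is a placeholder):
-- execute rights on the procedure only, no direct table writes, so a bug in one
-- page cannot rewrite every table the way the incident above did.
CREATE ROLE WebSiteReader;
GRANT EXECUTE ON dbo.SearchArticles_Safe TO WebSiteReader;
-- ALTER ROLE WebSiteReader ADD MEMBER [PLACEHOLDER_WEB_LOGIN];
GO
```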
Zudane

Anything with information that is important, it should be done with security as the main concern.

A form entry limiter is one way to prevent attacks, but there are other ways to get in.  At the very least you should have a security program running on the servers that would help block any attacks, in addition to the securities you implement.  I can't be TOO helpful because I'm far from a security expert, but I know there are dozens if not hundreds of things to defend against when building securities.
while()

You don't need any magical programs, you need to understand what you're building. No matter what you do, if you don't understand the code you're writing then you won't be able to understand how it can be manipulated for bad things.
myff admin

I do tend to go with that latter view.

But security does go far beyond being about coding. A server is a beast with many windows on it besides the code!
