This is a static copy of In the Rose Garden, which existed as the center of the western Utena fandom for years. Enjoy. :)
Dear Bangladesh,
If you read this, then kindly sod off.
Thanks,
the denizens of IRG.
Offline
I'm getting a lot of "500 Internal Server Error" messages when I browse the forum. They're fixed by reloading, but often there's a long load time. Anyone else, or just me?
Offline
I had one a moment ago, yes.
Offline
I've been having lots of 500 internal server errors too, satyr. I vaguely recall them starting for me a few days back, and they were definitely there yesterday. I thought it was a fluke on my end, but if others are experiencing it then at least I can know that it wasn't just me. :/
Offline
I'll make sure Gio knows. If the problem turns out to be on her side and not on the hosting company's side, it may take a while; she's facing some technical hurdles on her end.
Offline
This isn't a forum issue but is anyone having MAJOR glitches in the gallery? I've been going in there for reference images but on any one page there are usually several images that refuse to display. Refreshing sometimes brings some of them back up but none of them are all up at the same time.
Offline
Issues with the gallery are a perennial issue related to the scale of it and how awesome Giovanna tried to make it. There's naught to be done but tolerate it, as far as I can tell.
Offline
Kinda yeah.
So long story short, about a month ago we had some hilarious massive hard drive fails where we lost two inside of a week, and this included all the data for Empty Movement, including the gallery, forum, and site code. We've been working on scanning the extra drives for possible scraps of the site, and we've finally been successful in pulling most of the data. I'll be spending the next while trying to piece together the files for the site and gallery, which number in the 30,000.
So yeah. It's not that I'm not around or that I'm ignoring the site. I'm just trying to put it back together.
Offline
*blink blink*
Well.
That seems like an actual forum meltdown to me. Ouch.
But I have faith in you, Ends of the Forum, as I'm sure many of us do.
Offline
Okay. This is a mythical glitch. You are not even going to believe this. It is the bizarrest glitch ever.
I was trying to make a post to my Conformity thread over in SIL, and I wanted to say that it was difficult to predict what the community would come together on. But no matter what I did, the post wouldn't post. I got a Not Acceptable error every time I tried. I could post other replies, but I couldn't edit them to read what I wanted to say.
So I tried to post just the first sentence. And that was fine.
Then I added the next sentence. That was fine too.
So I'm like, okay, it was a freak glitch and now it's over, and I tried to post the whole thing. Nope!! Not Acceptable.
I ended up finishing the post by editing it in word by word. You are not going to believe what I found.
The problem is the word I was using for "come together." The word starts with COALESC and ends with E. It turns out that this word cannot be posted on IRG. You get a Not Acceptable error every time, in any thread you try to do it in. Try it right now.
Yeah.
So what the fuck?
Edit: It turns out that the taboo C-word is used as an SQL command. This has got to have something to do with the problem, but if there's one thing a server should not be doing, it's scanning user input for server commands. That way lies haxx.
Last edited by satyreyes (01-27-2013 04:23:58 PM)
Offline
I'm sort of surprised that this hasn't come up before. I mean... we're a fairly intelligent bunch. And in all the years the forum has been up, we've never used that word?
Offline
satyreyes wrote:
but if there's one thing a server should not be doing, it's scanning user input for server commands. That way lies haxx.
That's precisely why it's not letting you post it; it's not scanning for commands, more likely, it's trying to prevent SQL injection.
Each post gets stored in the database. That means all user input becomes part of an SQL statement. Simple example:
-- INSERT INTO posts VALUES ('username', 'datetime', 'postid', 'Escaped string of user input');
If the user input is a valid SQL command, say:
-- '); DELETE * FROM posts;
The resultant query could be:
-- INSERT INTO posts VALUES ('username', 'datetime', 'postid', ''); DELETE * FROM posts; ');
Which, in absence of other factors, would result in an error or successful partially empty INSERT, a full DELETE of the posts table, then an error. But the hacker has successfully accomplished his or her mischief.
It's a basic hack that relies on a basic understanding of SQL syntax and how simple web scripts handle POSTed user input. Nevertheless, there are a dozen other ways to protect against injection beyond disallowing SQL keywords (for example, bound parameters). Especially when you consider how many other simple words we use every day that are also the names of keywords or functions.
I've never coded for a transactional DB before, so there may be some unique (another SQL keyword) consideration with "coalesc(e)".
Last edited by rhyaniwyn (01-28-2013 10:01:16 AM)
Offline
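Added example, not part of the original thread and not punBB's or the hosting company's code: rhyaniwyn's point about bound parameters versus blocking SQL keywords, run against an in-memory SQLite table. The table layout, function names and the keyword list are assumptions; the host's real filter rules are not shown anywhere in the thread.

```python
import re
import sqlite3

# Hypothetical keyword filter standing in for whatever the host runs;
# its real rule set is not shown in the thread.
BLOCKED = re.compile(r"\b(coalesce|union\s+select)\b", re.IGNORECASE)

def keyword_filter(message):
    """Return an HTTP-style status: 406 if a blocked keyword appears, else 200."""
    return 406 if BLOCKED.search(message) else 200

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (username TEXT, posted TEXT, message TEXT)")
    return db

def insert_concatenated(db, username, message):
    """The pattern described in the post: user input pasted into the SQL text."""
    db.execute("INSERT INTO posts VALUES ('%s', '2013-01-28', '%s')" % (username, message))

def insert_bound(db, username, message):
    """Bound parameters: the driver passes the message as data, never as SQL."""
    db.execute("INSERT INTO posts VALUES (?, '2013-01-28', ?)", (username, message))

def stored_messages(db):
    return [row[0] for row in db.execute("SELECT message FROM posts ORDER BY rowid")]

# Constructed sample posts: two ordinary sentences and the string quoted in the post.
BENIGN = "Hard to predict what the community will coalesce around."
APOSTROPHE = "It's a basic hack."
HOSTILE = "'); DELETE * FROM posts;"

def demo():
    db = open_db()
    results = {"filter": [keyword_filter(m) for m in (BENIGN, APOSTROPHE, HOSTILE)]}
    try:
        insert_concatenated(db, "satyreyes", APOSTROPHE)
        results["concat"] = "stored"
    except sqlite3.Error:
        results["concat"] = "broken"  # the apostrophe ended the string literal early
    for message in (BENIGN, APOSTROPHE, HOSTILE):
        insert_bound(db, "satyreyes", message)
    results["stored"] = stored_messages(db)
    return results

if __name__ == "__main__":
    print(demo())
```

The keyword filter rejects the ordinary sentence and passes the quoted string, while the bound-parameter insert stores all three posts verbatim as text.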
Rhy, I love that explanation. That makes sense -- and shows how little I know about SQL. But what a terribly clumsy way to solve the problem! You're right, there must be some special behavior with c0alesce that somehow makes it hard to block by whatever the usual method is; IRG doesn't object to my posting "drop" or "execute" or "dump" or other SQL keywords.
Mocha, that surprises me too -- so much that I actually did a Google search to see if we've really never used that word here. It turns out we have! Frau Eva did it in a post in 2006, less than a month after the forum opened. We've patched a couple times since then, so it seems likely that the behavior got added in a patch.
Offline
We've contacted them about this issue, but it looks like it may be a "feature" and not something we can get around.
We were on a different server in 2006 and may not have been subject to the same "features."
Offline
"Features?" I would like to see their advertising materials.
- Unlimited storage space!
- Unlimited bandwidth!
- cPanel built in!
- Can't use the word "coale5ce!"
Offline
coalesce.
It was flagged as a possible SQL hole, so they patched it or something. Should all be good.
The recovery of my data appears to be largely successful. I now have to go through all my old shit and sort through and make sure none of the files are corrupt, or what is is hopefully not important.
Offline
Sometimes when I post, I get this error:
Error: Unable to update user.
I mean, the post is THERE, it just doesn't send me to it or anything.
lolwut
Offline
Getting lots of 500 server errors again. Not sure if it's my computer, but they ARE annoying.
Thought I'd give everybody a heads up, in case it means something bad. *nods*
Offline
I've also had those 500 server messages.
Offline
Odd. I'll look into it.
Offline
Just now I've gotten two "Internal Server Error", one trying to post (but it got through) and the other trying to get to the Index.
Offline
Yeah, I've been getting them too, ever since our server changed. I'll ask Gio to take a look.
Offline
The servers are going to come down for maintenance on Sunday, probably three hours or so. I'm hoping that's the problem and they're going to magic it away, but I'll work on troubleshooting if it persists beyond.
Offline
So things come full circle. I'm going to rebuild the gallery.
As HTML. Like I did the first time. Ten years ago.
I've been completely unable to fix the gallery in any meaningful or permanent way. And broken shit on my website pisses me off. So over the next X period of time I'm going to be working on that. It won't be as sexy or as awesome, but it will work. And be permanently usable because no matter how many html files you have, you don't overload the server using them because there's only ever one query at a time, and there's no database to maul.
The unfortunate side effect is that all links to the old one will come down. That's lame. I really wish I could avoid it, but being as those links almost never work anyway, it's just how it'll have to be.
As for forum, like I said, gonna see how the work over the weekend goes. But I'm worried that the forum is getting too large for punBB. I've never pruned it.
Offline