by TheoW » Tue Sep 07, 2021 7:03 am
Short version, the site is held together with more duct tape and bubble gum then usual for a website (and most sites are barely held together as it is) which allowed an SQL exploit.
Long version, while I was validating the input for the story data, I wasn't doing the same for the page ID passed in the URL. This resulted in allowing SQL injection issues. Someone was spamming the site with custom URLs that caused the request to simply never completed, and eventually it took up all the resources of the server.
Part of the fix was to replace all the Database code so that all the requests were going through API that separate the query and the data in the query so the data can never been processed as part of a SQL.
When it comes to security, passwords are stored with a one way hash and properly salted. Passwords are never stored in clear text on the site (whatever else I might be when it comes to web design, I know better then to do something like that)
Pretends to be the boss around here.