Data Site is Back Online

» 22 September 2013 » In NPB Tracker »

The data site is back up. It’s still not getting updates for 2013 (that will be more work) but the old data is there.

For anyone wishing for a technical explanation, I fell victim to an SQL injection attack. When I first set up the database four years ago, I knew about such attacks, so I was careful to set up a database user for this site with very minimal privileges. I was, however, a little less fervent about sanitizing input from the PHP pages. The inputs are supposed to be numeric id values (like “252”), but an attacker could add other stuff in and see if it would work (like “252 and select * from information_schema”). Eventually an attacker came along and did that. Since the database itself was locked down pretty well, none of these SQL injection attempts worked. The attacker tried over 1000 before giving up and threw an “and sleep()” into the query, which unfortunately did work, and caused trouble for my web host. It was a simple thing to fix but I couldn’t find the time until yesterday. I have taken other measures to avert similar attacks as well.
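One way to close this kind of hole, as an added example that is not the site's own code: the id is validated as a plain integer and then bound as a typed parameter, so neither of the input shapes quoted above ever reaches the query. It assumes PHP 8 with PDO; the in-memory SQLite database, the `players` table and the function names `parseId` and `findPlayer` are hypothetical stand-ins.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the site's database: in-memory SQLite so the
// example runs offline. Table and column names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO players (id, name) VALUES (252, 'Sample Player')");

/**
 * Accept only a plain positive decimal id; return null for anything else.
 * Request parameters can arrive as arrays, so non-strings are rejected too.
 */
function parseId(mixed $raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,8}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/**
 * Look up a row by id. The id is bound as an integer parameter, so the
 * SQL text is fixed and input can never change the query's structure.
 */
function findPlayer(PDO $pdo, mixed $rawId): ?array
{
    $id = parseId($rawId);
    if ($id === null) {
        return null; // caller should answer 400 without touching the database
    }
    $stmt = $pdo->prepare('SELECT id, name FROM players WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: one valid id plus the two shapes quoted in the post.
$samples = ['252', '252 and select * from information_schema', '252 and sleep()', ['252']];
foreach ($samples as $raw) {
    $row = findPlayer($pdo, $raw);
    printf("%-45s => %s\n", json_encode($raw), $row ? $row['name'] : 'rejected / not found');
}
```

Rejecting the input before any SQL is built is what stops the time-based case, which the low-privilege database user on its own did not.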
