- #1
- 28,951
- 4,245
I have a site made in PHP eons ago by someone I no longer have contact with. Lately site was attacked with a SQL injection attempt. Input is sanitized, so there is no immediate danger for the database, but this attack exposed vulnerability - if value of one the parameters is not from the predefined set, program ends in an endless loop, throwing warnings. That's in a way equivalent to a case statement missing default. In effect code generates multimegabyte output, eating bandwidth (20 GB on March 10th - which is what caught my attention, as typically daily traffic it is in tens of MB range). It doesn't happen often, still, judging from logs every few months someone tries hacking.
I did some digging in the source and I don't see how to correct the problem without writing everything from scratch - perfect example of unmaintainable code. Site is not worth the effort, still, it brings enough money from adsense to pay a third of the server costs, so I don't feel like just closing it.
Any ideas about how to limit the output without changing the code? Or with just a small changes? So far I thought about limiting execution time through max_execution_time in php.ini or by calling set_time_limit(1), but perhaps you can think of some other, better ways?
I did some digging in the source and I don't see how to correct the problem without writing everything from scratch - perfect example of unmaintainable code. Site is not worth the effort, still, it brings enough money from adsense to pay a third of the server costs, so I don't feel like just closing it.
Any ideas about how to limit the output without changing the code? Or with just a small changes? So far I thought about limiting execution time through max_execution_time in php.ini or by calling set_time_limit(1), but perhaps you can think of some other, better ways?