1. I'm not sure how many of you are using Sphinx, but it's AMAZING. It has been running for a few years for me, it's extremely fast, extremely resiliant and the results are amazing.
2. Most importantly, the reason I installed it was that my indexes became so large that they would more than double my DB size and the speed was terrible. I have a pretty large forum (83K users, 3M+ posts) and the time it took to post was increasingly frustrating. It took forever to save the post because indexing was killing me. I think I moved to Sphinx back on phpbb version 2.X (not 100% sure), but it's been with me forever.
3. I noticed I'm getting errors like this:I was wondering:
1. Do they know something I don't? Does Sphinx have vulnerabilities with SQL or code injection?
2. anything that I could/should do to block this type of thing?
3. anything that phpbb should do to prevent SQL injection in this way?
BTW, just try a sphinx search with parenthesis and you see this error immediately.
2. Most importantly, the reason I installed it was that my indexes became so large that they would more than double my DB size and the speed was terrible. I have a pretty large forum (83K users, 3M+ posts) and the time it took to post was increasingly frustrating. It took forever to save the post because indexing was killing me. I think I moved to Sphinx back on phpbb version 2.X (not 100% sure), but it's been with me forever.
3. I noticed I'm getting errors like this:
Code:
Sphinx Error» index index_phpbb_gx0r6hgn4i35d7zx_delta,index_phpbb_gx0r6hgn4i35d7zx_main: syntax error, unexpected ')' near ')\=sysdate(),sleep(15),0)'Code:
Sphinx Error» index index_phpbb_gx0r6hgn4i35d7zx_delta,index_phpbb_gx0r6hgn4i35d7zx_main: syntax error, unexpected '|' near '|DBMS_PIPE.RECEIVE_MESSAGE(CHR(98)||CHR(98)||CHR(98),15)||'Code:
Sphinx Error» index index_phpbb_gx0r6hgn4i35d7zx_delta,index_phpbb_gx0r6hgn4i35d7zx_main: syntax error, unexpected ')' near ')) | 873\=(SELECT 873 FROM PG_SLEEP(15))--'1. Do they know something I don't? Does Sphinx have vulnerabilities with SQL or code injection?
2. anything that I could/should do to block this type of thing?
3. anything that phpbb should do to prevent SQL injection in this way?
BTW, just try a sphinx search with parenthesis and you see this error immediately.
Statistics: Posted by oferlaor — Mon Sep 02, 2024 8:52 pm