Follow-ups from yesterday's post
Posted by Incineroar on 2020-05-30 06:28:35
So in looking at the code, and in reading other best practices and coding suggestions, I realized there are many other ways I could fix this code in terms of mitigating the exploit that I found. I know it's not perfect, and I plan to make a lot more smaller back-end updates to tighten up security in the software as well before I publish the next version. One such thing I plan to change is using PDO prepared statements to prevent injection-based attacks from working, rather than substituting values right into the query, where things can very quickly go wrong, as is currently being done. This will especially be necessary for post comments, because even with a captcha implementation there, it's still very much possible to exploit; it'll just be slower and the results will be more obvious, as they need to actually be posted and cannot be deleted unless the administrator does so, at which point the exploit will be seen and the IP address will be blocked. (Yes, IPs will also be logged for spam prevention purposes, hence the need for the new privacy policy.)
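The change described above, PDO prepared statements in place of splicing values into the query text, as an added example that is not code from the blog's software: the `comments` table layout, column names and sample rows are constructed, and an in-memory SQLite database stands in for the site's real one.

```php
<?php
// Added example, not the blog's own code: the current "substitute the value into
// the query" style beside its PDO prepared-statement form. Table name, columns and
// sample rows are constructed; an in-memory SQLite database is used so this runs
// offline (the site's real DSN and credentials would go in the PDO constructor).
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, post_id INTEGER, author TEXT, body TEXT)');
$pdo->exec("INSERT INTO comments (post_id, author, body) VALUES (1, 'alice', 'first!'), (2, 'bob', 'other post')");

// BEFORE (the pattern the post wants to remove): the request value is spliced into
// the SQL text, so quotes or an OR clause typed by a visitor become SQL syntax.
function commentsForPostUnsafe(PDO $pdo, string $postId): array
{
    $sql = "SELECT author, body FROM comments WHERE post_id = $postId";
    return $pdo->query($sql)->fetchAll();
}

// AFTER: validate the shape of the input, then bind it to a placeholder. The SQL
// is compiled before the value arrives, so the value can only ever be data.
// (On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the server binds.)
function commentsForPost(PDO $pdo, string $postId): array
{
    $id = filter_var($postId, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];  // not an integer id at all; no query is issued
    }
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE post_id = :post_id');
    $stmt->bindValue(':post_id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Writes work the same way: every comment field goes through a named placeholder,
// so a body containing quotes or SQL keywords is stored verbatim, never executed.
function addComment(PDO $pdo, int $postId, string $author, string $body): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO comments (post_id, author, body) VALUES (:post_id, :author, :body)'
    );
    $stmt->execute([':post_id' => $postId, ':author' => $author, ':body' => $body]);
}

addComment($pdo, 1, 'carol', "it's fine; ' OR 1=1 -- stays plain text");
var_dump(commentsForPost($pdo, '1'));         // valid id: normal lookup for post 1
var_dump(commentsForPost($pdo, '1 OR 1=1'));  // non-integer input: rejected before any SQL runs
```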
I did mention captcha up there though. Yes, the new comment system will be implementing hCaptcha for spam prevention purposes. This way, bots cannot automate the task of spamming the site with comments, especially in such rapid succession that the site can be spammed in just a few minutes with hundreds if not thousands of spam comments. I also plan to add this protection feature to the Admin Login page to mitigate credential stuffing/brute-force attacks on the login page. Of course there are other protections I plan to implement too, and I'll be attempting to harden the software a bit more as the software becomes a bit more social and the number of people that can use the site increases. There are also a lot of style bugs that need to be addressed, and I hope I'll be able to fix those as well so the site is a bit more mobile friendly. I've attempted to fix the Firefox bug with the footer but it's just being really garbage, although I did find a style issue with the Safari browser that's been fixed (so iOS users can see the site properly now!). I've got a to-do list going right now, but I hope to crush through it in the time leading to my return to work, and perhaps even a bit after I go back and still have some time due to reduced hours at work. I'm aiming to have the code done and some basic tests done in June, or July at the latest, as I'm tired of having to constantly look at this software and think of all the upgrades I wanted to do, rather than be working on them.