by loftar » Sat Oct 31, 2009 3:01 pm
Well, I've woken up now. :)
What Delamore discovered is that he could create the user "Jorb" and thus gain "jorb"'s access to the forum. I can at least assure you that the access was limited to the forum and the forum alone. It was made possible since I switched phpBB's database from sqlite to MySQL -- apparently MySQL does case-insensitive string-matching by default! (If anyone had insinuated that before this happened, I would probably have laughed it off, saying "Right, not even they can be that stupid". Apparently, I underestimated them...)
The problem is fixed now, by using MySQL-specific SQL extensions to mark the relevant column as "binary strings". Grumble grumble. Grumble.
I, for one, am quite glad that the problem was detected so relatively harmlessly. I'll leave any other judgement of the matter to how violated Jorb feels. He doesn't seem to have woken up yet, though. I've changed the forged posts to show as having been posted by Delamore.
"Object-oriented design is the roman numerals of computing." -- Rob Pike
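The collation behaviour described in the post above, as an added MySQL example (not loftar's phpBB schema or the actual fix he applied). The table and column names are constructed for illustration; the comparison semantics are MySQL's own: any `*_ci` collation compares strings case-insensitively, while `BINARY` or a `*_bin` collation compares them byte for byte.

```sql
-- Constructed example (not the forum's real schema): a users table whose
-- username column inherits MySQL's default case-insensitive (_ci) collation.
CREATE TABLE users_ci (
  user_id  INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  username VARCHAR(32) NOT NULL
) CHARACTER SET utf8mb4 COLLATE utf8mb4_general_ci;

INSERT INTO users_ci (username) VALUES ('jorb');

-- Under a _ci collation 'Jorb' = 'jorb' evaluates to 1 (TRUE), so a lookup
-- for a newly registered "Jorb" also matches the pre-existing "jorb" row.
SELECT 'Jorb' = 'jorb' COLLATE utf8mb4_general_ci AS ci_equal;
SELECT user_id, username FROM users_ci WHERE username = 'Jorb';

-- Audit an existing table for accounts that differ only by case
-- (a _ci column with no UNIQUE KEY lets both rows exist at once).
SELECT LOWER(username) AS folded, COUNT(*) AS n
FROM users_ci
GROUP BY LOWER(username)
HAVING COUNT(*) > 1;

-- Check which collation a column actually uses before assuming anything.
SELECT COLUMN_NAME, COLLATION_NAME
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = DATABASE() AND TABLE_NAME = 'users_ci';

-- The fix the post describes: mark the column as binary so comparisons are
-- byte-exact. Either form works; _bin is the explicit-collation spelling.
ALTER TABLE users_ci
  MODIFY username VARCHAR(32) CHARACTER SET utf8mb4 COLLATE utf8mb4_bin NOT NULL;

-- After the change 'Jorb' = 'jorb' evaluates to 0 (FALSE) and the lookup
-- returns no row for "Jorb".
SELECT 'Jorb' = 'jorb' COLLATE utf8mb4_bin AS bin_equal;
SELECT user_id, username FROM users_ci WHERE username = 'Jorb';

-- Belt and braces: a UNIQUE KEY on the column makes a second registration of
-- a colliding name fail outright (ERROR 1062) whatever the collation.
ALTER TABLE users_ci ADD UNIQUE KEY uq_username (username);
```

Design note: a binary column stops "Jorb" from matching "jorb" at login, but it also lets both names coexist as separate accounts, which is its own impersonation problem on a forum. The usual answer is to keep the display name case-exact and add a separate normalised (lower-cased) column with a UNIQUE KEY that registration checks against, so the lookup is exact and look-alike names are refused at sign-up.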