There were no more injections overnight but I'm not sure if that's because of the action I've taken or just because there were no posts yet today. Only the first post of the day was getting overwritten so it's hard to tell.
Numerous sections have been refactored and some additional mitigations have been put in place. Everything seems to be working properly and there are no PHP errors being logged - always a good thing. Hopefully I've caught everything but we'll see.
Thanks to Eivind (again, 🙌) I've made further changes. I now have two new MySQL users with differing permissions: one to do INSERT, UPDATE and DELETE, the other to do just the SELECT statements. Both have only the permissions they require.
I noticed that the file which builds the daily RSS feed didn't run from the cron job last night, and wouldn't today no matter what I tried to do.
Then it dawned on me that one of the mitigation measures I'd put in place was to prevent the config file from being run directly, only when included. And... I forgot to include the relevant define() statement in the file.
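The two measures described above (a SELECT-only user and a write-only user, and a config file that refuses to run unless it has been included) fit together in a small amount of PHP. The following is an added example, not the author's code: it assumes a constant named `APP_RUNNING`, a database called `blog`, MySQL users `blog_reader` and `blog_writer` whose passwords come from environment variables, and a file layout of `config.php` beside a `cron/build_rss.php`. The block shows both files, with the grants for the two users recorded in a comment.

```php
<?php
// ---- config.php (added example; names and paths are assumptions) ----

// Guard: refuse to run when requested directly (e.g. through the web server).
// Only a script that defined APP_RUNNING *before* including this file gets past here.
if (!defined('APP_RUNNING')) {
    http_response_code(403);
    exit('Direct access not permitted.');
}

// One-time grants for the two least-privilege users, run as a MySQL admin
// (placeholder passwords):
//   CREATE USER 'blog_reader'@'localhost' IDENTIFIED BY 'READER_PASSWORD';
//   GRANT SELECT ON blog.* TO 'blog_reader'@'localhost';
//   CREATE USER 'blog_writer'@'localhost' IDENTIFIED BY 'WRITER_PASSWORD';
//   GRANT INSERT, UPDATE, DELETE ON blog.* TO 'blog_writer'@'localhost';
const DB_DSN  = 'mysql:host=localhost;dbname=blog;charset=utf8mb4';
const DB_OPTS = [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
];

// Connection for code paths that only read (feeds, post listings).
function db_reader(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(DB_DSN, 'blog_reader', getenv('BLOG_READER_PW') ?: '', DB_OPTS);
    }
    return $pdo;
}

// Connection for code paths that change data (posting, editing, deleting).
function db_writer(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO(DB_DSN, 'blog_writer', getenv('BLOG_WRITER_PW') ?: '', DB_OPTS);
    }
    return $pdo;
}

// Convenience for the write path: always a prepared statement, never string-built SQL.
function insert_post(string $title, string $body): int
{
    $stmt = db_writer()->prepare('INSERT INTO posts (title, body, posted_at) VALUES (:t, :b, NOW())');
    $stmt->execute([':t' => $title, ':b' => $body]);
    return (int) db_writer()->lastInsertId();
}
```

```php
<?php
// ---- cron/build_rss.php (added example) ----

// The define() MUST come before the include. Without it the guard in config.php
// exits, and the cron job quietly produces no feed, which is the failure described
// in the post.
define('APP_RUNNING', true);
require __DIR__ . '/../config.php';

// Building the feed only ever reads, so it uses the SELECT-only connection.
// Even if an injection slipped into this path, the reader user cannot INSERT,
// UPDATE or DELETE, so it could not overwrite a post.
$stmt = db_reader()->prepare(
    'SELECT title, body, posted_at FROM posts WHERE posted_at >= :since ORDER BY posted_at DESC'
);
$stmt->execute([':since' => date('Y-m-d', strtotime('-1 day'))]);

echo "<rss version=\"2.0\"><channel>\n";
foreach ($stmt as $row) {
    printf(
        "<item><title>%s</title><description>%s</description><pubDate>%s</pubDate></item>\n",
        htmlspecialchars($row['title'], ENT_XML1),
        htmlspecialchars($row['body'], ENT_XML1),
        htmlspecialchars($row['posted_at'], ENT_XML1)
    );
}
echo "</channel></rss>\n";
```

A quick check that the split is doing its job: run `db_reader()->exec('DELETE FROM posts')` from a throwaway script and confirm MySQL rejects it with a permissions error, and request `config.php` directly in a browser and confirm the 403. If either succeeds, the grants or the guard are not in effect.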
The work week is done but I'm on call so have to keep my work phone on me over the weekend. Still, it's not as if we're going anywhere ;) Well, I need to get rid of some rubbish at the tip but that's it.
It's looking positive on the MySQL injection front; there have been no more problems so far. I'm not counting my chickens just yet but I'm quietly positive.
We've had a decent clean and sort out for a couple of hours this evening and that feels good. There's definitely something therapeutic about throwing things away and getting everything else tidy. It's good for the soul.
I may even start putting some furniture together in the spare room over the weekend so things can get even more sorted.