[development] slightly OT - don't be a stupid Drupal newb

Will Wyatt will at willwyatt.com
Thu Mar 16 07:08:13 UTC 2006


I've been trying to use a PHP block that contains some CURL code to
grab a pic and show it in the sidebar. I'm hosted at Dreamhost and I
have mod_security (Dreamhost calls it 'Extra Web Security') activated
on my domain.

So, when I tried to create a PHP block that contained codewords that
mod_security found offensive I was prevented from saving the block. No
problem, said the newbie. I updated the body field in {block} to the
CURL code I wanted in the block.

Here is the big uhh-ohh I discovered while doing this. I was trying to
use this php code in a block that was on every page. When I updated
the block in the database I used the wrong URL, which is in my drupal
path. I said http://www.example.com/gallery/blah when I meant to say
http://www.example.com/gallery2/blah.

So when I loaded the homepage for the first time, the block tried to
load, but the block was trying to load the wrong URL (the URL I
manually updated in the database). Drupal was intercepting the wrong
URL and trying to load the 'Page not found' which of course included
the offending block, which tried to load the wrong URL, which tried to
load the 'Page not found' page which contained the block with the bad
URL ... ad infinitum. So, in essence, I had denial of serviced myself.
I couldn't get to my website at ALL for about 20 minutes. Once I could
get back into my database (my ssh was DOSed as well) I reset the
block. Being curious I did it all again while running top through
another ssh connection. When I did it all again I saw 80 or so php5
processes in my user space before the top'ed connection DOSed itself.
I'm assuming Dreamhost finally killed something.

There is probably a moral to this story. Something like 'try php
chunks of code in a page before adding them to a block that can get
loaded on every page.' Especially if you're on shared hosting :)

Here's hoping you don't do what I did :)


--
Proud member of the KEXP cubicle army.
http://www.cubiclearmy.com
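
An added example, not part of the original message: one way to write such a block so that a wrong same-site URL cannot re-enter itself through the 'Page not found' page. The header name LOOP_MARKER and the function fetch_sidebar_image are hypothetical, and the code assumes the PHP curl extension.

```php
<?php
// Added example: LOOP_MARKER and fetch_sidebar_image are hypothetical names.
const LOOP_MARKER = 'X-Sidebar-Block-Fetch'; // assumed header name, not a Drupal feature

/**
 * Fetch an image for a sidebar block without letting a bad same-site URL recurse.
 * $server is normally $_SERVER; it is a parameter so the guard can be tested directly.
 */
function fetch_sidebar_image(string $url, array $server): ?string
{
    // PHP exposes the request header X-Sidebar-Block-Fetch as HTTP_X_SIDEBAR_BLOCK_FETCH.
    $key = 'HTTP_' . strtoupper(str_replace('-', '_', LOOP_MARKER));
    if (isset($server[$key])) {
        // This page is being rendered for the block's own fetch: stop at depth 1.
        return null;
    }

    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => [LOOP_MARKER . ': 1'], // tag the outbound request
        CURLOPT_CONNECTTIMEOUT => 2,     // seconds
        CURLOPT_TIMEOUT        => 5,     // cap how long one PHP process can be held
        CURLOPT_FOLLOWLOCATION => false, // do not chase redirects back into the site
    ]);
    $body   = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    $type   = (string) curl_getinfo($ch, CURLINFO_CONTENT_TYPE);

    // A 'Page not found' HTML response fails both checks and is never embedded.
    if ($body === false || $status !== 200 || strpos($type, 'image/') !== 0) {
        return null;
    }
    return 'data:' . $type . ';base64,' . base64_encode($body);
}

// Block body: render nothing when the fetch is refused or fails.
$src = fetch_sidebar_image('http://www.example.com/gallery2/blah', $_SERVER);
echo $src === null ? '' : '<img src="' . htmlspecialchars($src) . '" alt="">';
```

The marker header is what breaks the loop; the timeouts only bound how long each PHP process waits.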

