i’m off to send complaint now
Yes, i will complain too.
yeahhhhh.. i got a message back from brinkster, sounds like they are working on the problem
heres the message:
Hello,
We are preparing to update all the servers to the latest version. We hope to update all by the end of next week.
I apologize for any inconvenience and frustration these issues have caused.
If we can help with anything else, please let us know.
We’re having the same problem at Houmidity.com, but no reply from Brinkster about why they don’t A.) Turn NO_BACKSLASH_ESCAPES back off until they upgrade to 5.0.22 or B.) Hurry up and upgrade to 5.0.22 instead of waiting a week to do so.
Anyone else get any reply or have news on this subject?
Houmidity, I can answer question A for you.
They put it in place because the version of MySQL they’re running at the moment contains a explotable security bug, which is circumvented by that NO_BACKSLASH_ESCAPES workaround.
It’s a choice between being hacked or some broken software en they chose the second. As it should!
What you can blame them for is lousy communication and indeed a lack of speed in upgrading to a safe MySQL version, which doesn’t require this workaround.
Nazgul, yes I can definitely appreciate and understand why they would want to patch MySql to prevent a new exploit, and I get why they turned on the NO_BACKSLASH_ESCAPES mode in the first place.
However, once it’s been determined to really hose up a lot of their customers’ sites, it seems like they might consider turning it back off until they could upgrade to the new version, which gives us both security and compatibility with WordPress (we assume).
Houmidity, but if they turn it off, they’re again susceptible to being hacked until they’ve upgraded their MySQL servers. So I understand why they don’t turn it back off again.
What I do not understand is why it has to take so long to upgrade MySQL. Even for a large organisation it should be do-able within 1-2 weeks. The MySQL security update was released around the 26th of may, so they’ve had over 3 weeks to upgrade by now.
I am having a simular problem with brinkster
I can’t save any thing with a an apostrophe in it. eg the name O’Neall. I have had 4 discussion with support today. In the first discussion I asked
Don’t you find this a bit ridiculous what about words like Can’t, Where’s, She’ll, We’d, Didn’t, They’d, I’ve, You’ve, Who’s, He’s, Let’s, We’re, That’s. None of those can ever be entered into a database again?
There response was
You can easily create a script to replace the characters when entered into and read from the database.
This only made me more determined to get an answer. So after an argument about which version of MySql is running on the server where my site is I got this response.
We are preparing to update all the servers to the latest version. We hope to update all by the end of next week. I cannot say with any certainty that the upgrade will fix any problems. I believe it will solve the security problem recently discovered.
I am going to give them a bit of time to fix the problem but if they don’t I will be following it up and I will post what I think we all should do at that time.
When NO_BACKSLASH_ESCAPES is enabled the correct way to insert the apostrophe character is as follows:
‘It won”t do it otherwise’
The double apostrophe should do the trick.
I also have been frustrated with Brinkster but have posted a temporary solution for .NET users at my site: http://www.m-s-d.net/
Thanks,
Martin
I am looking for a site to move my two blog applications. I can’t depend on Brinkster any more.
I have contacted two hosting providers but I want to be sure that their mysql server has the innodb engine running and the infamous no_backslash thing is not enabled. I have two pre-sales inquiries open waiting for specific and clear answers.
I am also having this error (links messed up) with a site (nlcic.org) hosted with Brinkster. I contacted them and they said that the databases should be updated to Version 5.0.22 within 2 weeks.
I’m also having a problem getting plugins to activate. I get an error about having the wrong data type in the second argument of line 100 in plugins.php. I was able to get this error to go away by typecasting current plugins to an array: (array)$current_plugins. However the plugins are still not activating which I’m guessing is a byproduct of the NO_BACKSLASH_ESCAPES hack.
I installed phpMyAdmin and edited the content for the posts manually – so they now link correctly. This is just a real pain. Rather than hacking my WordPress install to get the plugins to work, I think I’ll wait for Brinkster to get their act together and update mySQL.
I am using Brinkster too, and I have the same problem. I am sending their reply here:
“Hello,
We are preparing to update all the servers by next week. This cannot be guaranteed but it is the current estimate. I recommend contacting us on Friday to find out the latest.
I apologize for any inconvenience and frustration these issues have caused.
If we can help with anything else, please let us know.”
I cannot trust them anymore, I think I am going to move to another host when my time is up.
Hope the problem will be solved by Friday. I can’t post or do anything.
Martin2006 the problem with writing temporary fixes to a problem caused by brinkster changing NO_BACKSLASH_ESCAPES is that when they up date to the latest version of mysql ( which they inevitably will), your data will be corrupt and then you will have to write another piece of code to go back and correct that. This might seem ok if you are the only one affected but when there are hundreds if not thousands who are affected the service provider should upgrade to the version of mysql that does not have the vulnerability.
Brinkster should have never changed NO_BACKSLASH_ESCAPES they should have dropped every thing and started an immediate upgrade of all servers. After all they are a SERVICE provider and they should provide a service, otherwise why pay them.
My other problem with brinkster is the way that they went about the whole problem, they changed the NO_BACKSLASH_ESCAPES with out any notification, how hard would it have been to send every one an email stating what they were doing and why. I know that I alone spent 3 days trying figure out what had gone wrong, my time is precious and I object to them wasting my time when an eamil would have helped.
I have another question ( rectorial )
If the vulnerability opens brinkster up to the possibility of attack, how many possible attacks are we talking? If the number is as I suspect (in the short term) very low to none, then don’t make changes to the configuration file which will brake every ones sites, say nothing, and start to upgrade to the latest version of mysql. If I am wrong and there is a high risk of attack, then instead of braking every ones site they should have start to upgrade to the latest version of mysql immediately. Either way the answer was never to take the slack way and hope no one notices. They should fix the problems not create them.
Binaryone: The risk of being hacked depends on the PHP software that’s running on those machines. Because Brinkster just hosts sites, they don’t know what you (=the customers) put on there. If everyone is using software thats written correctly, than the chance of being hacked are slim, but on the other hand, if somebody forgets to patch or update some buggy script then the server is highly at risk. And as I’ve said, Brinkster can’t determine that.
And I know from experience, from working at a large IT company, that there’s no such thing as upgrade to the latest version of a product immediately. Because a lot of things can go wrong during an upgrade, which don’t even have to be Brinksters fault, but they will be the ones ‘getting screamed at’ because of it. So I understand that they want to do a test upgrade before doing it system-wide. I also understand that they implement the NO_BACKSLASH_ESCAPES workaround while testing the upgrade.
What I do not understand is that they don’t/didn’t communicate the issue, so people would know why their system wasn’t working as expected, and that there was a valid (and temporary) reason for it.
The other thing I don’t understand is that it has already taken them 3 weeks to even start upgrading. I’ve stated before that they should have some time to test and plan the upgrade, maybe a week, but definitely not 3 weeks.
