I'm in charge of maintaining a learning management system and this is an issue that I've been dealing with on and off over the past few months.
我负责维护一个学习管理系统,这是我在过去几个月里一直在处理的问题。
A single student (among thousands) is claiming that his essay submissions are being "eaten" by the website. After form submission he says his essay has been replaced by the following text:
一名学生(数千人)声称他的论文提交被网站“吃掉”。表格提交后,他说他的论文已被以下文字取代:
Warning: mysql_connect() [function.mysql-connect]: Lost connection to MySQL server at 'reading initial communication packet', system error: 111 in /home/web/solomon_1.3/classes/db.class.php on line 84
警告:mysql_connect()[function.mysql-connect]:在'读取初始通信数据包'时失去与MySQL服务器的连接,系统错误:第84行/home/web/solomon_1.3/classes/db.class.php中的111
Fatal error: Error connecting to database server: in /home/web/solomon_1.3/classes/db.class.php on line 85
致命错误:连接到数据库服务器时出错:在第85行的/home/web/solomon_1.3/classes/db.class.php中
The preceding warning and fatal error are stored in the database as his submission. But how could this be as the error clearly states that a connection could not be made? The essay submission page is about as basic as it gets: A single DB connection is made, the form data is saved to the DB, user is redirected back to the submission page.
前面的警告和致命错误作为他的提交存储在数据库中。但是,如果错误清楚地表明无法建立连接,那又怎么可能呢?论文提交页面基本上是基本的:单个数据库连接,表单数据保存到数据库,用户被重定向回提交页面。
Lines 84-86 of db.class.php are:
db.class.php的第84-86行是:
if (!($sql_id=mysql_connect($server, $user, $pwd,$new))){
trigger_error("[Error connecting to database server]: {$sql_id}", E_USER_ERROR);
}
Notice how the error reported by the student lacks square brackets around the Fatal Error description string as shown in the PHP source file. Those square brackets were added nearly two months ago after the student's first error report with the suspicion that he was just pasting an error string into the submission box as a way to avoid work. I guess it's the 21st-century version of "the dog ate my homework".
请注意学生报告的错误如何在Fatal Error描述字符串周围缺少方括号,如PHP源文件中所示。大约两个月前,在学生的第一个错误报告之后添加了这些方括号,怀疑他只是将错误字符串粘贴到提交框中以避免工作。我想这是21世纪版本的“狗吃我的作业”。
As recently as a week ago the student still reports the original error without brackets. A server-wide grep verified that the error the student keeps "getting" is based on a string that simply doesn't exist.
就在一周前,学生仍然在没有括号的情况下报告原始错误。服务器范围的grep验证了学生保持“获取”的错误是基于一个根本不存在的字符串。
Now, the most reasonable explanation is that the student is screwing with us. That DB connection error has happened in the past but not within at least the last three months.
现在,最合理的解释是学生正在与我们联系。数据库连接错误发生在过去,但至少在过去三个月内没有发生。
There's a chance the student could get expelled over this so I wanted to make absolutely sure that my evidence is solid. Can you think of any alternate theories likely or otherwise?
学生有可能被驱逐出去,所以我想确保我的证据是可靠的。你能否想到任何可能的替代理论?
9 个解决方案
#1
As tpdi pointed out correctly: an innocent person wouldn't be trying to prove that innocence.
正如tpdi所指出的那样:一个无辜的人不会试图证明这种无辜。
And yes, you should log errors to a file, possibly even email the system administrator a copy of serious errors. But all that is not helping you now.
是的,您应该将错误记录到文件中,甚至可能向系统管理员发送严重错误的副本。但现在所有这些都没有帮助你。
First thoughts:
Although there is no direct evidence that the student is making up a digital dog to eat his homework, I've never seen an error message being inserted into any table instead of the expected contents.
初步想法:虽然没有直接的证据证明学生正在编造数字狗来吃他的作业,但我从未见过将错误信息插入任何表格而不是预期的内容。
If a real error in the script causes the error message to end up in a new record, the on-screen error would most likely be completely different. So if the student's mother claims to have seen this error, I find that even harder to believe.
如果脚本中的实际错误导致错误消息以新记录结束,则屏幕上的错误很可能完全不同。因此,如果学生的母亲声称已经看到这个错误,我发现更难相信。
The missing angled brackets in the error message:
I've seen many unexpected crashes, even in code that 'could not possibly be wrong' (tm). The fact that the brackets are missing is, as others have pointed out, no evidence in itself.
The error could be copied & pasted from on old e-mail or even be changed by a custom error handler (which you do not seem to have, but just to point out the possibility).
错误消息中缺少斜角括号:我已经看到许多意外崩溃,即使代码“不可能是错误的”(tm)。正如其他人所指出的那样,缺少括号的事实本身并没有证据。错误可以从旧电子邮件中复制和粘贴,甚至可以通过自定义错误处理程序(您似乎没有,但只是指出可能性)进行更改。
But, if an genuine error in the script causes the error message to ends up in a newly inserted database record, this error message is script-generated. The missing angled brackets however, strongly suggest that the error message originated from outside the script.
但是,如果脚本中的真正错误导致错误消息在新插入的数据库记录中结束,则此错误消息是脚本生成的。但是,缺少的斜角括号强烈暗示错误消息源自脚本外部。
Then the script lines themselves:
然后脚本排成一行:
84: if (!($sql_id=mysql_connect($server, $user, $pwd,$new))){
85: trigger_error("[Error connecting to database server]: {$sql_id}", E_USER_ERROR);
86: }
As far as I can see, if the script fails to set up a valid connection (line 84) it triggers the user error on line 85.
In reverse, if the user error (line 85) is triggered, the script failed to obtain a valid MySQL link identifier.
据我所知,如果脚本无法建立有效的连接(第84行),它会在第85行触发用户错误。相反,如果触发了用户错误(第85行),则脚本无法获得有效的MySQL链接标识符。
As far as I know there is no way for a PHP-script to affect any data on the server without a valid MySQL link identifier.
据我所知,没有有效的MySQL链接标识符,PHP脚本无法影响服务器上的任何数据。
In addition to the the missing MySQL link identifier, there is no code in the lines above whatsoever that touches the data. So even if there was a valid connection, these lines would not trigger the insert of a new record.
除了缺少的MySQL链接标识符之外,上面的行中没有任何代码接触数据。因此,即使存在有效连接,这些行也不会触发插入新记录。
I find it extremely unlikely, bordering on impossible, that an error in the process of opening a connection to the Database server would ever cause a record to be inserted, let alone a record holding a perfectly readable PHP-styled error message.
我发现打开与数据库服务器的连接过程中的错误将导致插入记录,更不用说记录包含完全可读的PHP样式的错误消息。
My conclusion bases upon the information you posted:
The student has a copy of an error message that was shown in the browser after a real error that has occurred somewhere in the past. He now posts a copy of the error message to the script. The script stores the posted information in the database.
我的结论基于您发布的信息:学生有一个错误消息的副本,该错误消息在过去某处发生真正的错误后显示在浏览器中。他现在将错误消息的副本发布到脚本中。该脚本将发布的信息存储在数据库中。
#2
The student could have a setup where the brackets are stripped for some reason, or they could just be sending a c+p of the previous error when they see the new one. Or they could be typing it. Never ever trust a user-reported error message 8).
由于某种原因,学生可以设置括号被剥离的设置,或者他们只是在看到新的错误时发送前一个错误的c + p。或者他们可以输入它。永远不要相信用户报告的错误消息8)。
I suppose the first thing I'd say is that you shouldn't be sending error messages to the user. They should be logged. Turn off display_errors in php.ini, and turn on log_errors. This is both a security issue (I now know about the file structure of your server, and that you're running MySQL) and will allow you to trace when the errors are happening.
我想我首先要说的是你不应该向用户发送错误消息。他们应该被记录下来。关闭php.ini中的display_errors,然后打开log_errors。这既是一个安全问题(我现在知道你的服务器的文件结构,你正在运行MySQL),并允许你跟踪错误发生的时间。
You should also have web server access logs, yes? If you know the IP the student is coming from, that should let you know timing for accesses and when to look for errors.
您还应该有Web服务器访问日志,是吗?如果您知道学生来自的IP,那应该让您知道访问的时间以及何时查找错误。
In addition, you might consider having your application do logging, especially as related to what user is logged-in. If before your trigger_error you append the current user and environment into a file, you'll know right away if this user is actually seeing these issues.
此外,您可能会考虑让应用程序进行日志记录,尤其是与用户登录相关的日志记录。如果在您的trigger_error之前将当前用户和环境附加到文件中,您将立即知道该用户是否确实看到了这些问题。
#3
Don't you log when errors like this occur?
It does look like he's making it up though...
当这样的错误发生时,你不记得吗?它确实看起来像是在弥补它......
As Jeff says in Exception-Driven Development
正如Jeff在异常驱动开发中所说的那样
If you're waiting around for users to tell you about problems with your website or application, you're only seeing a tiny fraction of all the problems that are actually occurring. The proverbial tip of the iceberg.
如果您正在等待用户告诉您有关您的网站或应用程序的问题,那么您只能看到实际发生的所有问题中的一小部分。众所周知的冰山一角。
#4
In dubio pro reo. If the student can provide his or her materials on time (without using the website), I would avoid throwing around accusations.
在dubio pro reo。如果学生能够按时提供他或她的材料(不使用网站),我会避免辱骂。
Of course, having a good log from the web server with things like size of post parameters, size of SQL parameters and screenshot of the student's screen at the time of the post might change things.
当然,从帖子服务器获得一个好的日志,例如帖子参数的大小,SQL参数的大小以及帖子发布时学生屏幕的截图可能会改变一些事情。
#5
Having a different message to the one in the code... that's pretty strong evidence.
给代码中的那个留下不同的信息......这是非常有力的证据。
Not necessarily. If I saw the error the first time, emailed the prof about it, then got a very similar error a second time, I'd probably just copy the initial email and with it the initial error.
不必要。如果我第一次看到错误,通过电子邮件向教授发送电子邮件,然后第二次得到一个非常类似的错误,我可能只是复制初始电子邮件,并带有初始错误。
I'd do this because it would be a little easier than selecting and copying in the browser, and because as an innocent person, I wouldn't be trying to prove that innocence.
我这样做是因为它比在浏览器中选择和复制要容易一些,因为作为一个无辜的人,我不会试图证明这种无辜。
It would surprise me little if there's something in his input that causes MySQL to choke. In my own work, I've found certain queries that can crash the MySQL server (and the MySQL release notes are full of them). Given the right MySQl config, you can easily get a situation where the server crashes, then gets (very quickly) brought back up / failed over, which could account for the error message being stored on the server.
如果他的输入中存在导致MySQL窒息的东西,那就会让我感到惊讶。在我自己的工作中,我发现某些查询可能会导致MySQL服务器崩溃(并且MySQL发行说明中充满了它们)。给定正确的MySQl配置,您可以轻松获得服务器崩溃的情况,然后(非常快速地)恢复/故障转移,这可以解释存储在服务器上的错误消息。
Rather than accuse the guy, let him email his assignment. This will assure the prof that the assignment was turned in when due, and allow the prof to test submitting the assignment through the online learning system.
而不是指责这个人,让他给他的电子邮件发送电子邮件。这将确保教授在到期时转入作业,并允许教授通过在线学习系统测试提交作业。
#6
Have you considered asking him to do a submission in front of you? The submission doesn't have to be the real essay (although that is better) but maybe he's doing something your script isn't expecting. Users are always able to find errors when "there just can't be an error in that code".
你考虑过让他在你面前提交申请吗?提交不一定是真正的文章(虽然这更好),但也许他正在做你的脚本不期望的事情。当“那个代码中不存在错误”时,用户总能找到错误。
EDIT: Have you considered giving him a CD-R/RW and asking him to burn his files onto the disk and you'll submit it for him?
编辑:你有没有考虑给他一张CD-R / RW,并要求他将他的文件刻录到磁盘上,你会为他提交?
#7
It looks mostly legit to me.
它看起来对我很重要。
How else could the student:
学生怎么可能:
- know the name of an apparently internal .php file (this looks like a library, not a directly HTTP served file)
- know the line numbers of the mysql_connect handling code
知道一个明显内部的.php文件的名称(这看起来像一个库,而不是一个直接的HTTP服务文件)
知道mysql_connect处理代码的行号
#8
If you were to add a few comment lines to the top of that PHP file, so that the line number of the alleged error changes, does the student get the same error message or a new error message with new line numbers?
如果您要在该PHP文件的顶部添加一些注释行,以便所谓的错误的行号发生更改,学生是否会收到相同的错误消息或带有新行号的新错误消息?
If the former, I'd say he may be trying to pull a fast one. If the latter, it sounds like there's something wrong on your end.
如果是前者,我会说他可能会试图拉快速。如果是后者,听起来你的结果有些不对劲。
#9
Would maintenance be happening at that time? Maybe he's submitting reports late in the morning whereas everyone else is sleeping.
维修会在那个时候发生吗?也许他是在早上提交报告而其他人都在睡觉。
#1
As tpdi pointed out correctly: an innocent person wouldn't be trying to prove that innocence.
正如tpdi所指出的那样:一个无辜的人不会试图证明这种无辜。
And yes, you should log errors to a file, possibly even email the system administrator a copy of serious errors. But all that is not helping you now.
是的,您应该将错误记录到文件中,甚至可能向系统管理员发送严重错误的副本。但现在所有这些都没有帮助你。
First thoughts:
Although there is no direct evidence that the student is making up a digital dog to eat his homework, I've never seen an error message being inserted into any table instead of the expected contents.
初步想法:虽然没有直接的证据证明学生正在编造数字狗来吃他的作业,但我从未见过将错误信息插入任何表格而不是预期的内容。
If a real error in the script causes the error message to end up in a new record, the on-screen error would most likely be completely different. So if the student's mother claims to have seen this error, I find that even harder to believe.
如果脚本中的实际错误导致错误消息以新记录结束,则屏幕上的错误很可能完全不同。因此,如果学生的母亲声称已经看到这个错误,我发现更难相信。
The missing angled brackets in the error message:
I've seen many unexpected crashes, even in code that 'could not possibly be wrong' (tm). The fact that the brackets are missing is, as others have pointed out, no evidence in itself.
The error could be copied & pasted from on old e-mail or even be changed by a custom error handler (which you do not seem to have, but just to point out the possibility).
错误消息中缺少斜角括号:我已经看到许多意外崩溃,即使代码“不可能是错误的”(tm)。正如其他人所指出的那样,缺少括号的事实本身并没有证据。错误可以从旧电子邮件中复制和粘贴,甚至可以通过自定义错误处理程序(您似乎没有,但只是指出可能性)进行更改。
But, if an genuine error in the script causes the error message to ends up in a newly inserted database record, this error message is script-generated. The missing angled brackets however, strongly suggest that the error message originated from outside the script.
但是,如果脚本中的真正错误导致错误消息在新插入的数据库记录中结束,则此错误消息是脚本生成的。但是,缺少的斜角括号强烈暗示错误消息源自脚本外部。
Then the script lines themselves:
然后脚本排成一行:
84: if (!($sql_id=mysql_connect($server, $user, $pwd,$new))){
85: trigger_error("[Error connecting to database server]: {$sql_id}", E_USER_ERROR);
86: }
As far as I can see, if the script fails to set up a valid connection (line 84) it triggers the user error on line 85.
In reverse, if the user error (line 85) is triggered, the script failed to obtain a valid MySQL link identifier.
据我所知,如果脚本无法建立有效的连接(第84行),它会在第85行触发用户错误。相反,如果触发了用户错误(第85行),则脚本无法获得有效的MySQL链接标识符。
As far as I know there is no way for a PHP-script to affect any data on the server without a valid MySQL link identifier.
据我所知,没有有效的MySQL链接标识符,PHP脚本无法影响服务器上的任何数据。
In addition to the the missing MySQL link identifier, there is no code in the lines above whatsoever that touches the data. So even if there was a valid connection, these lines would not trigger the insert of a new record.
除了缺少的MySQL链接标识符之外,上面的行中没有任何代码接触数据。因此,即使存在有效连接,这些行也不会触发插入新记录。
I find it extremely unlikely, bordering on impossible, that an error in the process of opening a connection to the Database server would ever cause a record to be inserted, let alone a record holding a perfectly readable PHP-styled error message.
我发现打开与数据库服务器的连接过程中的错误将导致插入记录,更不用说记录包含完全可读的PHP样式的错误消息。
My conclusion bases upon the information you posted:
The student has a copy of an error message that was shown in the browser after a real error that has occurred somewhere in the past. He now posts a copy of the error message to the script. The script stores the posted information in the database.
我的结论基于您发布的信息:学生有一个错误消息的副本,该错误消息在过去某处发生真正的错误后显示在浏览器中。他现在将错误消息的副本发布到脚本中。该脚本将发布的信息存储在数据库中。
#2
The student could have a setup where the brackets are stripped for some reason, or they could just be sending a c+p of the previous error when they see the new one. Or they could be typing it. Never ever trust a user-reported error message 8).
由于某种原因,学生可以设置括号被剥离的设置,或者他们只是在看到新的错误时发送前一个错误的c + p。或者他们可以输入它。永远不要相信用户报告的错误消息8)。
I suppose the first thing I'd say is that you shouldn't be sending error messages to the user. They should be logged. Turn off display_errors in php.ini, and turn on log_errors. This is both a security issue (I now know about the file structure of your server, and that you're running MySQL) and will allow you to trace when the errors are happening.
我想我首先要说的是你不应该向用户发送错误消息。他们应该被记录下来。关闭php.ini中的display_errors,然后打开log_errors。这既是一个安全问题(我现在知道你的服务器的文件结构,你正在运行MySQL),并允许你跟踪错误发生的时间。
You should also have web server access logs, yes? If you know the IP the student is coming from, that should let you know timing for accesses and when to look for errors.
您还应该有Web服务器访问日志,是吗?如果您知道学生来自的IP,那应该让您知道访问的时间以及何时查找错误。
In addition, you might consider having your application do logging, especially as related to what user is logged-in. If before your trigger_error you append the current user and environment into a file, you'll know right away if this user is actually seeing these issues.
此外,您可能会考虑让应用程序进行日志记录,尤其是与用户登录相关的日志记录。如果在您的trigger_error之前将当前用户和环境附加到文件中,您将立即知道该用户是否确实看到了这些问题。
#3
Don't you log when errors like this occur?
It does look like he's making it up though...
当这样的错误发生时,你不记得吗?它确实看起来像是在弥补它......
As Jeff says in Exception-Driven Development
正如Jeff在异常驱动开发中所说的那样
If you're waiting around for users to tell you about problems with your website or application, you're only seeing a tiny fraction of all the problems that are actually occurring. The proverbial tip of the iceberg.
如果您正在等待用户告诉您有关您的网站或应用程序的问题,那么您只能看到实际发生的所有问题中的一小部分。众所周知的冰山一角。
#4
In dubio pro reo. If the student can provide his or her materials on time (without using the website), I would avoid throwing around accusations.
在dubio pro reo。如果学生能够按时提供他或她的材料(不使用网站),我会避免辱骂。
Of course, having a good log from the web server with things like size of post parameters, size of SQL parameters and screenshot of the student's screen at the time of the post might change things.
当然,从帖子服务器获得一个好的日志,例如帖子参数的大小,SQL参数的大小以及帖子发布时学生屏幕的截图可能会改变一些事情。
#5
Having a different message to the one in the code... that's pretty strong evidence.
给代码中的那个留下不同的信息......这是非常有力的证据。
Not necessarily. If I saw the error the first time, emailed the prof about it, then got a very similar error a second time, I'd probably just copy the initial email and with it the initial error.
不必要。如果我第一次看到错误,通过电子邮件向教授发送电子邮件,然后第二次得到一个非常类似的错误,我可能只是复制初始电子邮件,并带有初始错误。
I'd do this because it would be a little easier than selecting and copying in the browser, and because as an innocent person, I wouldn't be trying to prove that innocence.
我这样做是因为它比在浏览器中选择和复制要容易一些,因为作为一个无辜的人,我不会试图证明这种无辜。
It would surprise me little if there's something in his input that causes MySQL to choke. In my own work, I've found certain queries that can crash the MySQL server (and the MySQL release notes are full of them). Given the right MySQl config, you can easily get a situation where the server crashes, then gets (very quickly) brought back up / failed over, which could account for the error message being stored on the server.
如果他的输入中存在导致MySQL窒息的东西,那就会让我感到惊讶。在我自己的工作中,我发现某些查询可能会导致MySQL服务器崩溃(并且MySQL发行说明中充满了它们)。给定正确的MySQl配置,您可以轻松获得服务器崩溃的情况,然后(非常快速地)恢复/故障转移,这可以解释存储在服务器上的错误消息。
Rather than accuse the guy, let him email his assignment. This will assure the prof that the assignment was turned in when due, and allow the prof to test submitting the assignment through the online learning system.
而不是指责这个人,让他给他的电子邮件发送电子邮件。这将确保教授在到期时转入作业,并允许教授通过在线学习系统测试提交作业。
#6
Have you considered asking him to do a submission in front of you? The submission doesn't have to be the real essay (although that is better) but maybe he's doing something your script isn't expecting. Users are always able to find errors when "there just can't be an error in that code".
你考虑过让他在你面前提交申请吗?提交不一定是真正的文章(虽然这更好),但也许他正在做你的脚本不期望的事情。当“那个代码中不存在错误”时,用户总能找到错误。
EDIT: Have you considered giving him a CD-R/RW and asking him to burn his files onto the disk and you'll submit it for him?
编辑:你有没有考虑给他一张CD-R / RW,并要求他将他的文件刻录到磁盘上,你会为他提交?
#7
It looks mostly legit to me.
它看起来对我很重要。
How else could the student:
学生怎么可能:
- know the name of an apparently internal .php file (this looks like a library, not a directly HTTP served file)
- know the line numbers of the mysql_connect handling code
知道一个明显内部的.php文件的名称(这看起来像一个库,而不是一个直接的HTTP服务文件)
知道mysql_connect处理代码的行号
#8
If you were to add a few comment lines to the top of that PHP file, so that the line number of the alleged error changes, does the student get the same error message or a new error message with new line numbers?
如果您要在该PHP文件的顶部添加一些注释行,以便所谓的错误的行号发生更改,学生是否会收到相同的错误消息或带有新行号的新错误消息?
If the former, I'd say he may be trying to pull a fast one. If the latter, it sounds like there's something wrong on your end.
如果是前者,我会说他可能会试图拉快速。如果是后者,听起来你的结果有些不对劲。
#9
Would maintenance be happening at that time? Maybe he's submitting reports late in the morning whereas everyone else is sleeping.
维修会在那个时候发生吗?也许他是在早上提交报告而其他人都在睡觉。