Problem description:
I’ve recently seen from @functionally that there are new console DB exploits
Expected behavior:
The database is deleted after running the repl (same as I’d wish the REPL_IDENTITY would be)
Actual behavior:
You should be unable to access the db outside of the repl, it’s always been one of the major problems, but @functionally says there is more than one way
Steps to reproduce:
Just run a repl, and do (ctrl c, ctrl d and do from replit import db)
Also, not completely related but:
I’ve checked the replit.py code and I can delete the REPLIT_DB_URL and run the database/default_db.py which gets the db, and that will be a None db, but if I get the db from replit (from replit import db), it gives me a db, even though it just RAN THE SAME CODE
Bug appears at this link:
Arrrowfall
Browser/OS/Device:
NaN
sorry for ping but @not-ethan I was told you know how this happens, and functionally won’t tell me their method… soooo I was wondering if you could 
yeah, the exploit I found allows you to access the db outside of the repl and change / add any value you want.
but… HOW. HOW DO YOU ACCESS IT could you kindly explain further?
#Ineedtoknowbecauseitinvolvesme
Yeah but can’t you just print the DB url and do that? That’s been an issue for ages
I tried this out, the db URLs are different so that means everything is safe. The actual db url vs. the one derived from running from replit import db in the spotlight page are different.
yeah doesn’t it just create a new DB?
we’re talking about a game where your stats are stored (and can be edited) by using the DB
Yeah but I can still access the local db
@ReplitIronclad ^^ I can still edit the db like this
Also, while you’re here, I’ll explain a bug with the DB or whatever it is, such as if you play a game that saves data via replit db. Your data is obviously saved, but only on that device; if you switch to another device, you’ll have to start over, even if you’re on the same account where the data was previously saved.
That’s because the DB is separate for each repl. When you play someone else’s repl (that’s not a webserver of some type) it makes sort of a proxy repl that is a copy, it’s not actually running the same repl, so the DB is different
sorry if I worded that terribly
So you’re saying that if I played a game like Hecker40’s Cookie Clicker in Python-Terminal and got, say, 1,000 cookies, it would be saved in the replit DB. But if I switch to a different device while still connected to the same account and game, will it reset my score and create a new DB?
I think it should be the same for accounts, but I don’t know
That is my problem; it forces me to reset all of my data even though I am still playing on the same account, which is kind of stupid (sorry if that is considered vulgar by @system).
The system does not detect if posts are vulgar or not. They are just the ones who send the messages when a user manually flags
Maybe it is by device then? I always use the same device so never noticed it