Re: Google Bot deleting my database entries!

2009-10-27 Thread Herberth Amaral

In fact, if you follow the REST principles, you must send a DELETE
request to delete a database entry. In this case, POST can be used to
add records to the database and GET to list one or more of them.

On Oct 26, 9:35 pm, "euromark (munich)" wrote:
> you are violating protocol
>
> never allow GET requests to change the database
> no edit, no add, no delete if you (or a bot) access a URL
>
> always use POST for those actions!
> then this won't happen
>
> besides this, the above solutions could be working work-arounds
--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups 
"CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to 
cake-php+unsubscr...@googlegroups.com
For more options, visit this group at 
http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---



Re: Google Bot deleting my database entries!

2009-10-26 Thread euromark (munich)

you are violating protocol

never allow GET requests to change the database
no edit, no add, no delete if you (or a bot) access a URL

always use POST for those actions!
then this won't happen

besides this, the above solutions could be working work-arounds


On 27 Okt., 00:15, Miles J  wrote:
> It uses an HTTP authentication mechanism... you know, that thing that
> happens when your browser prompts you for a login, when you go to
> something restricted.

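The rule in euromark's reply above, and the REST framing in Herberth Amaral's reply at the top of the thread, as an added example that is not code from this thread or from CakePHP itself. It is a CakePHP 1.2-style ContributorRolesController whose delete action answers 405 to anything but a POST or a DELETE request and stops, followed by the view fragment that renders the delete control as a form instead of a link. The controller and model names follow the URLs and the "Invalid id for ContributorRole" message quoted in the thread; the `name` field, the RequestHandler component and the flash wording are assumptions.

```php
<?php
// Added example, not code from this thread or from CakePHP. Controller and
// model names follow the URLs quoted in the thread; the `name` field and the
// RequestHandler component are assumptions.
class ContributorRolesController extends AppController {
    var $name = 'ContributorRoles';
    var $components = array('Session', 'RequestHandler');

    function index() {
        $this->set('contributorRoles', $this->ContributorRole->find('all'));
    }

    // Destructive action. Crawlers, link prefetchers and pasted URLs all issue
    // GET, so GET must never reach the model call: only a POST (from the form
    // below) or a REST DELETE is accepted. AppController::beforeFilter() still
    // decides who may delete; this decides how it may be asked for.
    function delete($id = null) {
        if (!$this->RequestHandler->isPost() && !$this->RequestHandler->isDelete()) {
            header('HTTP/1.1 405 Method Not Allowed');
            header('Allow: POST, DELETE');
            echo 'Use the Delete button; this URL cannot be opened directly.';
            exit;                                   // stop: no fall-through into the delete
        }
        $id = (int)$id;                             // ids are integers here; also keeps the flash text safe
        if (!$id || !$this->ContributorRole->findById($id)) {
            $this->Session->setFlash('Invalid id for ContributorRole');
            $this->redirect(array('action' => 'index'));   // redirect() exits in 1.2
        }
        if ($this->ContributorRole->delete($id)) {
            $this->Session->setFlash('Contributor role ' . $id . ' deleted');
        } else {
            $this->Session->setFlash('Could not delete contributor role ' . $id);
        }
        $this->redirect(array('action' => 'index'));
    }
}

// ---- views/contributor_roles/index.ctp (fragment; same assumptions) ----
// The delete control is a form, not a hyperlink: a crawler follows <a href>
// but does not submit forms, and a browser submits this one with POST.
foreach ($contributorRoles as $role) {
    $id = $role['ContributorRole']['id'];
    echo $form->create('ContributorRole', array('url' => array('action' => 'delete', $id)));
    echo $form->end('Delete ' . h($role['ContributorRole']['name']));
}
```

With the form in place a crawler never reaches the delete at all, and a direct request to the URL exits in the 405 branch before any model call. Accepting a real HTTP DELETE additionally needs the resource routes mapped (`Router::mapResources('contributor_roles')` in config/routes.php); when only POST is wanted, `$this->Security->requirePost('delete')` in beforeFilter is the framework-native way to get the same check. None of this replaces the authentication gate in AppController; it only removes the property that a plain link can change the database.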


Re: Google Bot deleting my database entries!

2009-10-26 Thread Miles J

It uses an HTTP authentication mechanism... you know, that thing that
happens when your browser prompts you for a login, when you go to
something restricted.



Re: Google Bot deleting my database entries!

2009-10-26 Thread audioworld

Thanks, Miles:
At the moment it is not completely clear to me how this is different
from my way of authentication,
but I will read and learn..

On 26 Okt., 22:50, Miles J  wrote:
> You should use HTTP authentication.
>
> http://book.cakephp.org/view/473/Basic-HTTP-Authentication



Re: Google Bot deleting my database entries!

2009-10-26 Thread audioworld

Thanks, Gonzalo:
I will add the 'exit()' function after the flash message, your thought
is very good and welcome!

Thanks also, Andras:
as a simple fix, I just erased the "delete" actions in all the
controllers for all the database tables,
and just left the "delete" action for the function admin_delete

this is not pretty, but it seems to close the most obvious
authentication problems...
I think I have to read the API documentation for authentication over
and over again...

Are there any pointers to an end-to-end explanation of a simple+secure
authentication?
I gathered my knowledge from little bits and pieces here and there,
and this is not enough it seems..

best regards,
karl.

On 26 Okt., 22:44, Andras Kende  wrote:
> Your add action has auth, but in your app_controller.php did you add
> any auth for the "delete" action too?
>
> http://doidata.net/contributor_roles/delete - Invalid id for
> ContributorRole: this is wide open...
>
> Andras



Re: Google Bot deleting my database entries!

2009-10-26 Thread Miles J

You should use HTTP authentication.

http://book.cakephp.org/view/473/Basic-HTTP-Authentication

On Oct 26, 2:44 pm, Andras Kende  wrote:
> Your add action has auth, but in your app_controller.php did you add
> any auth for the "delete" action too?
>
> http://doidata.net/contributor_roles/delete - Invalid id for
> ContributorRole: this is wide open...
>
> Andras

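HTTP authentication as Miles J suggests above, as an added example that is neither the code from the linked book page nor anything posted in this thread: an AppController whose beforeFilter challenges every non-whitelisted action with HTTP Basic, compares the supplied credentials in constant time, and stops the request on failure. The allowed-action list and the Configure keys Admin.Username / Admin.Password mirror what the original poster describes for config/core.php; the realm string and the helper method names are assumptions.

```php
<?php
// Added example, not from the thread or from the CakePHP book. Every action
// outside $allowedActions is protected with HTTP Basic authentication and the
// request is stopped before the action runs when credentials are missing or
// wrong. Configure keys Admin.Username / Admin.Password mirror the poster's
// config/core.php setup; the realm string is an assumption.
class AppController extends Controller {
    var $components = array('Session');
    var $allowedActions = array('index', 'view', 'doi_codes', 'display', 'owner', 'search');

    function beforeFilter() {
        if (in_array($this->action, $this->allowedActions)) {
            return;                                  // public, read-only action
        }
        $user = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
        $pass = isset($_SERVER['PHP_AUTH_PW'])   ? $_SERVER['PHP_AUTH_PW']   : '';
        if (!$this->_credentialsValid($user, $pass)) {
            $this->_challenge();                     // never returns
        }
        // Reaching this line means the admin is authenticated for this request.
    }

    // Issue the Basic challenge and stop. A crawler never sends credentials, so
    // a crawled /contributor_roles/delete/15 ends here with a 401 and no delete.
    function _challenge() {
        header('WWW-Authenticate: Basic realm="doidata admin"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authentication required.';
        exit;
    }

    function _credentialsValid($user, $pass) {
        $userOk = $this->_constantTimeEquals((string)Configure::read('Admin.Username'), $user);
        $passOk = $this->_constantTimeEquals((string)Configure::read('Admin.Password'), $pass);
        return $userOk && $passOk;                   // both compared; neither is skipped
    }

    // Byte-by-byte comparison whose running time does not depend on where the
    // first mismatch is; uses hash_equals() where PHP (>= 5.6) provides it.
    function _constantTimeEquals($known, $given) {
        if (function_exists('hash_equals')) {
            return hash_equals($known, $given);
        }
        if (strlen($known) !== strlen($given)) {
            return false;
        }
        $diff = 0;
        for ($i = 0, $n = strlen($known); $i < $n; $i++) {
            $diff |= ord($known[$i]) ^ ord($given[$i]);
        }
        return $diff === 0;
    }
}
```

Because the 401 branch exits, no protected action runs without credentials, which is exactly the property a check that only renders a message and returns does not give. Two deployment caveats: Basic sends the password base64-encoded on every request, so the admin area has to be served over HTTPS; and under CGI/FastCGI, PHP does not populate PHP_AUTH_USER / PHP_AUTH_PW unless the Authorization header is forwarded by a rewrite rule, which this example does not include.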


Re: Google Bot deleting my database entries!

2009-10-26 Thread Andras Kende


Your add action has auth, but in your app_controller.php did you add
any auth for the "delete" action too?

http://doidata.net/contributor_roles/delete - Invalid id for
ContributorRole: this is wide open...

Andras

On Oct 26, 2009, at 5:36 PM, audioworld wrote:

>
> Hello Andreas, thanks for checking,
>
> but as you can see from the app_controller above, I think I
> implemented the authentication properly.
> what you see at the link is just the "index" action, but when you
> click on an "add" action:
> http://doidata.net/contributor_roles/add
>
> there is the correct error message:
> "you are not allowed to access this page"
>
> so it is still unclear to me how the delete action can be used without
> authentication...





Re: Google Bot deleting my database entries!

2009-10-26 Thread Gonzalo Servat

On Tue, Oct 27, 2009 at 8:36 AM, audioworld  wrote:

>
> Hello Andreas, thanks for checking,
>
> but as you can see from the app_controller above, I think I
> implemented the authentication properly.
> what you see at the link is just the "index" action, but when you
> click on an "add" action:
> http://doidata.net/contributor_roles/add
>
> there is the correct error message:
> "you are not allowed to access this page"
>
> so it is still unclear to me how the delete action can be used without
> authentication...
>
>
When I go to http://doidata.net/contributor_roles/delete/999, it shows
the correct "Not Authorized" page and redirects me. It's possible that
while it does the redirect, the delete action still executes, as there
is no 'exit()' after the $this->flash() call. Try printing something in
the delete function of your contributor_roles controller and go to it
while not logged in. Does it print anything out? If so, then you're
displaying the flash message but it's still executing before the
redirect takes place.

- Gonzalo




Re: Google Bot deleting my database entries!

2009-10-26 Thread audioworld

Hello Andreas, thanks for checking,

but as you can see from the app_controller above, I think I
implemented the authentication properly.
what you see at the link is just the "index" action, but when you
click on an "add" action:
http://doidata.net/contributor_roles/add

there is the correct error message:
"you are not allowed to access this page"

so it is still unclear to me how the delete action can be used without
authentication...


On 26 Okt., 22:27, Andras Kende  wrote:
> Hello,
>
> Your site is not password protected, so the Google robot is just crawling
> through the delete links..
>
> http://doidata.net/contributor_roles/
>
> Andras



Re: Google Bot deleting my database entries!

2009-10-26 Thread Andras Kende


Hello,

Your site is not password protected, so the Google robot is just crawling
through the delete links..

http://doidata.net/contributor_roles/

Andras


On Oct 26, 2009, at 4:36 PM, audioworld wrote:

>
> I have a basic database management online at http://doidata.net
> The access to the admin section is secured with a simple
> authentication which is hardcoded in the file /config/core.php
> In theory, for someone without the admin cookie set, access to the
> routes
> ../resource/delete/ID
> should be blocked. However, when I try this URL in the browser, it
> really works WITHOUT authentication, and the database entry is
> deleted!!! This was demonstrated last night by Google Bot which seems
> to try out every possible route, and deleted most of my entries..
>
> here are some lines from the APACHE access log:
> 66.249.65.72 - - [24/Oct/2009:04:57:47 +0200] "GET /contributor_roles/delete/15 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
> 66.249.65.72 - - [24/Oct/2009:05:00:30 +0200] "GET /contributor_roles/delete/12 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
>
> I am very thankful for any help to lock up my database edit/delete
> access,
> thanks, karl.





Re: Google Bot deleting my database entries!

2009-10-26 Thread audioworld

yes I do, this is the code from app_controller.php:

class AppController extends Controller {
    var $components = array('Session');
    var $helpers = array('MyPaginate', 'Text');
    // read-only actions that may be called without the admin session flag
    var $allowedActions = array('index', 'view', 'doi_codes', 'display', 'owner', 'search');

    function beforeFilter() {
        # log in the admin: plain comparison against the credentials
        # hard-coded in config/core.php, result stored as a session flag
        if (isset($this->data['admin']['credentials'])) {
            if ($this->data['admin']['credentials'] == Configure::read('Admin.Username')
                && $this->data['admin']['pw'] == Configure::read('Admin.Password')) {
                $this->Session->write('admin', 1);
            } else {
                $this->Session->write('admin', 0);
            }
        }
        # or log him out!
        if (isset($this->data['admin']['logout']) && $this->data['admin']['logout']) {
            $this->Session->write('admin', 0);
            $this->redirect(array('controller' => 'pages', 'action' => 'index', 'admin' => false));
        }
        # deny anything outside the allowed list when not logged in as admin
        if (!$this->Session->read('admin')) {
            if (!in_array($this->action, $this->allowedActions)) {
                # flash() renders the message page but then returns, so the
                # requested action still runs after this branch
                $this->flash('You are not allowed to access this page', '/');
                //$this->redirect(array('controller'=>'pages','action'=>'display'));
            }
        }
        if ($this->action == 'admin_view') {
            $this->setAction('view', $this->params['pass']);
        } elseif ($this->action == 'admin_doi_codes') {
            $this->setAction('doi_codes', $this->params['pass']);
        }
    }
}


thanks for  the reply,
karl.


On 26 Okt., 21:49, Miles J  wrote:
> Are you applying the authorize login settings within the beforeFilter()?

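Gonzalo's diagnosis (the flash() call returns and the requested action keeps running) applied to the app_controller.php posted above, as an added example that is not the poster's own final code. It keeps the same session flag, allowedActions list, Configure keys and flash text; the login and logout logic is the posted one restated, and the one substantive change is that a denied request is terminated right after the message is rendered, so the delete action is never entered.

```php
<?php
// Added example: the beforeFilter() posted above with the control flow fixed.
// Same session flag, allowedActions list and Configure keys; the one change
// that matters is the exit after the denial message. Not the poster's own
// final code.
class AppController extends Controller {
    var $components = array('Session');
    var $helpers = array('MyPaginate', 'Text');
    var $allowedActions = array('index', 'view', 'doi_codes', 'display', 'owner', 'search');

    function beforeFilter() {
        // log in the admin (plain comparison against config/core.php values, as posted)
        if (isset($this->data['admin']['credentials'])) {
            $ok = ($this->data['admin']['credentials'] == Configure::read('Admin.Username')
                && $this->data['admin']['pw'] == Configure::read('Admin.Password'));
            $this->Session->write('admin', $ok ? 1 : 0);
        }
        // or log him out; redirect() exits, so nothing below runs for a logout
        if (!empty($this->data['admin']['logout'])) {
            $this->Session->write('admin', 0);
            $this->redirect(array('controller' => 'pages', 'action' => 'index', 'admin' => false));
        }
        // deny by default: anyone without the admin flag gets only the read-only list
        if (!$this->Session->read('admin') && !in_array($this->action, $this->allowedActions)) {
            $this->flash('You are not allowed to access this page', '/');
            // flash() only renders the message page with a refresh to '/' and
            // then returns; without the next line Cake goes on to dispatch the
            // requested action, delete included. Stop the request here.
            exit;
            // Equivalent alternative: $this->Session->setFlash(...); $this->redirect('/');
            // redirect() calls exit itself in CakePHP 1.2.
        }
        if ($this->action == 'admin_view') {
            $this->setAction('view', $this->params['pass']);
        } elseif ($this->action == 'admin_doi_codes') {
            $this->setAction('doi_codes', $this->params['pass']);
        }
    }
}
```

To confirm the fix the way Gonzalo suggests, put a `$this->log('delete reached')` (or a `die('reached')`) at the top of the delete action and request /contributor_roles/delete/999 while logged out: with the posted beforeFilter the line is hit, with this one it is not. The poster's stop-gap of removing the public delete actions and keeping only admin_delete also shrinks the attack surface, but the stop after the denial is what makes the allowedActions check actually enforce anything.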


Re: Google Bot deleting my database entries!

2009-10-26 Thread Miles J

Are you applying the authorize login settings within the beforeFilter()?

On Oct 26, 1:36 pm, audioworld  wrote:
> I have a basic database management online at http://doidata.net
> The access to the admin section is secured with a simple
> authentication which is hardcoded in the file /config/core.php
> In theory, for someone without the admin cookie set, access to the
> routes
> ../resource/delete/ID
> should be blocked. However, when I try this URL in the browser, it
> really works WITHOUT authentication, and the database entry is
> deleted!!! This was demonstrated last night by Google Bot which seems
> to try out every possible route, and deleted most of my entries..
>
> here are some lines from the APACHE access log:
> 66.249.65.72 - - [24/Oct/2009:04:57:47 +0200] "GET /contributor_roles/delete/15 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
> 66.249.65.72 - - [24/Oct/2009:05:00:30 +0200] "GET /contributor_roles/delete/12 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
>
> I am very thankful for any help to lock up my database edit/delete
> access,
> thanks, karl.



Google Bot deleting my database entries!

2009-10-26 Thread audioworld

I have a basic database management online at http://doidata.net
The access to the admin section is secured with a simple
authentication which is hardcoded in the file /config/core.php
In theory, for someone without the admin cookie set, access to the
routes
../resource/delete/ID
should be blocked. However, when I try this URL in the browser, it
really works WITHOUT authentication, and the database entry is
deleted!!! This was demonstrated last night by Google Bot which seems
to try out every possible route, and deleted most of my entries..

here are some lines from the APACHE access log:
66.249.65.72 - - [24/Oct/2009:04:57:47 +0200] "GET /contributor_roles/delete/15 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.72 - - [24/Oct/2009:05:00:30 +0200] "GET /contributor_roles/delete/12 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

I am very thankful for any help to lock up my database edit/delete
access,
thanks, karl.