Re: Google Bot deleting my database entries!
In fact, if you follow the REST principles, you must send a DELETE request to delete a database entry. In this case, POST can be used to add records in database and GET to list one/some of them.

On Oct 26, 9:35 pm, euromark (munich) <dereurom...@googlemail.com> wrote:
> you are violating protocol
> never allow GET requests to change database
> no edit, no add, no delete if you (or a bot) access an url
> always use POST for those actions!
> then this won't happen
>
> besides this, the above solutions could be working work-arounds

--~--~-~--~~~---~--~~
You received this message because you are subscribed to the Google Groups CakePHP group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~--~~~~--~~--~--~---
Google Bot deleting my database entries!
I have a basic database management online at http://doidata.net

The access to the admin section is secured with a simple authentication which is hardcoded in the file /config/core.php

In theory, when someone without the admin cookie set, access to the routes ../resource/delete/ID should be blocked. However, when I try this URL in the browser, it really works WITHOUT authentication, and the database entry is deleted!!!

This was demonstrated last night by Google Bot which seems to try out every possible route, and deleted most of my entries..

here are some lines from the APACHE access log:

66.249.65.72 - - [24/Oct/2009:04:57:47 +0200] GET /contributor_roles/delete/15 HTTP/1.1 200 604 - Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
66.249.65.72 - - [24/Oct/2009:05:00:30 +0200] GET /contributor_roles/delete/12 HTTP/1.1 200 604 - Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

I am very thankful for any help to lock up my database edit/delete access,
thanks, karl.
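
A way to audit an access log for the pattern shown in the post above, GET requests that reach a delete route and are not refused. This is an added example, not code from the thread; the log lines are constructed samples in Apache combined format, and `findUnsafeReads()` and its default action list are hypothetical names to adapt to your own routes.

```php
<?php
// Constructed sample lines (Apache "combined" format), modelled on the post.
$sampleLog = <<<'LOG'
192.0.2.10 - - [24/Oct/2009:04:57:47 +0200] "GET /contributor_roles/delete/15 HTTP/1.1" 200 604 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
192.0.2.10 - - [24/Oct/2009:04:58:02 +0200] "GET /contributor_roles/view/15 HTTP/1.1" 200 1811 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
198.51.100.7 - - [24/Oct/2009:09:12:40 +0200] "POST /contributor_roles/delete/12 HTTP/1.1" 302 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [24/Oct/2009:09:13:05 +0200] "GET /contributor_roles/delete/999 HTTP/1.1" 403 212 "-" "Mozilla/5.0 (X11; Linux x86_64)"
LOG;

// Return every GET/HEAD request whose path contains a state-changing action.
// $unsafeActions is an assumption: list the actions that must never run on GET.
function findUnsafeReads($logText, array $unsafeActions = array('delete'))
{
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+) [^"]*" (\d{3}) /';
    $findings = array();
    foreach (preg_split('/\R/', trim($logText)) as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // skip lines that are not in the expected format
        }
        list(, $ip, $time, $method, $target, $status) = $m;
        if ($method !== 'GET' && $method !== 'HEAD') {
            continue; // only "safe" methods are of interest here
        }
        $path = (string) parse_url($target, PHP_URL_PATH);
        $segments = array_filter(explode('/', $path), 'strlen');
        if (!array_intersect($segments, $unsafeActions)) {
            continue; // no state-changing action in this path
        }
        // The user agent is the last quoted field. It is self-reported,
        // so it is a hint about the client, not proof of identity.
        $agent = preg_match('/"([^"]*)"\s*$/', $line, $ua) ? $ua[1] : '';
        $findings[] = array(
            'time'    => $time,
            'ip'      => $ip,
            'path'    => $path,
            'status'  => (int) $status,
            // Below 400 the server did not refuse the request: review these.
            'served'  => (int) $status < 400,
            'crawler' => (bool) preg_match('/bot|crawl|spider/i', $agent),
        );
    }
    return $findings;
}

foreach (findUnsafeReads($sampleLog) as $f) {
    printf(
        "%s  %s  %s  status=%d  %s%s\n",
        $f['time'],
        $f['ip'],
        $f['path'],
        $f['status'],
        $f['served'] ? 'SERVED' : 'refused',
        $f['crawler'] ? '  (crawler UA)' : ''
    );
}
```

A served hit means the request was not refused; whether the row was actually removed still has to be confirmed against the database.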
Re: Google Bot deleting my database entries!
Are you applying the authorize login settings within the beforeFilter()?

On Oct 26, 1:36 pm, audioworld <audiowo...@gmail.com> wrote:
> I have a basic database management online at http://doidata.net
>
> The access to the admin section is secured with a simple authentication which is hardcoded in the file /config/core.php
>
> In theory, when someone without the admin cookie set, access to the routes ../resource/delete/ID should be blocked. However, when I try this URL in the browser, it really works WITHOUT authentication, and the database entry is deleted!!!
>
> This was demonstrated last night by Google Bot which seems to try out every possible route, and deleted most of my entries..
>
> here are some lines from the APACHE access log:
>
> 66.249.65.72 - - [24/Oct/2009:04:57:47 +0200] GET /contributor_roles/delete/15 HTTP/1.1 200 604 - Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
> 66.249.65.72 - - [24/Oct/2009:05:00:30 +0200] GET /contributor_roles/delete/12 HTTP/1.1 200 604 - Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
>
> I am very thankful for any help to lock up my database edit/delete access,
> thanks, karl.
Re: Google Bot deleting my database entries!
yes I do, this is the code from app_controller.php:

    class AppController extends Controller {
        var $components = array('Session');
        var $helpers = array('MyPaginate', 'Text');
        # actions that are reachable without the admin session flag
        var $allowedActions = array('index', 'view', 'doi_codes', 'display', 'owner', 'search');

        function beforeFilter() {
            # log in the admin
            if (isset($this->data['admin']['credentials']))
                if ($this->data['admin']['credentials'] == Configure::read('Admin.Username')
                    && $this->data['admin']['pw'] == Configure::read('Admin.Password'))
                    $this->Session->write('admin', 1);
                else
                    $this->Session->write('admin', 0);

            # or log him out!
            if (isset($this->data['admin']['logout']) && $this->data['admin']['logout']) {
                $this->Session->write('admin', 0);
                $this->redirect(array('controller' => 'pages', 'action' => 'index', 'admin' => false));
            }

            # show a message when a non-admin requests any other action
            if (!$this->Session->read('admin'))
                if (!in_array($this->action, $this->allowedActions)) {
                    $this->flash('You are not allowed to access this page', '/');
                    //$this->redirect(array('controller' => 'pages', 'action' => 'display'));
                }

            # map the admin_ prefixed actions onto the public ones
            if ($this->action == 'admin_view')
                $this->setAction('view', $this->params['pass']);
            elseif ($this->action == 'admin_doi_codes')
                $this->setAction('doi_codes', $this->params['pass']);
        }
    }

thanks for the reply, karl.

On 26 Oct., 21:49, Miles J <mileswjohn...@gmail.com> wrote:
> Are you applying the authorize login settings within the beforeFilter()?
Re: Google Bot deleting my database entries!
Hello,

Your site is not password protected, so the Google robot is just crawling through the delete links..

http://doidata.net/contributor_roles/

Andras

On Oct 26, 2009, at 4:36 PM, audioworld wrote:
> I have a basic database management online at http://doidata.net
>
> The access to the admin section is secured with a simple authentication which is hardcoded in the file /config/core.php
>
> In theory, when someone without the admin cookie set, access to the routes ../resource/delete/ID should be blocked. However, when I try this URL in the browser, it really works WITHOUT authentication, and the database entry is deleted!!!
>
> This was demonstrated last night by Google Bot which seems to try out every possible route, and deleted most of my entries..
>
> here are some lines from the APACHE access log:
>
> 66.249.65.72 - - [24/Oct/2009:04:57:47 +0200] GET /contributor_roles/delete/15 HTTP/1.1 200 604 - Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
> 66.249.65.72 - - [24/Oct/2009:05:00:30 +0200] GET /contributor_roles/delete/12 HTTP/1.1 200 604 - Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
>
> I am very thankful for any help to lock up my database edit/delete access,
> thanks, karl.
Re: Google Bot deleting my database entries!
Hello Andreas,

thanks for checking, but as you can see from the app_controller above, I think I implemented the authentication properly.

what you see at the link is just the index action, but when you click on an add action:

http://doidata.net/contributor_roles/add

there is the correct error message: you are not allowed to access this page

so it is still unclear to me how the delete action can be used without authentication...

On 26 Oct., 22:27, Andras Kende <and...@kende.com> wrote:
> Hello,
>
> Your site is not password protected, so the Google robot is just crawling through the delete links..
>
> http://doidata.net/contributor_roles/
>
> Andras
Re: Google Bot deleting my database entries!
On Tue, Oct 27, 2009 at 8:36 AM, audioworld <audiowo...@gmail.com> wrote:
> Hello Andreas,
>
> thanks for checking, but as you can see from the app_controller above, I think I implemented the authentication properly.
>
> what you see at the link is just the index action, but when you click on an add action:
>
> http://doidata.net/contributor_roles/add
>
> there is the correct error message: you are not allowed to access this page
>
> so it is still unclear to me how the delete action can be used without authentication...

When I go to http://doidata.net/contributor_roles/delete/999, it shows the correct Not Authorized page and redirects me. It's possible that while it does the redirect, the delete action still executes as there is no 'exit()' after the $this->flash() call.

Try printing something in the delete function of your contributor_roles controller and go to it while not logged in. Does it print anything out? If so, then you're displaying the flash message but it's still executing before the redirect takes place.

- Gonzalo
Re: Google Bot deleting my database entries!
Your add action has auth, but in your app_controller.php did you add any auth for the delete action too?

http://doidata.net/contributor_roles/delete - "Invalid id for ContributorRole": this is wide open...

Andras

On Oct 26, 2009, at 5:36 PM, audioworld wrote:
> Hello Andreas,
>
> thanks for checking, but as you can see from the app_controller above, I think I implemented the authentication properly.
>
> what you see at the link is just the index action, but when you click on an add action:
>
> http://doidata.net/contributor_roles/add
>
> there is the correct error message: you are not allowed to access this page
>
> so it is still unclear to me how the delete action can be used without authentication...
Re: Google Bot deleting my database entries!
You should use HTTP authentication.

http://book.cakephp.org/view/473/Basic-HTTP-Authentication

On Oct 26, 2:44 pm, Andras Kende <and...@kende.com> wrote:
> Your add action has auth, but in your app_controller.php did you add any auth for the delete action too?
>
> http://doidata.net/contributor_roles/delete - "Invalid id for ContributorRole": this is wide open...
>
> Andras
Re: Google Bot deleting my database entries!
Thanks, Gonzalo: I will add the 'exit()' function after the flash message, your thought is very good and welcome!

Thanks also, Andras: as a simple fix, I just erased the delete actions in all the controllers for all the database tables, and just left the delete action for the function admin_delete

this is not pretty, but it seems to close the most obvious authentication problems...

I think I have to read the API documentation for authentication over and over again... Are there any pointers to an end-to-end explanation for a simple+secure authentication? I gathered my knowledge from little bits and pieces here and there, and this is not enough it seems..

best regards, karl.

On 26 Oct., 22:44, Andras Kende <and...@kende.com> wrote:
> Your add action has auth, but in your app_controller.php did you add any auth for the delete action too?
>
> http://doidata.net/contributor_roles/delete - "Invalid id for ContributorRole": this is wide open...
>
> Andras
Re: Google Bot deleting my database entries!
Thanks, Miles: At the moment it is not completely clear to me how this is different from my way of authentication, but I will read and learn..

On 26 Oct., 22:50, Miles J <mileswjohn...@gmail.com> wrote:
> You should use HTTP authentication.
>
> http://book.cakephp.org/view/473/Basic-HTTP-Authentication
Re: Google Bot deleting my database entries!
It uses an HTTP authentication mechanism... you know, that thing that happens when your browser prompts you for a login, when you go to something restricted.
Re: Google Bot deleting my database entries!
you are violating protocol
never allow GET requests to change database
no edit, no add, no delete if you (or a bot) access an url
always use POST for those actions!
then this won't happen

besides this, the above solutions could be working work-arounds

On 27 Oct., 00:15, Miles J <mileswjohn...@gmail.com> wrote:
> It uses an HTTP authentication mechanism... you know, that thing that happens when your browser prompts you for a login, when you go to something restricted.
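
The failure mode Gonzalo describes (a filter that reports "not allowed" but lets the action run) and the method rule from the replies about POST and DELETE, modelled side by side in plain PHP as an added example. It is not CakePHP code and not code from the thread; `GuardedController`, `dispatch()` and the sample rows are hypothetical.

```php
<?php
// Plain-PHP model of a filter-then-action dispatcher (hypothetical names).
class AccessDenied extends Exception {}

class GuardedController
{
    public $rows = array(12 => 'editor', 15 => 'translator'); // constructed sample data
    public $messages = array();
    private $publicActions = array('index', 'view');
    private $unsafeActions = array('add', 'edit', 'delete');
    private $writeMethods = array('POST', 'DELETE');

    // Weak filter: records a "not allowed" message and then simply returns,
    // so the dispatcher goes on to call the requested action anyway.
    public function weakFilter($action, $isAdmin)
    {
        if (!$isAdmin && !in_array($action, $this->publicActions, true)) {
            $this->messages[] = 'You are not allowed to access this page';
        }
    }

    // Strict filter: a denied request never reaches the action, and
    // state-changing actions are refused on GET even for a logged-in admin.
    public function strictFilter($action, $isAdmin, $method)
    {
        if (!$isAdmin && !in_array($action, $this->publicActions, true)) {
            throw new AccessDenied('403 Forbidden');
        }
        if (in_array($action, $this->unsafeActions, true)
            && !in_array($method, $this->writeMethods, true)) {
            throw new AccessDenied('405 Method Not Allowed');
        }
    }

    public function delete($id)
    {
        unset($this->rows[$id]);
    }
}

// Minimal dispatcher: run the chosen filter, then the action.
function dispatch(GuardedController $c, $filter, $method, $action, $id, $isAdmin)
{
    try {
        if ($filter === 'weak') {
            $c->weakFilter($action, $isAdmin);
        } else {
            $c->strictFilter($action, $isAdmin, $method);
        }
        $c->$action($id);
        return '200 OK';
    } catch (AccessDenied $e) {
        return $e->getMessage();
    }
}

// Anonymous GET against the weak filter: the message is recorded, the row is deleted.
$weak = new GuardedController();
echo dispatch($weak, 'weak', 'GET', 'delete', 15, false),
    ' | rows left: ', count($weak->rows), "\n";

// The same request against the strict filter is refused before the action runs.
$strict = new GuardedController();
echo dispatch($strict, 'strict', 'GET', 'delete', 15, false),
    ' | rows left: ', count($strict->rows), "\n";

// A logged-in admin following a plain link (GET) is refused as well.
echo dispatch($strict, 'strict', 'GET', 'delete', 15, true),
    ' | rows left: ', count($strict->rows), "\n";

// Only an authenticated POST removes the row.
echo dispatch($strict, 'strict', 'POST', 'delete', 15, true),
    ' | rows left: ', count($strict->rows), "\n";
```

The two checks are independent: halting on denial stops anonymous clients, while the method check keeps crawlers and link prefetchers from triggering a delete through an admin's session.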