I've read somewhere about Googlebot deleting data out of people's databases due to very poor security and using GETs in hyperlinks for database administration.
In my early telerobotics site I used GET vars in hyperlinks for controlling my robots, and I was finding that Googlebot was taking control of my toys - kind of cool and insecure at the same time. Perhaps that is what happened to Jeffrey on the new 2degrees ad with Rhys Darby. "That's an error!"

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Chris Burgess
Sent: Wednesday, 15 July 2009 11:11 a.m.
To: NZ PHP Users Group
Subject: [phpug] GET/POST and safety first

Yesterday I noticed that one of my customer's DNS control panels had GET links which would allow deletion of a DNS entry.

Link prefetching and tools like Google Web Accelerator (where did that go?) caused a bunch of fuss in 2005 or so when they would tap every GET URL onscreen to "speed up" your web experience. Around that time, most folks who didn't already know why GET should be safe learned pretty fast.

Seeing the same mistake today got me thinking, because I know why GET URIs should be safe (not change data, OK to fire repeatedly, idempotent if you like long words) and any request which does make a change in the backend system should be POST (or perhaps another request type which is not defined as safe).

http://en.wikipedia.org/wiki/Hypertext_Transfer_Protocol#Safe_methods

But we still see a lot of cases where the vote up / down links and other not-so-critical in web apps are GET. It's just easier, right? Even though it's not The Right Thing to do, it gets done sometimes.

Where do you draw the line? What's the best example you've seen of where a GET request not being safe bit back?

Mine: A customer, about to relocate hosting, decided to copy the data in their admin interface out using a web scraper. The admin interface, written in 1999 or so, used GET to delete records. The scraper did just that in a matter of minutes.
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to [email protected]
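The scraper scenario from the thread, as an added example (not code from either poster): a toy admin page whose delete links are GET, a hardened variant that only changes state on a POST carrying a form token, and a link-following crawler run against both. Handler names, the record data and the token handling are all hypothetical.

```python
"""Why a record-deleting GET link gets "clicked" by crawlers, prefetchers and scrapers.

unsafe_app: deletes a DNS record on GET /delete?id=N (the 1999-style admin UI).
safe_app:   only deletes on POST /delete with a per-session form token.
crawl():    fetches the index and then GETs every href it finds, as a scraper does.
"""
import re
import secrets
from urllib.parse import parse_qs, urlparse


def make_db():
    # Constructed sample records (hypothetical zone data, not from the post).
    return {1: "www A 192.0.2.10", 2: "mail A 192.0.2.20", 3: "ftp CNAME www"}


def index_html(db):
    # Admin listing with one delete hyperlink per record.
    rows = "".join(f'<li>{v} <a href="/delete?id={k}">delete</a></li>' for k, v in db.items())
    return f"<ul>{rows}</ul>"


def unsafe_app(db, method, url, body=None, token=None):
    """Vulnerable handler: any GET to /delete?id=N deletes. Returns (status, body)."""
    parsed = urlparse(url)
    if parsed.path == "/delete":
        db.pop(int(parse_qs(parsed.query)["id"][0]), None)
        return 200, "deleted"
    return 200, index_html(db)


def safe_app(db, method, url, body=None, token=None):
    """Hardened handler: state changes only on POST with the session's form token."""
    if urlparse(url).path == "/delete":
        if method != "POST":  # GET is a safe method: refuse to act on it
            return 405, "Method Not Allowed; Allow: POST"
        form = parse_qs(body or "")
        sent = form.get("token", [""])[0]
        if not token or not secrets.compare_digest(sent, token):  # constant-time compare
            return 403, "bad or missing form token"
        db.pop(int(form["id"][0]), None)
        return 200, "deleted"
    return 200, index_html(db)


def crawl(app, db):
    """Follow every link on the index with GET; return how many records survive."""
    _, html = app(db, "GET", "/")
    for href in re.findall(r'href="([^"]+)"', html):
        app(db, "GET", href)
    return len(db)
```

Against `unsafe_app` the crawler empties the database in one pass; against `safe_app` every delete link answers 405 and nothing changes.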
