Professional Web Applications Themes

submitted for your amusement... - PHP Development

  1. #1

    submitted for your amusement...

    Hi,

    Thought you might get a kick out of this. It happened a few days ago.

    A couple years ago I set up a small database to hold the Portfolio information
    (we're an ad agency) of the company I work for. It had categories like Posters,
    Billboards, Logos, Jingles, etc. and examples of each. The PHP/MySQL backend
    fed the info to a Flash file, which displayed the text, graphics and
    multimedia.

    I was quite a bit less experienced then than I am now and decided not to
    password protect the directory I use to administer the database until the
    development was finished. There was no real data in it yet, so why bother?
    Needless to say, I forgot to password protect it, even after I entered the live
    data.

    Skip ahead to last week.

    My boss asked me to look at the Portfolio. It seems he was demonstrating it to
    a client and it was empty. Checking the DB from the command line, I realized
    all the data was gone. "Someone hacked the site!", was my first thought, but I
    quickly re-discovered that there was no password protection and my heart sank.
    "They just guessed at the URL and deleted everything", was my next thought. But
    I thought it weird that they'd delete everything, but not add a category like
    "Windoze sux0rs!" or something equally witty. I checked the logs, vowing to
    make the s pay. I found they did it about 2 weeks previous and noted
    their IP. I also noticed their browser was "ia_archiver", which rang a bell but
    I couldn't quite figure out where I knew that name. On to ARIN to look up who
    the IP belongs to... Answer: Alexa Internet. "Alexa" sounded familiar too.
    They make the toolbar I use to help track our sites' popularity. I wondered if
    they were also an ISP. Probably not, they didn't have many IP addresses.

    Then it hit me: the Alexa toolbar sends to Alexa the pages you visit. An Alexa
    bot then crawls the sites you visit and ranks them. The "delete" button on the
    portfolio script was a simple link, with only a Javascript confirmation (I'm the
    only one who updates the portfolio, so why bother with real buttons and a real
    confirmation screen?). So no JS means no confirmation. The Alexa bot crawled
    the site and deleted every damn record and I was the one who not only left the
    door open, but showed it where it was...

    Happy Ending: our hosting company had backup tapes. They sent me the files, I
    installed them and everything's back up and running.

    Oh, and I set up password protection :o)

    Shawn
    --
    Shawn Wilson
    [email]shawnglassgiant.com[/email]
    [url]http://www.glassgiant.com[/url]
    Shawn Wilson Guest

  2. #2

    Re: submitted for your amusement...

    "Shawn Wilson" <shawnglassgiant.com> wrote in message
    news:3F69FC97.F037610Dglassgiant.com...
    > Happy Ending: our hosting company had backup tapes. They sent me the files, I
    > installed them and everything's back up and running.
    well, if there were no tapes, maybe you would find your pages in Alexa
    internet archive, I mean Alexa bot collected them for that purpose ;>>

    rush
    --
    [url]http://www.templatetamer.com/[/url]
    rush Guest

  3. #3

    Re: submitted for your amusement...

    He means his MySQL database content, and this can't be archived by a bot.


    "rush" <piparush.avalon.hr> wrote in message
    news:bkcv55$fik$1ls219.htnet.hr...
    > "Shawn Wilson" <shawnglassgiant.com> wrote in message
    > news:3F69FC97.F037610Dglassgiant.com...
    > > Happy Ending: our hosting company had backup tapes. They sent me the files, I
    > > installed them and everything's back up and running.
    >
    > well, if there were no tapes, maybe you would find your pages in Alexa
    > internet archive, I mean Alexa bot collected them for that purpose ;>>
    >
    > rush
    > --
    > [url]http://www.templatetamer.com/[/url]
    >
    >
    >

    Savut Guest

  4. #4

    Re: submitted for your amusement...

    On Thu, 18 Sep 2003 15:42:31 -0300, Shawn Wilson <shawnglassgiant.com> wrote:
    >Then it hit me: the Alexa toolbar sends to Alexa the pages you visit. An Alexa
    >bot then crawls the sites you visit and ranks them. The "delete" button on the
    >portfolio script was a simple link, with only a Javascript confirmation (I'm the
    >only one who updates the portfolio, so why bother with real buttons and a real
    >confirmation screen?). So no JS means no confirmation. The Alexa bot crawled
    >the site and deleted every damn record and I was the one who not only left the
    >door open, but showed it where it was...
    Heh - ouch.

    This is covered in the HTML specification of course :-)

    [url]http://www.w3.org/TR/html4/interact/forms.html#submit-format[/url]

    "The "get" method should be used when the form is idempotent (i.e., causes no
    side-effects). Many database searches have no visible side-effects and make
    ideal applications for the "get" method.

    If the service associated with the processing of a form causes side effects
    (for example, if the form modifies a database or subscription to a service),
    the "post" method should be used."

    It's also why I'm hesitating running any sort of search engine on the intranet
    at work!

    --
    Andy Hassall (andyandyh.co.uk) icq(5747695) ([url]http://www.andyh.co.uk[/url])
    Space: disk usage analysis tool ([url]http://www.andyhsoftware.co.uk/space[/url])
    Andy Hassall Guest
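    As an added example (not the original poster's code, nor Andy's), here is the delete action rebuilt to honour the rule Andy quotes: the state-changing request must be a POST from an authenticated admin carrying a per-session token, while the commented "before" line shows the GET link a crawler would happily follow. It assumes modern PHP (7+), a PDO connection, and a `portfolio` table with an integer `id` column; none of these names are given in the thread.

```php
<?php
// --- BEFORE (what the thread describes; do not deploy) ---
// <a href="delete.php?id=7" onclick="return confirm('Sure?')">Delete</a>
// if (isset($_GET['id'])) { mysql_query("DELETE FROM portfolio WHERE id=" . (int)$_GET['id']); }
// A crawler fetches the href, never runs confirm(), and the row is gone.

// --- AFTER: the delete is a POST, authenticated, token-bound, parameterised ---
session_start();

// Emit the form an admin clicks. A form with method="post" is not a link,
// so spiders that only follow hrefs never trigger it; the hidden token ties
// the submission to this admin's session.
function renderDeleteForm(int $id): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    $token = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="delete.php">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<button type="submit">Delete</button></form>';
}

// Handle delete.php. Each check is independent; failing any one stops here.
function handleDelete(PDO $db): void
{
    // 1. Only a logged-in admin (the admin directory should be protected too,
    //    which is the fix Shawn applied at the end of the thread).
    if (empty($_SESSION['admin_id'])) {
        http_response_code(403); exit('Forbidden');
    }
    // 2. Refuse GET outright: per the HTML spec quoted above, GET is for
    //    idempotent requests with no side effects.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405); header('Allow: POST'); exit('Method Not Allowed');
    }
    // 3. Constant-time token comparison rejects forged cross-site POSTs.
    if (!hash_equals($_SESSION['csrf_token'] ?? '', $_POST['csrf_token'] ?? '')) {
        http_response_code(403); exit('Bad token');
    }
    // 4. Validate the id and bind it; no string concatenation into SQL.
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400); exit('Bad id');
    }
    $stmt = $db->prepare('DELETE FROM portfolio WHERE id = :id');
    $stmt->execute([':id' => $id]);
}
```

Refusing GET (step 2) is what would have saved the data in this thread; steps 1 and 3 close the related hole where something other than a crawler submits the request.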

  5. #5

    Re: submitted for your amusement...

    "Savut" <webkihotmail.com> wrote in message
    news:Msnab.7707$BT1.354429news20.bellglobal.com...
    > He means his MySQL database content, and this can't be archived by a bot.
    I understood that, I just made a joke. (as indicated by the smiley at the end)

    rush
    --
    [url]http://www.templatetamer.com/[/url]
    rush Guest

  6. #6

    Re: submitted for your amusement...

    Andy Hassall wrote:
    >
    > On Thu, 18 Sep 2003 15:42:31 -0300, Shawn Wilson <shawnglassgiant.com> wrote:
    >
    > >Then it hit me: the Alexa toolbar sends to Alexa the pages you visit. An Alexa
    > >bot then crawls the sites you visit and ranks them. The "delete" button on the
    > >portfolio script was a simple link, with only a Javascript confirmation (I'm the
    > >only one who updates the portfolio, so why bother with real buttons and a real
    > >confirmation screen?). So no JS means no confirmation. The Alexa bot crawled
    > >the site and deleted every damn record and I was the one who not only left the
    > >door open, but showed it where it was...
    >
    > Heh - ouch.
    >
    > This is covered in the HTML specification of course :-)
    >
    > [url]http://www.w3.org/TR/html4/interact/forms.html#submit-format[/url]
    >
    > "The "get" method should be used when the form is idempotent (i.e., causes no
    > side-effects). Many database searches have no visible side-effects and make
    > ideal applications for the "get" method.
    I realize that now. Like I said, I did this a while ago. I didn't see the harm
    at the time. I do now.

    I read and I forget.
    I see and I remember.
    I do and I understand.

    Shawn
    --
    Shawn Wilson
    [email]shawnglassgiant.com[/email]
    [url]http://www.glassgiant.com[/url]
    Shawn Wilson Guest
