30 Jul 2002, 8:18 a.m.
"DN" == Dale Newfield <Dale@Newfield.org> writes:
DN> On Tue, 30 Jul 2002, Chuq Von Rospach wrote:
>> What got in was -- htDig, the search engine. Which happily
>> follows all links, including, if you let it spider phpMyAdmin,
>> the "delete this database" links. Including the database
>> holding all of the MySQL configuration and account info. Which
>> causes MySQL to die. Which...
DN> I've thought for a while that phpMyAdmin was making a mistake
DN> with GET links for all those actions--they should be POST
DN> buttons, and spiders would not be able to do this.
We had this discussion a while back w.r.t. Mailman's web confirmation pages. It was pointed out (forcefully ;) that GETs shouldn't have side effects, and should be reproducible, so the web confirmations were turned into POSTs. Sounds like phpMyAdmin is violating the conventions.
As an added precaution, for non-undoable actions like deleting a list, Mailman requires the list admin password, even though it knows you're authenticated.
-Barry
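Added illustration of the convention discussed above (example code, not Mailman's, phpMyAdmin's or htDig's own): a toy in-memory admin app that handles a "delete this database" action both ways. The class name `AdminApp`, the `crawl` helper, the sample database names and the password are assumptions made up for the example.

```python
# Added example (not Mailman's or phpMyAdmin's code): a tiny in-memory
# "admin" app that handles a destructive action two ways. With safe_mode
# off, a plain GET link deletes the database, which is what lets a spider
# wreck things. With safe_mode on, GET only renders a form (no side
# effect, reproducible), POST does the work, and because the action cannot
# be undone the admin password is required again, as Mailman does.
import hmac

class AdminApp:
    def __init__(self, admin_password, safe_mode=True):
        self.databases = {"customers", "orders", "mysql"}  # constructed sample
        self._password = admin_password
        self.safe_mode = safe_mode  # False reproduces the GET-with-side-effects design

    def links(self):
        """Links a crawler would discover on the index page."""
        return [f"/db/{name}/delete" for name in sorted(self.databases)]

    def handle(self, method, path, form=None):
        """Return (status, body). In safe mode only POST may change state."""
        form = form or {}
        parts = path.strip("/").split("/")
        if len(parts) != 3 or parts[0] != "db" or parts[2] != "delete":
            return 404, "not found"
        name = parts[1]
        if name not in self.databases:
            return 404, "no such database"
        if method == "GET":
            if not self.safe_mode:
                self.databases.discard(name)  # side effect on GET: the bug
                return 200, f"deleted {name}"
            # Safe variant: GET is read-only and just renders the confirmation
            # form that the user must submit with POST.
            return 200, (f'<form method="POST" action="{path}">'
                         '<input type="password" name="adminpw"></form>')
        if method == "POST":
            # Extra precaution for a non-undoable action: re-check the admin
            # password even though the session is already authenticated.
            if not hmac.compare_digest(form.get("adminpw", ""), self._password):
                return 403, "admin password required"
            self.databases.discard(name)
            return 200, f"deleted {name}"
        return 405, "method not allowed"

def crawl(app):
    """Simulate a spider that follows every discovered link with plain GETs."""
    for link in app.links():
        app.handle("GET", link)
    return sorted(app.databases)
```

Running `crawl` against the unsafe app empties it; against the safe app nothing changes, and a delete only succeeds as a POST carrying the correct password.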