On Fri, 2006-04-21 at 17:59, Nicolas Verhaeghe wrote:
> [snip]
>
> Some guys are shaking their heads in denial on this, but I swear to god, I
> have seen it. I am not making this [bleep] up. Credit card numbers have
> been sitting for YEARS in some boutique home-rolled shopping cart system
> MySQL database with the oh-so-clever username/password of nobody/nobody or
> www/www
>
> [/snip]
>
> ----------------------------
>
> I know what you are talking about, I have seen that type of tables with
> literally thousands of CC numbers collected over the years, along with name
> on the card and expiry, of course.
>
> As a programmer it is your duty to report this to your client and to keep
> track, because if one day someone resells this list, you could be liable.

*hahah* I've seen it too, in the database, and then the guy also had a
debug log that wrote the data to the log file. Bigger problem was that
the log file was xwrxwrxwr right smack in request land with no access
restrictions :/ He never turned the debug log off.

Cheers,
Rob.

--
PHP General Mailing List (http://www.php.net/)