RE: SQL injection

Thank you all for your replies; it has been interesting to read. I am just
waiting for the webmaster to reply to me with his thoughts.

My intentions for this were to help, not to break, so I do indeed hope that
they will not take legal action for it. A friend of mine hoped that they
would use the law against me; it would just increase the publicity for me,
and that might increase the value of my services. And he was also sure that
they would never win the case.

I was for a while thinking about using my "private" yahoo email to not
disclose my name, however, that felt like "hiding for something you did not
do".

One at the forum sent me a message off the list and said: "You got bigger
balls than me. :-)". What did he mean by that? I did not know that the php
list also shows the web cam at the same time. "I better watch out"...

Best regards,
Peter Lauri




-----Original Message-----
From: Peter Lauri [mailto:lists@xxxxxxxxxxx] 
Sent: Wednesday, August 02, 2006 11:17 PM
To: php-general@xxxxxxxxxxxxx
Subject:  SQL injection

Hi all,

I saw some strange error messages from a site when I was surfing it, and it
was in the form of SQL. I did some testing of the security of the SQL injection
protection of that site, and it showed it was not that protected against SQL
injections. To show this to them, I deleted my own record in their database
after finding out the table name of the "entity" in the database. I also
found out a lot of other table names that I think are important.

What I did to them was to report this to them, and inform them about the
damage I created, and what could have been done. (I did DELETE FROM
tablename WHERE id=1234; what if I did DELETE FROM tablename? Destruction if
no backup.) This is a large "athletic site" in Sweden, with more than
100,000 daily visitors.

What I am a little bit worried about is the legal part of this; can I be
accused of breaking some laws? I was just doing it to check if they were
protected, and I informed them about my process etc. I only deleted my
record, no one else's. In Sweden it might have been called "computer
break-in", but I am not sure.

Anyone with experience of a similar thing?

Best regards,

Peter Lauri

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php