Peter Lauri wrote:
> Thank you all for your replies; it has been interesting to read. I am just
> waiting for the webmaster to reply to me with his thoughts.
>
> My intentions for this were to help, not to break, so I do indeed hope that
> they will not take legal action for it. A friend of mine hoped that they
> would use the law against me, it would just increase the publicity for me,
> and that might increase the value of my services. And he was also sure that
> they would never win the case.
>
> I was for a while thinking about using my "private" yahoo email to not
> disclose my name, however, that felt like "hiding for something you did not
> do".
>
> One at the forum sent me a message off the list and said: "You got bigger
> balls than me. :-)", what did he mean with that?

He meant you have guts (more than him) to do what you did given the current
sue-you-if-you-help attitude in IT land. (Plenty of IT 'manager' types, the
police, the FBI, you-name-it can't smell the difference between a whitehat
and a blackhat - so they throw everyone on the blackhat pile.)

> I did not know that the php
> list also shows the web cam at the same time. "I better watch out"...
>
> Best regards,
> Peter Lauri
>
> -----Original Message-----
> From: Peter Lauri [mailto:lists@xxxxxxxxxxx]
> Sent: Wednesday, August 02, 2006 11:17 PM
> To: php-general@xxxxxxxxxxxxx
> Subject: SQL injection
>
> Hi all,
>
> I saw some strange error messages from a site when I was surfing it, and it
> was in form of SQL. I did some testing of the security of the SQL injection
> protection of that site, and it showed it was not that protected against SQL
> injections. To show this to them, I deleted my own record in their database
> after finding out the table name of the "entity" in the database. I also
> found out a lot of other table names that I think are important.
>
> What I did to them was to report this to them, and inform them about the
> damage I created, and what could have been done. (I did DELETE FROM
> tablename WHERE id=1234, what if I did DELETE FROM tablename, destruction if
> no backup). This is a large "athletic site" in Sweden, with more than
> 100,000 daily visitors.
>
> What I am a little bit worried about is the legal part of this; can I be
> accused of breaking some laws? I was just doing it to check if they were
> protected, and I informed them about my process etc. I only deleted my
> record, no one else's. In Sweden it might have been called "computer
> break-in", but I am not sure.
>
> Anyone with experience of a similar thing?
>
> Best regards,
> Peter Lauri

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
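The two weaknesses the thread describes (a DELETE whose id comes straight from the request, and SQL error text shown to visitors) are easiest to see side by side. The following is an added example written for this page; it is not code from the thread or from the site discussed. It runs against an in-memory SQLite table so it works offline, and the table name "entity", the column names and the sample rows are constructed for the demo. The tampered input is the textbook tautology that turns a `WHERE id = ...` delete into the "DELETE FROM tablename" case Peter warns about.

```php
<?php
// Added example (not from the thread): the same DELETE written two ways,
// plus error handling that keeps SQL text out of the browser.
// Table "entity", columns "id"/"name" and the rows are constructed for the demo.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    // Raise exceptions on failure; the catch block below decides what the
    // visitor sees, instead of PHP echoing the driver's message.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE entity (id INTEGER PRIMARY KEY, name TEXT)');
    $ins = $db->prepare('INSERT INTO entity (id, name) VALUES (?, ?)');
    foreach ([[1234, 'peter'], [1235, 'anna'], [1236, 'erik']] as [$id, $name]) {
        $ins->execute([$id, $name]);
    }
    return $db;
}

// Vulnerable: the request value is pasted into the SQL text, so whatever the
// visitor types becomes part of the statement.
function deleteOwnRecordVulnerable(PDO $db, string $id): int {
    return (int)$db->exec("DELETE FROM entity WHERE id = $id");
}

// Hardened: the id is validated as an integer at the boundary and then bound
// as a parameter. The SQL text is fixed; the value can only ever be data.
function deleteOwnRecordSafe(PDO $db, string $id): int {
    if (!ctype_digit($id)) {
        return 0; // not a numeric id: nothing reaches the database
    }
    $stmt = $db->prepare('DELETE FROM entity WHERE id = :id');
    $stmt->bindValue(':id', (int)$id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function rowsLeft(PDO $db): int {
    return (int)$db->query('SELECT COUNT(*) FROM entity')->fetchColumn();
}

// Constructed inputs: what an honest user sends, and a tampered value that
// widens the WHERE clause to every row when nothing checks it.
$honest   = '1234';
$tampered = '1234 OR 1=1';

$db = makeDb();
deleteOwnRecordVulnerable($db, $tampered);
echo 'vulnerable, tampered id: rows left = ' . rowsLeft($db) . PHP_EOL;

$db = makeDb();
$n = deleteOwnRecordSafe($db, $tampered);
echo "safe, tampered id: deleted = $n, rows left = " . rowsLeft($db) . PHP_EOL;
$n = deleteOwnRecordSafe($db, $honest);
echo "safe, honest id: deleted = $n, rows left = " . rowsLeft($db) . PHP_EOL;

// The SQL-shaped error messages are what gave the site away. Log the detail
// server-side and give the visitor a message that reveals nothing about the
// schema or the query.
try {
    $db->query('SELECT * FROM no_such_table');
} catch (PDOException $e) {
    error_log('db error: ' . $e->getMessage()); // server log only
    echo 'Something went wrong; please try again later.' . PHP_EOL;
}
```

Run it with `php example.php`. The vulnerable function empties the table on the tampered input, while the hardened one deletes nothing for that input and exactly one row for the honest id; the prepared statement would also be enough on its own, the `ctype_digit` check simply rejects bad input before a query is issued. In production the same effect for the error case comes from `display_errors = Off` plus a logging error handler, so that neither PDO nor PHP prints query text to the page.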