Peter Lauri wrote:
Hi all,

I saw some strange error messages from a site when I was surfing it, and it
was in form of SQL. I did some testing of the security of the SQL injection
protection of that site, and it showed it was not that protected against SQL
injections. To show this to them, I deleted my own record in their database
after finding out the table name of the "entity" in the database. I also
found out a lot of other table names that I think are important.

What I did to them was to report this to them, and inform them about the
damage I created, and what could have been done. (I did DELETE FROM
tablename WHERE id=1234; what if I had done DELETE FROM tablename? Destruction if
no backup.) This is a large "athletic site" in Sweden, with more than
100,000 daily visitors.

What I am a little bit worried about is the legal part of this; can I be
accused of breaking some laws? I was just doing it to check if they were
protected, and I informed them about my process etc. I only deleted my
record, no one else's. In Sweden it might have been called "computer
break-in", but I am not sure.

Anyone with experience of a similar thing?

Best regards,

Peter Lauri
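
The two symptoms the post describes (SQL error text visible to a visitor, and a request parameter that ends up controlling a DELETE) come from the same coding pattern. Below is an added example, not code from this thread or from the site in question, showing that pattern beside the prepared-statement form that a PHP site should use. It assumes PHP with the pdo_sqlite extension; the `entity` table, its columns, the sample rows and the function names are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread or from the site the post
// describes. The table, columns and sample rows are constructed; the
// query shape follows the DELETE ... WHERE id=1234 the post mentions.
// Runs stand-alone with PHP's pdo_sqlite: php sqli_demo.php

declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE entity (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO entity (id, name) VALUES (1234, 'me'), (1235, 'someone else')");

// Vulnerable shape (a hypothetical reconstruction, not the site's code):
// the request value is pasted into the SQL text, so the visitor, not the
// developer, decides what the statement is. Any odd input also surfaces
// the database's own error text, which is the "error message in form of
// SQL" that gave the problem away in the post.
function deleteRecordUnsafe(PDO $pdo, string $idFromRequest): int
{
    $sql = "DELETE FROM entity WHERE id = $idFromRequest";
    return $pdo->exec($sql);
}

// Hardened shape: validate the type first, then run a prepared statement
// with a bound integer parameter. The SQL text is fixed before the value
// is supplied, so the request value can only ever be a value.
function deleteRecordSafe(PDO $pdo, string $idFromRequest): int
{
    $id = filter_var($idFromRequest, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $pdo->prepare('DELETE FROM entity WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

function countRows(PDO $pdo): int
{
    return (int) $pdo->query('SELECT COUNT(*) FROM entity')->fetchColumn();
}

// 1. Malformed input against the unsafe version: the database error comes
//    straight back to the caller. A production handler should log
//    $e->getMessage() server-side and show the visitor a generic page,
//    never the SQL.
try {
    deleteRecordUnsafe($pdo, '1234x');
} catch (PDOException $e) {
    echo "unsafe: database error exposed to caller: {$e->getMessage()}\n";
}

// 2. The same input against the safe version is rejected before any SQL runs.
try {
    deleteRecordSafe($pdo, '1234x');
} catch (InvalidArgumentException $e) {
    echo "safe: rejected before reaching the database: {$e->getMessage()}\n";
}

// 3. A legitimate id removes exactly one row; the neighbouring row survives.
$deleted = deleteRecordSafe($pdo, '1234');
echo "safe: deleted {$deleted} row(s), " . countRows($pdo) . " row(s) remaining\n";
```

The type check in `deleteRecordSafe` is deliberately separate from the prepared statement: the placeholder alone already keeps input from becoming SQL, but rejecting non-integers up front means a malformed id never produces a database error at all, so there is no SQL text to leak even if error display is misconfigured.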

read http://shiflett.org/archive/236


--

life is a game... so have fun.

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
