Thank you all for your replies; it has been interesting to read. I am just waiting for the webmaster to reply to me with his thoughts.
My intentions for this were to help, not to break, so I do indeed hope that they will not take legal action for it. A friend of mine hoped that they would use the law against me, it would just increase the publicity for me, and that might increase the value of my services. And he was also sure that they would never win the case. I was for a while thinking about using my "private" yahoo email to not disclose my name, however, that felt like "hiding for something you did not do". One at the forum sent me an message off the list and said: "You got bigger balls than me. :-)", what did he mean with that? I did not know that the php list also shows the web cam at the same time. "I better watch out"... Best regards, Peter Lauri -----Original Message----- From: Peter Lauri [mailto:[EMAIL PROTECTED] Sent: Wednesday, August 02, 2006 11:17 PM To: php-general@lists.php.net Subject: [PHP] SQL injection Hi all, I saw some strange error messages from a site when I was surfing it, and it was in form of SQL. I did some testing of the security of the SQL injection protection of that site, and it showed it was not that protected against SQL injections. To show this to them, I deleted my own record in their database after finding out the table name of the "entity" in the database. I also found out a lot of other that I think is important table names. What I did to them was to report this to them, and inform them about the damage I created, and what could have been done. (I did DELETE FROM tablename WHERE id=1234, what if I did DELETE FROM tablename, destruction if no backup). This is a large "athletic site" in Sweden, with more then 100,000 daily visitors. What I am a little bit worried about is the legal part of this; can I be accused of breaking some laws? I was just doing it to check if they were protected, and I informed them about my process etc. I only deleted my record, no one else's. In Sweden it might have been called "computer break-in", but I am not sure. Anyone with experience of a similar thing? Best regards, Peter Lauri -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
