INSERT INTO `users` ( `username`, `password`, `admin` )
VALUES ( $username, PASSWORD($password), 0 );
This sets all new users to "not admin" status. Now when I sign up on your site, you're not checking for malicious form inputs, so I fill out the username field like this:
jnichel, PASSWORD('password'), 1);#
What I've done is set $username to the above, and the pound sign I added at the end of the username string has made the rest of YOUR SQL query a comment. I just made myself a site admin.
Casey Crookston wrote:
Question: What is an SQL injection crack, and what did this developer
do wrong to make his site so crackable?
I want to be sure I'm not doing the same thing.
Casey
-----Original Message-----
From: J.R. Pitts [mailto:listuser@wjponline.com] Sent: Friday, October 25, 2002 8:51 PM
To: [EMAIL PROTECTED]
Subject: [wdvltalk] ETHICS: Should I tell them their web site is insecure?
Here's the situation.
Several months ago I was contacted by a potential client about doing a
web site for them. They wanted to provide a service through their web
site for which they would charge and accept payment via credit cards.
Long story shortened: I didn't get the job. I inquired a couple of
times, but was never re-contacted. I figured they just weren't going to
do it.
Well, they did do it, but had someone else program it. I was somewhat
miffed that they used someone else.
I was looking around the "free" area and noticed numerous spelling,
grammatical, and other errors. It hit me how unprofessional the job was,
and I wondered just exactly how secure it was.
It was _very_ insecure. The web site was wide open to SQL injection
cracks. We're talking script-monkey easy.
There for the taking are all of their customers' names, addresses, IDs
and passwords, SSNs, phone numbers, *CREDIT CARD NUMBERS AND EXPIRATION
DATES* with billing addresses.
Do I tell them? My initial reaction was to tell them. My main motivation
was "See what you got? You're gonna get hacked." I can tell them they
have a problem and here's what people can do. If you want me to tell you
how to fix it, that's gonna cost you.
I bounced this off some people whose opinion I deeply respect, but who
have no Internet law knowledge. The consensus is that I _had_ to tell
them they were vulnerable. I wasn't required to fix it for free or tell
them why they were vulnerable; but I had an ethical mandate to alert
them, because innocent people could get hurt.
But, if I tell them, they are going to want to know how I know. I
cracked into their web site. Although I would never use such
information, it could be argued that I performed an illegal activity
just by checking.
Other than checking with my lawyer, which I am already going to do, does
anyone have any suggestions? Anyone ever been in a similar situation?
J.R.
____ * The WDVL Discussion List from WDVL.COM * ____
To Join wdvltalk, Send An Email To: mailto:wdvltalk-join@lists.wdvl.com Send Your Posts To: [EMAIL PROTECTED]
To change subscription settings to the wdvltalk digest version:
http://wdvl.internet.com/WDVL/Forum/#sub
________________ http://www.wdvl.com _______________________
You are currently subscribed to wdvltalk as:
[EMAIL PROTECTED] To unsubscribe send a blank email to
%%email.unsub%%
