![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
Not such a good idea
Apr. 23rd, 2008 05:43 pmVia RISKS:
The Oklahoma Department of Corrections published a web interface where the URL contained the SQL query executed to retrieve the data to be reported. Thus, any knowledgeable user could execute general SQL queries against a database containing large amounts of personal information -- including UPDATE statements (!) It was taken down only after management was shown that THEIR personal information was available.
The Oklahoma Department of Corrections published a web interface where the URL contained the SQL query executed to retrieve the data to be reported. Thus, any knowledgeable user could execute general SQL queries against a database containing large amounts of personal information -- including UPDATE statements (!) It was taken down only after management was shown that THEIR personal information was available.
