Not such a good idea

[lederhosen]

Via RISKS:

The Oklahoma Department of Corrections published a web interface where the URL contained the SQL query executed to retrieve the data to be reported. Thus, any knowledgeable user could execute general SQL queries against a database containing large amounts of personal information -- including UPDATE statements (!) It was taken down only after management was shown that THEIR personal information was available.

Comments

[cheshire-bitten.livejournal.com]

That is creepy.

[chaos-crafter.livejournal.com]

UI've been meaning to write a site like that. :) The thing is I plan to do one that appears to generate results, but is actually making them up. Also after the nth request from the same place it starts responding with things like "You just don't get it do you? I'm making this all up"

[nefaria.livejournal.com]

http://imaserialkiller.com/UPDATE_prison_record_SET_release_date=SYSDATE

[lederhosen.livejournal.com]

DROP TABLE would work pretty well, too...

[terrycloth.livejournal.com]

It was the sex offenders' registry. You could *add* people to the sex offenders' registry.

[lederhosen.livejournal.com]

It was supposed to be the sex offenders' registry, but it achieved that by subselecting from a larger database - looks like if you substituted the right snippet of SQL you could access non-SO records, including not only prisoners but DOC staff.

Apparently the loophole existed for three years. I wonder what, if anything, they're going to do to verify that what they have now is accurate o.O