lederhosen ([personal profile] lederhosen) wrote 2008-04-23 05:43 pm

Not such a good idea

Via RISKS:

The Oklahoma Department of Corrections published a web interface where the URL contained the SQL query executed to retrieve the data to be reported. Thus, any knowledgeable user could execute general SQL queries against a database containing large amounts of personal information -- including UPDATE statements (!) It was taken down only after management was shown that THEIR personal information was available.
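The design flaw described above, as an added illustration that is not part of the RISKS item or the original post: a handler that executes whatever SQL the URL carries, next to the hardened form where the statement is fixed in code and the URL contributes only an identifier, with a read-only database connection as a second line of defence. The table, names and functions are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the larger DOC database the post
# describes: registered offenders are a subset of a table that also holds
# other prisoners and staff.
SCHEMA = """
CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT, role TEXT,
                     registered_offender INTEGER);
INSERT INTO person VALUES (1, 'A. Example', 'inmate', 1);
INSERT INTO person VALUES (2, 'B. Example', 'inmate', 0);
INSERT INTO person VALUES (3, 'C. Example', 'staff', 0);
"""

WRITE_ACTIONS = {sqlite3.SQLITE_INSERT, sqlite3.SQLITE_UPDATE,
                 sqlite3.SQLITE_DELETE, sqlite3.SQLITE_DROP_TABLE}

def deny_writes(action, arg1, arg2, dbname, source):
    # Least privilege at the database layer: the web-facing connection
    # cannot modify data even when the application layer is flawed.
    return sqlite3.SQLITE_DENY if action in WRITE_ACTIONS else sqlite3.SQLITE_OK

def open_db(read_only=True):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if read_only:
        conn.set_authorizer(deny_writes)
    return conn

def report_unsafe(conn, sql_from_url):
    """The pattern the post describes: the URL carries the SQL itself, so
    whoever edits the URL chooses which rows (and which tables) come back."""
    return conn.execute(sql_from_url).fetchall()

# Hardened form: the statement is fixed in code and already restricted to
# the registry subset; the URL contributes only a bound identifier.
REGISTRY_QUERY = ("SELECT id, name FROM person "
                  "WHERE registered_offender = 1 AND id = ?")

def report_safe(conn, id_from_url):
    try:
        person_id = int(id_from_url)   # reject anything that is not a plain id
    except (TypeError, ValueError):
        return []
    return conn.execute(REGISTRY_QUERY, (person_id,)).fetchall()
```

The authorizer makes the UPDATE case from the post fail at the database even through the unsafe handler, which is the kind of control that limits damage for the years a bug like this can go unnoticed.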

[identity profile] lederhosen.livejournal.com 2008-04-23 10:47 pm (UTC)
It was supposed to be the sex offenders' registry, but it achieved that by subselecting from a larger database - looks like if you substituted the right snippet of SQL you could access non-SO records, including not only prisoners but DOC staff.

Apparently the loophole existed for three years. I wonder what, if anything, they're going to do to verify that what they have now is accurate o.O