Not such a good idea
Apr. 23rd, 2008 05:43 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
lederhosenVia RISKS:
The Oklahoma Department of Corrections published a web interface where the URL contained the SQL query executed to retrieve the data to be reported. Thus, any knowledgeable user could execute general SQL queries against a database containing large amounts of personal information -- including UPDATE statements (!) It was taken down only after management was shown that THEIR personal information was available.
The Oklahoma Department of Corrections published a web interface where the URL contained the SQL query executed to retrieve the data to be reported. Thus, any knowledgeable user could execute general SQL queries against a database containing large amounts of personal information -- including UPDATE statements (!) It was taken down only after management was shown that THEIR personal information was available.
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2008-04-23 10:47 pm (UTC)Apparently the loophole existed for three years. I wonder what, if anything, they're going to do to verify that what they have now is accurate o.O