echo: osdebate
to: Ad
from: Ad
date: 2007-06-01 11:22:24
subject: Re: Pentest hack..

From: Ad 

ROFLMAO it has an appreciation site:

http://www.apostropheor1equals1dashdash.com/


Adam

Ad wrote:
> OK...we're deploying a webservice & esp wrt the recent fun & games wrt
> NHS systems up on't net & the security associated e.g.
>
> http://news.bbc.co.uk/1/hi/uk_politics/6594111.stm
>
> "The Department of Health has apologised for an apparent security lapse
> which allowed the personal details of junior doctors to be accessed online.
>
> Channel 4 News reported that a breach on the NHS Medical Training
> Application Service website allowed public access for at least eight hours.
>
> The department said the details had only been available briefly, and
> only to people making employment checks.
>
> Shadow health secretary Andrew Lansley said it was shocking and
> unacceptable.
>
> On Wednesday, Channel 4 News reported that a doctor had alerted them to
> a security breach allowing confidential details to be accessed. "
>
> So we're having our systems comprehensively pentested prior to public
> availability
>
> anyway...
>
> neat SQL injection
>
> imagine a system which is eval'ing a user against a db using SQL
>
> std 1st line of SQL = "Select * from tableX where fieldA ='"
>
> e.g. tableX = "user" & fieldA = userID but it doesn't really matter as
> the system is basically looking for a boolean & if true let him in &
> give him a sessionId.....
>
> So.....fieldA value posted in form the webform =
>
>  ' or 1=1 --
>
>
>
> Neat.
>
>
> Adam

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267
@PATH: 379/45 1 633/267
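The concatenated lookup Adam describes, next to the parameterised form that closes the hole, as an added Python/sqlite3 example that is not part of the original post; the in-memory "user" table and its rows are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny 'user' table standing in for tableX."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (userID TEXT, name TEXT)")
    conn.executemany("INSERT INTO user VALUES (?, ?)",
                     [("alice", "Alice"), ("bob", "Bob")])
    return conn


def login_concat(conn, user_id):
    """Vulnerable: the posted value is glued onto the 'std 1st line of SQL',
    so a quote in the input ends the literal and the rest becomes SQL.
    The caller only wants a boolean, so any non-empty result 'lets him in'."""
    sql = "SELECT * FROM user WHERE userID = '" + user_id + "'"
    rows = conn.execute(sql).fetchall()
    return len(rows) > 0


def login_param(conn, user_id):
    """Hardened: the value travels as a bound parameter and is never parsed
    as SQL text, so quotes, 'or 1=1' and '--' are just characters in a string."""
    sql = "SELECT * FROM user WHERE userID = ?"
    rows = conn.execute(sql, (user_id,)).fetchall()
    return len(rows) > 0


def compare(user_id):
    """Run the same posted value through both versions; returns (concat, param)."""
    return login_concat(make_db(), user_id), login_param(make_db(), user_id)


if __name__ == "__main__":
    for posted in ("alice", "mallory", "' or 1=1 --"):
        print(repr(posted), "->", compare(posted))
```

With the `' or 1=1 --` value from the post, the concatenated query returns every row (login succeeds) while the parameterised query returns none.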

SOURCE: echomail via fidonet.ozzmosis.com
