Oklahoma Leaks 10,000 Social Security Numbers
“Apparently the folks at the Department of Corrections of Oklahoma just forgot to use common sense when they created the state’s Sexual and Violent Offender Registry. By putting SQL queries in the URLs, they not only leaked the personal data of tens of thousands of people, but enabled literally anyone with basic SQL knowledge to put his neighbor/boss/enemies on the sexual offender list. Fortunately, after the author of the blog The Daily WTF notified the department about the issue, the site went down for ‘routine maintenance’ on April 13 2008.”
comment:
This breaks my brain, even for the normally stereotypically slow, stereotypically technology-shy government (though I will say that a lot of the Government of Canada sites work surprisingly well in my experience).
SQL queries IN THE QUERY STRING. Someone reading their FIRST BOOK on web development would know not to do that! And now God help the people who have been affected by this: try proving to the government that you’re not a sexual offender when you’re already on their list.
SQL injections. [wikipedia.org] Learn them. Learn how to mitigate them [php.net] (a PHP-specific example, but there are similar mitigation techniques for other languages). And I mean, hell, in a site like this (and especially with programmers apparently this bad), stored procedures [wikipedia.org] might be the thing to implement. Or even better, use a framework like CakePHP [cakephp.org], Rails [rubyonrails.org], or Django [djangoproject.com] with this sort of sanitation built into the queries it generates.
Ugh. I hope someone gets fired for this. I bet, though, that in reality this was programmed by the lowest bidder.