Received an email newsletter from some company, and decided to unsubscribe. Clicking on the link gave me this page:

For some reason, Senior Send have decided it’s a good idea to output what SQL they’re using to delete me from their client’s mailing list. This sometimes happens, especially with ColdFusion, when you accidentally get an error. It’s not a good idea to display this much information even then. It’s an even worse idea to display this to any or all of your users.
SELECT id,status_id, mail_subscriber.name FROM mail_subscriber WHERE id = 94523 found 1
And the URL looks like:
http://internal.seniordev.co.uk/mailer/mail_unsubscribe.asp?id=696&subscriber=94523
I wonder what happens if I just change the subscriber ID to anything else? How long would it take to write a script to loop from 1 to 94522 deleting all users?
Maybe they should have just passed my email address, or a UUID, or an encrypted version of my ID. Maybe they shouldn’t have output their SQL.
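One way to implement the "encrypted version of my ID" suggestion, added here as an example rather than Senior Send's own code: sign the unsubscribe link with an HMAC over the list and subscriber ids, so a `subscriber` value edited by hand no longer verifies. It assumes a server-side secret key (constructed placeholder below) and the `id`/`subscriber` query parameters seen in the URL above.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder secret; a real deployment loads this from a
# secrets store and rotates it, and never ships it in page source.
SECRET_KEY = b"example-unsubscribe-secret-rotate-me"


def _sign(list_id: int, subscriber_id: int) -> str:
    """HMAC-SHA256 over 'list:subscriber', URL-safe base64 without padding."""
    msg = f"{list_id}:{subscriber_id}".encode()
    mac = hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def build_unsubscribe_url(base: str, list_id: int, subscriber_id: int) -> str:
    """Link to embed in the newsletter: the ids plus a signature binding them."""
    query = urlencode({
        "id": list_id,
        "subscriber": subscriber_id,
        "sig": _sign(list_id, subscriber_id),
    })
    return f"{base}?{query}"


def verify_unsubscribe_request(url: str) -> Optional[int]:
    """Server side: return the subscriber id only if the signature matches.

    Any edited, missing or malformed parameter yields None, so the handler
    can refuse to touch the database instead of trusting the raw id.
    """
    params = parse_qs(urlparse(url).query)
    try:
        list_id = int(params["id"][0])
        subscriber_id = int(params["subscriber"][0])
        sig = params["sig"][0]
    except (KeyError, ValueError):
        return None
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(sig, _sign(list_id, subscriber_id)):
        return None
    return subscriber_id
```

The handler then runs its DELETE only for the id returned by `verify_unsubscribe_request`, and returns a generic "unsubscribed" page rather than the SQL it executed.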
