Duncan's blog

November 19, 2008

Information you shouldn’t display to users

Filed under: Web — duncan @ 5:26 pm

Received an email newsletter from some company, and decided to unsubscribe. Clicking on the link gave me this page:
[Screenshot: Senior Send unsubscribe page]

For some reason, Senior Send have decided it's a good idea to output the SQL they run to remove me from their client's mailing list. Query text like this sometimes leaks by accident, especially from ColdFusion error pages, and even then it's not a good idea to display this much: the query alone hands an attacker the table name and column names (mail_subscriber, id, status_id, name), which is exactly what they'd want when probing the rest of the site for SQL injection. Deliberately displaying it to every user, error or not, is worse.

SELECT id,status_id, mail_subscriber.name FROM mail_subscriber WHERE id = 94523

found 1

And the URL looks like:
http://internal.seniordev.co.uk/mailer/mail_unsubscribe.asp?id=696&subscriber=94523

The subscriber parameter is a bare sequential integer, and nothing else in the URL ties it to me. I wonder what happens if I just change the subscriber ID to anything else? How long would it take to write a script to loop from 1 to 94522, unsubscribing every other user on the list?

Maybe they should have passed something an attacker can't guess instead: a random per-subscriber UUID stored alongside the record, or an HMAC or encrypted form of the ID that the server verifies before touching the row. Passing just my email address would only be marginally better, since addresses are guessable too. And they certainly shouldn't have output their SQL.
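To make the two halves of this concrete, here is an added example (my own illustration, not Senior Send's code or anything from the post) that models the unsubscribe handler both ways. The subscriber table, the key, the `token` parameter and the status values are all constructed for the demo. The vulnerable version acts on the bare `subscriber` integer, so the enumeration loop the post describes unsubscribes every row; the hardened version requires an HMAC of the subscriber ID under a server-side key and refuses anything it can't verify, returning a generic message rather than query text.

```python
import hashlib
import hmac

# Constructed stand-in for the mail_subscriber table seen in the leaked SELECT.
# Real data is not available; IDs are chosen to match the post's example.
STATUS_ACTIVE = 1          # assumed meaning of status_id values
STATUS_UNSUBSCRIBED = 2

_SEED_ROWS = {
    94521: {"status_id": STATUS_ACTIVE, "name": "alice"},
    94522: {"status_id": STATUS_ACTIVE, "name": "bob"},
    94523: {"status_id": STATUS_ACTIVE, "name": "duncan"},
}


def fresh_table():
    """Return a fresh copy of the sample table so each scenario starts clean."""
    return {sid: dict(row) for sid, row in _SEED_ROWS.items()}


# --- Vulnerable handler: what mail_unsubscribe.asp?subscriber=N appears to do ---

def unsubscribe_vulnerable(table, subscriber_id):
    """Acts on whatever integer arrives in the URL. No proof of ownership."""
    row = table.get(subscriber_id)
    if row is None:
        return False            # the "found 0" case
    row["status_id"] = STATUS_UNSUBSCRIBED
    return True


def enumerate_unsubscribe(table, max_id):
    """The loop the post asks about: try every id from 1 to max_id.

    Returns how many subscribers the attacker managed to unsubscribe.
    """
    return sum(1 for sid in range(1, max_id + 1) if unsubscribe_vulnerable(table, sid))


# --- Hardened handler: the ID is still in the URL, but it must come with an HMAC ---

def make_unsubscribe_token(subscriber_id, key):
    """HMAC-SHA256 over a purpose-tagged message, keyed with a server secret.

    Only the server can mint these, so a guessed id without its token is useless.
    The "unsubscribe:" prefix stops a token minted for some other feature
    (e.g. a login link) from being replayed here.
    """
    msg = f"unsubscribe:{subscriber_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_unsubscribe_url(mailing_id, subscriber_id, key):
    """Link as it would be emitted in the newsletter (hypothetical 'token' parameter)."""
    token = make_unsubscribe_token(subscriber_id, key)
    return (f"/mailer/mail_unsubscribe.asp?id={mailing_id}"
            f"&subscriber={subscriber_id}&token={token}")


def unsubscribe_hardened(table, subscriber_id, token, key):
    """Verify the token before touching the row; fail closed with no detail.

    Returns (changed, message). The message is the same for a missing row and
    a bad token so the endpoint cannot be used to confirm which ids exist.
    """
    expected = make_unsubscribe_token(subscriber_id, key)
    # Constant-time compare on bytes so a forged token can't be refined byte by byte.
    if not hmac.compare_digest(expected.encode(), str(token).encode()):
        return False, "This unsubscribe link is not valid."
    row = table.get(subscriber_id)
    if row is None:
        return False, "This unsubscribe link is not valid."
    row["status_id"] = STATUS_UNSUBSCRIBED
    return True, "You have been unsubscribed."


def enumerate_hardened(table, max_id, key):
    """Same attacker loop against the hardened handler, guessing a token per id.

    The attacker does not know `key`; a typical guess is a token computed under
    the wrong key (here a constructed one). Returns the number of rows changed.
    """
    wrong_key = b"attacker-guess"
    changed = 0
    for sid in range(1, max_id + 1):
        guess = make_unsubscribe_token(sid, wrong_key)
        ok, _ = unsubscribe_hardened(table, sid, guess, key)
        changed += ok
    return changed


if __name__ == "__main__":
    key = b"constructed-demo-server-key"   # in practice: a random 32-byte secret from config
    t = fresh_table()
    print("vulnerable: attacker unsubscribed", enumerate_unsubscribe(t, 94523), "rows")
    t = fresh_table()
    print("hardened:   attacker unsubscribed", enumerate_hardened(t, 94523, key), "rows")
    print("legit link:", build_unsubscribe_url(696, 94523, key))
```

The point of the hardened version is that the sequential ID can stay in the URL; what changes is that the server will only act on a (id, token) pair it minted itself. A random UUID column works equally well and avoids key management, at the cost of a schema change, which is presumably why the post lists both options.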
