[WEB SECURITY] security audit - how to avoid legal prosecution

Martin O'Neal martin.oneal at corsaire.com
Thu Jun 9 08:24:50 EDT 2005

> not the intended purpose? I'm searching for it!
> Same applies to my personal password:
>   ' or 1=1 '--

This hinges (as others have pointed out) on intent and reasonableness.

As Joe Punter in the street it would be reasonable to expect that simply
entering your name (O'Reilly) into a site and generating a SQL error was
not the desired outcome. No intent.

As a knowledgeable hacker/consultant entering a complex SQL injection
string into a form, the reasonableness test would swing the other way; it
would be reasonable (given your background) to expect you to understand
what you are doing, and the likely results. Intent.

