CGI Tutorial

Paul Rubin http
Mon Oct 9 04:31:15 EDT 2006


Lawrence D'Oliveiro <ldo at geek-central.gen.new_zealand> writes:
> > lower. Just last week a police employee in my class told us of an
> > exploit where a major credit card company's web site had been hacked
> > using a SQL injection vulnerability. This is usually done with the
> > intent of gaining access to credit card data.
> 
> If they can do that, it doesn't seem much of a step to compromise the code
> that decrypts the credit card data, as well. Keeping it encrypted, when the
> key needs to be kept at the same (in)security level, is just
> security-through-obscurity.

Keys in such sites are supposed to be kept more secure than the stuff
in the db.



More information about the Python-list mailing list