So, just when I thought I had seen it all… this is the REQUEST, as captured by Fiddler.
Yes, you read that right… the SWF builds the SQL query itself and sends it to the web server, in plain text.
(I've modified the actual contents of the SQL, naturally.)
POST /flashsql.php?id=106 HTTP/1.1
= QUERYSTRING ====
= BODY ====
sql_=SELECT DISTINCT( id ), name, filename FROM table LEFT JOIN table2 ON ( id = id ) LEFT JOIN table3 ON ( id = id ) LEFT JOIN table4 ON ( id = id ) LEFT JOIN table5 ON ( id = id ) WHERE id IN(155,150,52,149,134,133,76) AND typeId=9 ORDER BY id
5 tables, no less, and a database name. And a file on the server that happily accepts any SQL the client sends and executes it. Oh, and this was an e-commerce website.
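To make the difference concrete, here is an added example (mine, not the site's code) of the pattern above next to a hardened form of the same endpoint. The table and column names are placeholders assumed for the demo, the database is an in-memory SQLite stand-in, and the handlers take a plain dict in place of the POST form.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's database (placeholder schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, filename TEXT, typeId INTEGER);
        INSERT INTO items VALUES (52, 'a', 'a.swf', 9), (76, 'b', 'b.swf', 9),
                                 (133, 'c', 'c.swf', 3), (150, 'd', 'd.swf', 9);
    """)
    return db


def vulnerable_handler(db, form):
    """The pattern from the captured request: the server runs whatever SQL arrives in sql_."""
    return db.execute(form["sql_"]).fetchall()


# Only a comma-separated list of integers is accepted for the id filter.
ID_LIST = re.compile(r"\d{1,10}(,\d{1,10}){0,99}")


def hardened_handler(db, form):
    """The client sends data only; the server owns the query and binds every value."""
    ids = form.get("ids", "")
    type_id = form.get("typeId", "")
    if not ID_LIST.fullmatch(ids) or not type_id.isdigit():
        raise ValueError("rejected: ids must be an integer list and typeId an integer")
    id_values = [int(x) for x in ids.split(",")]
    placeholders = ",".join("?" * len(id_values))
    sql = (
        "SELECT DISTINCT id, name, filename FROM items "
        f"WHERE id IN ({placeholders}) AND typeId = ? ORDER BY id"
    )
    return db.execute(sql, id_values + [int(type_id)]).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(hardened_handler(db, {"ids": "155,150,52,149,134,133,76", "typeId": "9"}))
```

The hardened handler rejects anything that is not an integer list before it touches the database, so the SQL text itself never comes from the client.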
They were notified and they have subsequently made things a lot more secure.