bradgrafelman
08-20-2007, 12:41 AM
Okay, let me preface this with a little background info:
Before I left for college here in Missouri, my local bank back in Illinois offered "gift cards" - MasterCard credit cards with a prepaid load that you could use just like a normal credit card. These cards come with a feature that allows you to check their balance online. The online "card manager" that stores the cards you buy only lists the first 4 digits and the last 4 digits.
Well, I didn't think to bring along one of my cards (I have several - all but one have $0 load) until I checked the balance online earlier this week - it still had $75! So tonight, I decided I wanted to use it, but didn't know the numbers. While composing an e-mail to my parents to e-mail me the card info, I noticed an error message on the online website while checking its balance once again:
ExecuteSQL Error:
Timeout expired
SELECT sCarCardNum, dCarExp, iCarStatus, iCarPrdId, iCarOrdId, iCarOdtId, iPrgEntIdClient, iPrgEntIdClient, fPos, IsNull(iord.dOrdOrder,bord.dOrdOrder) dOrder, IsNull(iord.fOdtLoadAmount,bodt.fOdtLoadAmount) fOdt, fOdj, dGcbLocked, sPcaIdValue, sPcaIdValuePicture
FROM mcr_cardnum_car
INNER JOIN mpm_product_prd ON iPrdId = iCarPrdId
INNER JOIN mpm_program_prg ON iPrgEntId = iPrdPrgEntId
LEFT JOIN mpm_gcblock_gcb ON sGcbCardNum = sCarCardNum
LEFT JOIN mpm_order_ord bord ON bord.iOrdId = iCarOrdId
LEFT JOIN mpm_orderdetail_odt bodt ON bodt.iOdtOrdId = iCarOrdId AND bodt.iOdtId = iCarOdtId
LEFT JOIN mcr_personalizedcard_pca ON sPcaCardNumInstant = sCarCardNum
LEFT JOIN ( SELECT dOrdOrder, fOdtLoadAmount FROM mpm_orderdetail_odt INNER JOIN mpm_order_ord ON iOrdId = iOdtOrdId WHERE sOdtCardNum = 'xxxxxxxxxxxxxxxxx' ) iord ON 1=1
LEFT JOIN ( SELECT IsNull(Sum(fOdjAmount),0) fOdj FROM mcr_orderadj_odj WHERE sOdjCardNum = 'xxxxxxxxxxxxxxxxx' AND iOdjTypId = 56 ) o ON 1=1
LEFT JOIN ( SELECT TOP 1 IsNull(fPosTranAmount,0) fPos FROM mcr_posttran_pos WHERE sPosCardNum = 'xxxxxxxxxxxxxxxxx' AND iPosMetIdTranCode = 27 ANd sPosTranAmountSign = '+' ORDER BY dPosTran ) aa ON 1=1
WHERE sCarCardNum = 'xxxxxxxxxxxxxxxxx'

Where you see x's, I saw my actual credit card number.
At first I was glad I didn't have to worry about e-mailing my parents. Then I realized... just how secure is this online banking site if I just saw the contents of a SQL query? And let's not talk about reliability, seeing as how I got a SQL timeout message... :mad:
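The two problems visible in the dump above are that the card number sits inside the SQL text as a quoted literal (which is what you get when the number is spliced into the statement by string concatenation) and that the failing statement is echoed back to the browser in full. The following is an added example, not code from the original post or from the bank's site: a small in-memory SQLite stand-in for the `mcr_cardnum_car` table (only the `sCarCardNum` column is taken from the dump; the `fLoad` column, the card numbers and the error wording are constructed) with a lookup written the way the dump suggests next to a parameterised one that returns a generic message and logs the detail server-side.

```python
import logging
import sqlite3

log = logging.getLogger("cardmgr")


def make_db():
    """Constructed stand-in for the card table seen in the error dump.
    Only sCarCardNum is taken from the dump; fLoad and the rows are invented."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE mcr_cardnum_car (sCarCardNum TEXT PRIMARY KEY, fLoad REAL)")
    con.executemany(
        "INSERT INTO mcr_cardnum_car VALUES (?, ?)",
        [("5111000000000001", 75.0), ("5111000000000002", 0.0), ("5111000000000003", 20.0)],
    )
    con.commit()
    return con


def mask(card):
    """Display form used by the card manager: first 4 and last 4 digits only."""
    return card[:4] + "*" * (len(card) - 8) + card[-4:]


def balance_vulnerable(con, card):
    """The pattern the dump suggests: the card number is concatenated into the
    statement, and on any database error the whole statement is sent back to
    the client, card number included."""
    sql = "SELECT sCarCardNum, fLoad FROM mcr_cardnum_car WHERE sCarCardNum = '" + card + "'"
    try:
        return {"ok": True, "rows": con.execute(sql).fetchall()}
    except sqlite3.Error as e:
        # Mirrors the "ExecuteSQL Error:" page: error text followed by the SQL.
        return {"ok": False, "error": "ExecuteSQL Error:\n%s\n%s" % (e, sql)}


def balance_hardened(con, card):
    """Parameterised query: the driver sends the value separately from the SQL,
    so quotes in the input cannot change the statement. Errors are logged with
    a masked card number and the client gets a fixed, non-descriptive message."""
    sql = "SELECT sCarCardNum, fLoad FROM mcr_cardnum_car WHERE sCarCardNum = ?"
    try:
        return {"ok": True, "rows": con.execute(sql, (card,)).fetchall()}
    except sqlite3.Error as e:
        log.error("balance lookup failed for card %s: %s", mask(card) if len(card) >= 8 else "?", e)
        return {"ok": False, "error": "Unable to retrieve balance at this time."}


if __name__ == "__main__":
    con = make_db()
    injected = "' OR '1'='1"            # classic tautology: every card row comes back
    print("vulnerable:", balance_vulnerable(con, injected))
    print("hardened:  ", balance_hardened(con, injected))
    broken = "5111000000000001'"       # stray quote: syntax error, statement echoed back
    print("vulnerable:", balance_vulnerable(con, broken)["error"])
    print("hardened:  ", balance_hardened(con, broken))
```

With the tautology input the concatenated version returns every row in the table while the parameterised version returns none, because the driver compares the column against the literal string `' OR '1'='1`. A stray quote makes the concatenated version fail, and the failure page carries the full statement exactly as in the post; the hardened version keeps the statement and the card number on the server side. A digits-only and length check on the input before the query is a sensible extra layer, but it is not a substitute for parameterisation.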