the Hidden and Protected item type. Hence, P2_USER_ID was still a Hidden item, but not protected from tampering. Running the page gives the screen shown in Figure 8-7.
Figure 8-7. The MY_USERS update form
Invoking Web Developer clearly shows the hidden item P2_USER_ID and its value of 1 (see Figure 8-8).
Figure 8-8. MY_USERS form after invoking Web Developer Show form details
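The difference between a plain Hidden item and a tamper-protected one can be shown with a small server-side sketch. This is an added illustration, not code from the book and not APEX's actual implementation; the `_CK` field suffix, the function names and the session IDs are assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: a secret that never leaves the server.
SERVER_KEY = secrets.token_bytes(32)

def item_checksum(session_id: str, item_name: str, value: str) -> str:
    """Bind a hidden item's value to its name and to the session that rendered it."""
    # JSON encoding keeps the three parts unambiguous (no separator collisions).
    msg = json.dumps([session_id, item_name, value]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def render_hidden(session_id: str, item_name: str, value: str) -> dict:
    """Form fields the server would emit for a protected hidden item."""
    return {
        item_name: value,
        item_name + "_CK": item_checksum(session_id, item_name, value),
    }

def accept_submission(session_id: str, item_name: str, form: dict,
                      protected: bool = True) -> str:
    """Return the submitted value; raise if a protected item was altered."""
    value = form.get(item_name, "")
    if protected:
        supplied = form.get(item_name + "_CK", "")
        expected = item_checksum(session_id, item_name, value)
        # Constant-time comparison on bytes, so odd input cannot raise TypeError.
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            raise ValueError(f"{item_name} was modified in the browser")
    return value

def demo() -> dict:
    """Constructed sample: the page renders P2_USER_ID=1, the browser posts 2."""
    form = render_hidden("sess-A", "P2_USER_ID", "1")
    tampered = dict(form, P2_USER_ID="2")
    result = {"plain_hidden": accept_submission("sess-A", "P2_USER_ID",
                                                tampered, protected=False)}
    try:
        accept_submission("sess-A", "P2_USER_ID", tampered)
        result["protected"] = "accepted"
    except ValueError:
        result["protected"] = "rejected"
    return result

if __name__ == "__main__":
    print(demo())
```

A checksum only proves the value is the one the server rendered for that session; whether the logged-in user is allowed to update that row is a separate server-side authorization check.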
At this point I could have randomly changed information on any user, but the goal was to find one
that might have a higher set of privileges than my own. Fortunately, the application provided a report of
all users, with a link to details about the user selected. Naturally, the link provided the user's underlying
ID. I assumed my friend might have higher privileges, so I chose his ID and inserted it into the