A normally operating Web server would output only the result of the script operation and would never disclose its source code. Nevertheless, omnipresent implementation errors result in the script code sometimes becoming available. Both the server and the script processed by it might be responsible for this. Errors in scripts are often encountered because practically everyone writes scripts without having even the vaguest idea of security. Servers usually are tested carefully . As a rule, the main security holes in servers are eliminated during beta testing.
In this chapter, attention will be focused on hacking the database. When investigating the script body, it is possible to find lots of interesting information, including field names, table names , and master passwords stored as plaintext (Listing 28.2).
... if ($filename eq "passwd") # Check for correctness ...