Security Basics mailing list archives
Re: magic_quotes
From: Christoph 'knurd' Jeschke <christoph.jeschke () gmail com>
Date: Wed, 22 Jun 2005 12:33:13 +0200
Pablo Fernández wrote:
> Again, the question I asked is in the scenario where magic_quotes *IS ENABLED*
Through casting the GET/POST to object, PHP will warn/error you if there is something rotten in the $(G|P)DATA-string when it's evaluated at mysql_query() - if PHP is not bogus - something you really can't rely on (Bugs are everywhere!). But if you only rely on magic_quotes_runtime (MQR), your application will be easily affected if the MQR-mechanism is not as good as you thought.

So use additionally mysql_real_escape_string and Stored Procedures. Second and third defense lines are always good. Ah, and ... use $_REQUEST so you don't have to check where the data came from. And don't forget an acceptable error handling (and logging).

Greetings,
Chris
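The layered approach Chris describes (do not trust the magic_quotes setting, escape or parameterise at the query boundary, and fail with server-side logging) as an added example; this is not code from the thread. It is written for modern PHP on the mysqli API, so `mysql_real_escape_string` is shown via its mysqli equivalent `real_escape_string`. The `users` table, the connection parameters and the function names are assumptions for illustration.

```php
<?php
// Added example, not part of the original mailing list post.
// Assumes a MySQL table `users` (id INT, name VARCHAR) and a mysqli
// connection; both are hypothetical.

function normalize_request_value(string $value): string
{
    // If magic_quotes_gpc is on (PHP < 5.4), the value has already been
    // backslash-escaped once. Undo that so the data is escaped exactly once,
    // at the query boundary, instead of trusting the runtime setting.
    // The function_exists() guard keeps this running on PHP 8, where
    // get_magic_quotes_gpc() no longer exists.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

function find_user_by_name(mysqli $db, string $rawName): ?array
{
    $name = normalize_request_value($rawName);

    // First defense line: a prepared statement keeps data out of the SQL text,
    // so the content of $name can never change the query structure.
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error); // detail stays server-side
        return null;                                // generic failure to the caller
    }
    $stmt->bind_param('s', $name);
    if (!$stmt->execute()) {
        error_log('execute failed: ' . $stmt->error);
        $stmt->close();
        return null;
    }
    $result = $stmt->get_result();
    $row = $result ? $result->fetch_assoc() : null;
    $stmt->close();
    return $row ?: null;
}

// Second defense line for legacy code paths that still build SQL strings:
// the mysql_real_escape_string advice from the thread, on the mysqli API.
// The escaping is charset-aware, which is why set_charset() is called below.
function legacy_escaped_query(mysqli $db, string $rawName): string
{
    $name = $db->real_escape_string(normalize_request_value($rawName));
    return "SELECT id, name FROM users WHERE name = '" . $name . "'";
}

// Usage; connection parameters are placeholders.
$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'app_db');
if ($db->connect_error) {
    error_log('db connect failed: ' . $db->connect_error);
    http_response_code(500);
    exit('Service unavailable');
}
$db->set_charset('utf8mb4');

// $_REQUEST, as suggested in the thread, so the origin (GET/POST/cookie)
// does not matter; the same normalisation applies to all of them.
$user = find_user_by_name($db, $_REQUEST['name'] ?? '');
```

The important design point is that `normalize_request_value()` removes the escaping magic_quotes may or may not have applied, so the application reaches the query with raw data regardless of the php.ini setting and then escapes or binds it exactly once. Errors are logged with detail on the server and reported to the client only generically.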
Current thread:
- magic_quotes Pablo Fernández (Jun 20)
- RE: magic_quotes Steve Hillier (Jun 20)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 21)
- RE: magic_quotes Steve Hillier (Jun 22)
- Re: magic_quotes Pablo Fernández (Jun 22)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 22)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 21)
- RE: magic_quotes Steve Hillier (Jun 20)
- Re: magic_quotes Ben Sytko (Jun 20)
- <Possible follow-ups>
- Re: RE: magic_quotes miguel . vieira (Jun 22)
- Re: magic_quotes maarten (Jun 24)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 27)
- Re: magic_quotes mickael kael (Jun 27)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 28)
- Re: magic_quotes Tony Stahler (Jun 28)