WebApp Sec mailing list archives
Re: Anyone have some basic security tips for PHP-programmers?
From: Härnhammar, Ulf <Ulf.Harnhammar.9485 () student uu se>
Date: Sat, 22 Nov 2003 22:41:52 +0100
Quoting tim () xi co nz:
From my point of view, magic_quotes is a bad idea, because it can't possibly cover every way data can enter your script, and it's counterproductive when you want to do other things with that data.
I agree. One more argument against magic quotes is that they provide a false sense of security, by not helping against some common cases of SQL Injections: the ones where you don't need to use any apostrophes or quotes.

$sql = "DELETE FROM table WHERE id=$id AND permission=7";

$id = "id #";

Now $sql has the value "DELETE FROM table WHERE id=id # AND permission=7". Magic quotes won't help against that at all.

Another argument against magic quotes is that they are switched on in php.ini. If you are not the system administrator of your web site (common for hobbyists or smaller companies), you may not have control over php.ini. Even if you do, things can get awkward with different PHP scripts on the same server that require different settings.

A really good PHP application should therefore work equally well no matter the value of php.ini settings like register_globals and magic_quotes_gpc.

--
Ulf Härnhammar, student, Uppsala universitet

"I am a dubious character / Not good for much"
-- Cornelis Vreeswijk, "Somliga går med trasiga skor"

Uggs != Cmectbb
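The point made in the message above, as an added example that is not part of the original post: quote escaping leaves a quote-free value untouched, while an integer check and a bound parameter do not depend on php.ini at all. The table name `items`, the helper names and the sample rows are assumptions made for this sketch, and `addslashes()` stands in for what magic_quotes_gpc applied to request data.

```php
<?php
// Added example, not code from the original post. `items`, the helper
// names and the sample rows are hypothetical and constructed.

// magic_quotes_gpc ran addslashes() over request data; emulate that here.
function magic_quote(string $v): string {
    return addslashes($v);
}

// The pattern from the post: a value interpolated into a numeric context.
function build_unsafe(string $id): string {
    return "DELETE FROM items WHERE id=$id AND permission=7";
}

// Check 1: accept only a decimal integer, independent of php.ini settings.
function parse_id(string $raw): ?int {
    $n = filter_var($raw, FILTER_VALIDATE_INT);
    return $n === false ? null : $n;
}

// Check 2: bind the value so it is always data, never SQL syntax.
function delete_item(PDO $db, $id): int {
    $st = $db->prepare('DELETE FROM items WHERE id = ? AND permission = 7');
    $st->execute([$id]);
    return $st->rowCount();
}

$input  = 'id #';                     // the value used in the post
$quoted = magic_quote($input);        // nothing to escape in this value
var_dump($quoted === $input);         // compare escaped and raw input
echo build_unsafe($quoted), "\n";     // show the statement that results

var_dump(parse_id($input));           // validation result for the post's value
var_dump(parse_id('42'));             // validation result for a plain integer

// In-memory SQLite keeps the demonstration offline (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER, permission INTEGER)');
$db->exec('INSERT INTO items VALUES (1, 7), (2, 7), (3, 1)');
var_dump(delete_item($db, $input));   // rows affected when the value is bound
var_dump(delete_item($db, 1));        // rows affected for a legitimate id
```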