Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

AW: magic_quotes

From: "Michael Kluge" <michael.kluge () wundermedia de>
Date: Mon, 20 Jun 2005 17:31:22 +0200
Hello!

This is very unsafe! Imagine this case:
$DATA->id is "' OR (any_where_clause) OR id='"

So your SQL-Statement will be:
SELECT * FROM whatever WHERE id = '' OR (any_where_clause) OR id=''

So anybody can manipulate your SQL-Statment to return unwanted rows from your table.

This is an SQL injection vulnarability.

Better use something like mysql_escape_string().

See:
http://www.php.net/manual/en/function.mysql-escape-string.php


Regards,
Michael.



Hi everybody

I been coding for the last couple of days with PHP+MySQL and I've been
relaying A LOT in magic_quotes. I am wondering if it's (at 
least for the
moment) a safe thing to do. For example, consider the following code

$GDATA = (object) $_GET;
$PDATA = (object) $_POST;

if ($GDATA) $DATA = $GDATA;
else        $DATA = $PDATA;

$q = mysql_query ("SELECT * FROM whatever WHERE id = '$DATA->id'");

How safe is this?

I would appreciate hints & thoughts (TM)

Thanks,
Pablo Fernandez
Previous By Date Next
Previous By Thread Next

Current thread: