Re: magic_quotes

[mickael kael <mickael.kael () gmail com>]

Hello,

Sorry to deviate the subject of the thread.

I see some code which use %2527 to bypass magic_quotes because %25
correspond to %. I try this technic with this code

(this is just a code for testing)
code : $sql = "SELECT nom FROM log where id='$id'";
url : test.php?id=999%2527%20UNION%20ALL%20SELECT%20nom%20FROM%20log%20where%20id=1/*
result : SELECT nom FROM log where id='999%27 UNION ALL SELECT nom
FROM log where id=1/*'

But it don't work, i think, Mysql not interpret %27.
I read on the thread that it is possible to bypass magic_quotes, but i
don't find any solution. So if someone say it is possible, it will be
interessant to have a poc.

Thanks in advance,

Mk,
On 23 Jun 2005 08:30:59 -0000, maarten () webfauna com
<maarten () webfauna com> wrote:
> I agree that magic quotes is not a very nice solution. Although it makes it a little harder to manipulate queries, it 
> will make your code less clear. Some strings in you application are escaped (from POST data) and some are not (e.g. 
> from database.) Sometimes it's not completly clear what the origin of a variable (string) is.
> I think it's easier and safer if you can concider all strings to be unescaped and make sure you escape them in a 
> query.
> You need clear and easy to understand code to make your application secure.
>
> In this case, I'd also use the intval() function. If you want an integer value, this makes sure it is.
>
> Greets,
> Maarten