Penetration Testing mailing list archives
Re: Magic Quotes question
From: "Sanjay R" <2sanjayr () gmail com>
Date: Tue, 23 Jan 2007 09:42:45 +0530
the reply may not be directly addressing your issues, but can give some inkling (read from Shiflett's article).... in case, GBK character set is involved, you can try using intelligent encoding. In GBK, 0xbf27 is not a valid multi-byte character, but 0xbf5c is a valid one. so, what does it say? we assume that addslashes() is being used. so, for single quotes 0x27, we will write 0xbf27. addslashes will change this to 0xbf5c27 i.e 0xbf5c and 0x27. On 1/20/07, Tim <tim-pentest () sentinelchicken org> wrote:
> Why wouldnt you just put the escape function inside of the database > query et al API function and then make a run-time configuration where > it could be turned off? So that only strings passed to the database > are escaped, they are always escaped unless you specifically turn it > off and its use is transparent to the end user? i.e. > > EXPORTED_API_T > database_query(query, ...) > { > if (getconfig->add_slashes) > add_slashes(query); > > db_query(query, ...); > } That's the whole idea behind perpared statements, and you should always use them. For a while PHP didn't even have this kind of API (does it even have that now?), which is quite alarming, but more sensible languages (e.g. Perl, Python, etc) have had them for a long time. For those not familiar, a prepared statement in Python might look like: query = "SELECT * FROM foo WHERE firstname=?" cursor->execute(query, "Joe") Notice how nice it is to have a decent API? No work on your part and no foolish hacks like addslashes() or magic quotes. tim ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
-- PhD Intoto Softwares, Hyderabad, India ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
Current thread:
- Announcement: The Cross-site Request Forgery FAQ bugtraq (Jan 16)
- Magic Quotes question DokFLeed (Jan 18)
- Re: Magic Quotes question Lynx (Jan 18)
- Re: Magic Quotes question Sir Mordred (Jan 19)
- Re: Magic Quotes question Ronald Chmara (Jan 19)
- Re: Magic Quotes question Justin Ferguson (Jan 19)
- Re: Magic Quotes question Tim (Jan 22)
- Re: Magic Quotes question Sanjay R (Jan 22)
- Wikto and googling Nicolás F . Iglesias (Jan 22)
- Re: Wikto and googling Adviser (Jan 23)
- Re: Wikto and googling Sels, Roger (Jan 23)
- RE: Wikto and googling Michael Starr (Jan 23)
- Re: Wikto and googling David Jacoby (Jan 23)
- RE: Wikto and googling Steve Armstrong (Jan 23)
- RE: Wikto and googling Ezequiel Sallis (Jan 23)
- Magic Quotes question DokFLeed (Jan 18)
- Re: Magic Quotes question DokFLeed (Jan 22)
- Re: Magic Quotes question Tim (Jan 22)