Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Magic Quotes question

From: Tim <tim-pentest () sentinelchicken org>
Date: Sat, 20 Jan 2007 10:05:32 -0500
Why wouldnt you just put the escape function inside of the database
query et al API function and then make a run-time configuration where
it could be turned off? So that only strings passed to the database
are escaped, they are always escaped unless you specifically turn it
off and its use is transparent to the end user? i.e.

EXPORTED_API_T
database_query(query, ...)
{
       if (getconfig->add_slashes)
               add_slashes(query);

      db_query(query, ...);
}



That's the whole idea behind perpared statements, and you should always
use them.  For a while PHP didn't even have this kind of API (does it
even have that now?), which is quite alarming, but more sensible
languages (e.g. Perl, Python, etc) have had them for a long time.

For those not familiar, a prepared statement in Python might look like:

 query = "SELECT * FROM foo WHERE firstname=?"
 cursor->execute(query, "Joe")


Notice how nice it is to have a decent API?  No work on your part and no
foolish hacks like addslashes() or magic quotes.

tim

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: