Re: sql injection and php

[Lincoln Yeoh <lyeoh () pop jaring my>]

At 11:56 PM 5/28/02 +0000, Jacek Lach wrote:
> Hi,
>
> I hope the list is right :-)

You might get more help from the webappsec list.

> Does the magic_quotes in php's configuration resolves the problem of sql
> injection? Is this technique still a risk when the option is enabled?
> Most documentation I found was presenting ASP examples, but simple entering '
> character doesn't work when this option is enabled (which is set in default
> configuration).
> Thanks for any answers and/or references on the subject.

AFAIK magic_quotes is a bad[1] idea and design.

It is a bad idea to combine input filtering with output filtering.

You risk ending up with corrupted and inappropriately filtered data.

For example if your app ever submits quoted data to itself (or other 
applications that don't require quoting) you end up misquoting. You start 
seeing stuff like \' in all the wrong places.

Filters should be kept separate where possible. The various inputs to your 
app should be filtered so your app can cope, output to browsers should be 
filtered accordingly, output to different databases should be filtered 
accordingly and so on.

If you find a program using magic_quotes, it's likely to have bad problems 
elsewhere. If the programmer forgets to put certain variables between 
single quotes, magic_quotes won't protect them.

Cheerio,
Link.

[1] I'm strongly tempted to use much harsher words, thus this footnote ;).