Vulnerability Development mailing list archives
Re: sql injection and php
From: Lincoln Yeoh <lyeoh () pop jaring my>
Date: Thu, 30 May 2002 04:25:19 +0800
At 11:56 PM 5/28/02 +0000, Jacek Lach wrote:
> Hi, I hope the list is right :-)
You might get more help from the webappsec list.
> Does the magic_quotes option in PHP's configuration resolve the problem of SQL injection? Is this technique still a risk when the option is enabled? Most documentation I found was presenting ASP examples, but simply entering the ' character doesn't work when this option is enabled (which it is in the default configuration). Thanks for any answers and/or references on the subject.
AFAIK magic_quotes is a bad[1] idea and design. It is a bad idea to combine input filtering with output filtering. You risk ending up with corrupted and inappropriately filtered data. For example, if your app ever submits quoted data to itself (or to other applications that don't require quoting) you end up misquoting. You start seeing stuff like \' in all the wrong places.
Filters should be kept separate where possible. The various inputs to your app should be filtered so your app can cope, output to browsers should be filtered accordingly, output to different databases should be filtered accordingly and so on.
If you find a program using magic_quotes, it's likely to have bad problems elsewhere. If the programmer forgets to put certain variables between single quotes, magic_quotes won't protect them.
Cheerio,
Link.

[1] I'm strongly tempted to use much harsher words, thus this footnote ;).
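An added example, not code from Lincoln's reply or from any PHP project, that simulates what magic_quotes_gpc did (addslashes() over every request value on arrival) to reproduce the two failure modes described above, and then shows the separate-filters approach; sql_string_literal and sql_int are hypothetical helper names.

```php
<?php
// Added example: simulate magic_quotes_gpc and compare it with escaping
// at each output boundary. Runs with any PHP CLI, no database needed.

// What magic_quotes_gpc effectively did to every GET/POST/COOKIE value.
function magic_quotes(string $value): string {
    return addslashes($value);
}

// Failure 1: a value escaped on arrival is escaped again when the app
// submits it to itself (e.g. a "confirm" form round trip).
$name = "O'Brien";
$first_request  = magic_quotes($name);           // O\'Brien
$second_request = magic_quotes($first_request);  // O\\\'Brien
echo "After one round trip:  $first_request\n";
echo "After two round trips: $second_request\n";

// Failure 2: escaping quotes does nothing for an unquoted SQL context.
$id  = magic_quotes("1 OR 1=1");                  // unchanged: nothing to escape
$sql = "SELECT * FROM users WHERE id = $id";      // programmer forgot the quotes
echo "Unquoted context, unprotected: $sql\n";

// Keeping filters separate: store the raw input and apply the filter that
// matches each output channel only at the point of output.
function sql_string_literal(string $raw): string {
    // stand-in for the driver's escape function (mysqli_real_escape_string)
    // or, better, a prepared-statement placeholder
    return "'" . addslashes($raw) . "'";
}
function sql_int(string $raw): int {
    // numeric contexts need validation, not quote escaping
    if (!preg_match('/^[0-9]+$/', $raw)) {
        throw new InvalidArgumentException("not an integer: $raw");
    }
    return (int) $raw;
}

$raw_name = "O'Brien";                            // kept raw across round trips
echo "SQL:  SELECT * FROM users WHERE name = " . sql_string_literal($raw_name) . "\n";
echo "HTML: <input value=\"" . htmlspecialchars($raw_name, ENT_QUOTES) . "\">\n";
echo "SQL:  SELECT * FROM users WHERE id = " . sql_int("42") . "\n";
try {
    sql_int("1 OR 1=1");
} catch (InvalidArgumentException $e) {
    echo "Rejected: " . $e->getMessage() . "\n";
}
```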