WebApp Sec mailing list archives
Re: Magic Quotes
From: "DokFLeed" <dokfleed () dokfleed net>
Date: Tue, 10 Oct 2006 12:39:50 +0400
But that is in GBK and only against addslashes. If magic quotes is on, and you do not add any other means of filtering, it works fine and you are protected. However, you can still inject normal SQL ( , ; CHAR( , etc...). It looks like as long as the developer expresses their variables as '$x' instead of $x they are safe.
Dok

----- Original Message -----
From: "Chris Shiflett" <chris () shiflett org>
To: "DokFLeed" <dokfleed () dokfleed net>
Cc: <webappsec () securityfocus com>
Sent: Tuesday, October 10, 2006 5:39 AM
Subject: Re: Magic Quotes

DokFLeed wrote:
> I am researching in bypassing Magic Quotes enforced by PHP

You might be interested in this post:

http://shiflett.org/archive/184

Magic quotes isn't an ideal approach, because it escapes input (in a generic and incomplete way) for one particular purpose. This complicates input filtering (having to account for extra characters), provides a false sense of security, pushes responsibility to the configuration of the environment, can't be relied upon (requires every PHP developer to write inelegant code to deal with the lack of predictability), etc. It is also being removed.

Chris
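The point DokFLeed makes above, that addslashes()-style escaping only helps when the developer wraps the variable in quotes, can be seen directly in code. The following is an added example written for this archive page; it is not code from the thread or from either poster. It assumes a SQLite in-memory database via PDO purely so it runs offline; the "users" table and the demo input are constructed for the illustration.

```php
<?php
// Added example (not from the thread). Demonstrates why magic_quotes_gpc
// (which applied addslashes() to request input) only protects a value that the
// developer placed inside quotes, and shows the replacement: type validation
// plus a prepared statement.

// Simulates what magic_quotes_gpc did to every request value.
function magic_quotes(string $value): string {
    return addslashes($value);
}

// Quoted context ('$x'): an escaped quote cannot terminate the string literal,
// so the whole value stays inside the literal.
function query_quoted(string $id): string {
    return "SELECT name FROM users WHERE id = '" . magic_quotes($id) . "'";
}

// Unquoted context ($x): there is no quote to escape, so a value that contains
// no quote characters is spliced into the SQL unchanged and changes its meaning.
function query_unquoted(string $id): string {
    return "SELECT name FROM users WHERE id = " . magic_quotes($id);
}

// Hardened version: validate that the value is a plain integer, then bind it
// through a prepared statement so the database never parses it as SQL.
function fetch_user_name(PDO $db, string $id): ?string {
    if (!ctype_digit($id)) {
        return null;                      // reject anything that is not digits only
    }
    $stmt = $db->prepare("SELECT name FROM users WHERE id = ?");
    $stmt->execute([(int) $id]);
    $name = $stmt->fetchColumn();
    return $name === false ? null : $name;
}

// Constructed demo data (assumption: a two-column users table).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// A value with no quote characters: magic quotes leaves it exactly as it is.
$input = "1 OR 1=1";

echo query_quoted($input), PHP_EOL;      // id = '1 OR 1=1'  -> compared as a string, matches nothing
echo query_unquoted($input), PHP_EOL;    // id = 1 OR 1=1    -> the WHERE clause now matches every row

// Count how many rows each form of the query returns against the demo table.
echo "quoted rows:   ", count($db->query(query_quoted($input))->fetchAll()), PHP_EOL;   // 0
echo "unquoted rows: ", count($db->query(query_unquoted($input))->fetchAll()), PHP_EOL; // 2

// The hardened function rejects the non-numeric value outright and binds a valid one.
var_dump(fetch_user_name($db, $input));  // NULL
var_dump(fetch_user_name($db, "2"));     // string(3) "bob"
```

Running it shows the two halves of the argument in the thread: the quoted form survives this input, the unquoted form does not, and neither behaviour depends on the magic_quotes_gpc setting, which is why validation and parameter binding in the application code are the reliable fix regardless of how the PHP environment is configured.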