Re: Magic Quotes

[Steve Slater <slater () handsonsecurity com>]

At 04:00 AM 10/06/06, DokFLeed wrote:

> if there is noway around Magic Quotes, then why is every developer 
> against it ?
> Dok

You can often get around it, depending upon the app and the query.
Here is one that works...or at least did work at the time. It's pretty old:

http://packetstormsecurity.nl/0311-exploits/phpBB206.txt

What if your query uses a numeric query value? Then there is
no quote needed to perform an injection. For example:

SELECT * from db.table where column = 1100

What if I change 1100 to: -9999 union select * from whatever.whatever

(No quotes needed here...)

Just give your team an example of how prepared statements work
and it won't take more than an extra minute to copy it for each new DB
query. Then you don't have to worry about it.

Steve



==================================================

Steve Slater
President

Security Compliance Corporation
120 Village Square, Suite 76
Orinda, CA 94563
(866) 657-4550

http://www.securitycompliancecorp.com
slater () securitycompliancecorp com 



-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. See for yourself. 
Download a Free Trial of AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ
--------------------------------------------------------------------------