[WEB SECURITY] magic_quotes

Dave King davefd at davewking.com
Tue Jun 21 18:40:39 EDT 2005


I haven't tested it but I believe you can encode the tick and then it's
not escaped correctly. For example I know some web apps you can use
%2527 to encode a single tick and bypass the check altogether. Also
depending on how you write the query the quotes are irrelevant. For
example the query "SELECT * from table WHERE id = $id" could easily be
compromised with magic_quotes on. If id were "1 or 1 = 1" or possibly
worse "1; DROP TABLE;" then bad things could happen. An easy way to
make sure you don't miss any is to just do all of them. Read in each
variable individually at the top of the page, and sanitize them as is
appropriate, then always use mysql_real_escape_string().

Laters,
Dave King


Pablo Fernández wrote:

>The only problem I have with manually checking each inputted variable is
>that after coding for 10 hours straight there's a pretty good chance you
>might forget a check, I think that's an important security breach, and
>that's what I like the most about magic_quotes.
>
>The PHP manual says that SQL injection is possible even with
>magic_quotes on. Do you know of any case? (Besides really badly coded
>LIMITs)
>
>Best regards,
>Pablo Fernández


---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
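
The two cases raised in the message above, reproduced as an added example that is not part of the original thread. Assumptions: addslashes() stands in for magic_quotes, PDO with an in-memory SQLite database and a prepared statement replace the MySQL functions named in the message, and the items table, its rows and find_item() are constructed for the illustration.

```php
<?php
// Added example, not from the original thread. addslashes() stands in for
// magic_quotes; the table and its rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO items (id, name) VALUES (1, 'alpha'), (2, 'beta'), (3, 'gamma')");

// Case 1: numeric context. The input holds no quote character, so quote
// escaping leaves it unchanged and it still rewrites the WHERE clause.
$id = addslashes('1 or 1 = 1');
$sql = "SELECT * FROM items WHERE id = $id";
$rows = $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
printf("%s\n  rows returned: %d\n", $sql, count($rows));

// Case 2: double encoding. The server's own URL decode turns %2527 into %27,
// which contains nothing to escape. If the application decodes a second time
// after escaping, a bare quote appears that the escaping never saw.
$onceDecoded  = urldecode('%2527');
$escaped      = addslashes($onceDecoded);
$twiceDecoded = urldecode($escaped);
printf("after escaping: %s   after a second decode: %s\n", $escaped, $twiceDecoded);

// Hardened form: validate the type first, then bind the value as a parameter
// so the input is never concatenated into the SQL text.
function find_item(PDO $db, string $input): array
{
    $id = filter_var($input, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];                      // reject anything that is not an integer
    }
    $stmt = $db->prepare('SELECT id, name FROM items WHERE id = ?');
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one valid id and the two problem values from above.
foreach (['2', '1 or 1 = 1', '%27'] as $input) {
    printf("find_item(%s) rows: %d\n", var_export($input, true), count(find_item($db, $input)));
}
```

Running it with the PHP CLI needs only the pdo_sqlite extension; the first query returns every row, while find_item() returns a row only for the valid integer.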
