[WEB SECURITY] magic_quotes

Matt Fisher mfisher at spidynamics.com
Tue Jun 21 19:16:18 EDT 2005


After Santy, this is actually part of my standard preso... Magic quotes is a *functional thing*, not a *security thing*. Do some digging on the web and you'll find an interview with Rasmus stating he built it to downsize support questions.

Santy ripped right through PHPBoard even with Magic Quotes because the code did a secondary URLDecode in the PHP itself.  So the worm simply double-encoded; Magic Quotes decoded it once, looked at it, said "it's not a single quote" and let it through.  Then the PHP app itself decoded it into the single quote.  

The lesson? Never rely on anything magical, flashing, spinning, or on flames. Take the time and do the input validation. It doesn't have to be a huge amount of work either; you can make just one or two functions that perform some general-purpose validation versus doing everything inline.


Pablo Fernández wrote:
> 
> >The only problem I have with manually checking each inputted variable
> >is that after coding for 10 hours straight there's a pretty good chance
> >you might forget a check. I think that's an important security breach,
> >and that's what I like the most about magic_quotes.
> >
> >The PHP manual says that SQL injection is possible even with
> >magic_quotes on. Do you know of any case? (Besides really badly coded
> >LIMITs)
> >
> >Best regards,
> >Pablo Fernández

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/

The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
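An added example, not from the original post, that models in Python the ordering Matt describes (engine decodes once, magic_quotes_gpc escapes, the application decodes again) beside a check that runs after the last decode. The `addslashes` helper imitates PHP's addslashes(); the numeric "topic id" field and all inputs are constructed for illustration.

```python
from urllib.parse import unquote


def addslashes(s: str) -> str:
    """Model of PHP's addslashes(), which magic_quotes_gpc applied to GPC values."""
    out = []
    for c in s:
        if c in "'\"\\":
            out.append("\\" + c)
        elif c == "\0":
            out.append("\\0")
        else:
            out.append(c)
    return "".join(out)


def magic_quotes_pipeline(raw_query_value: str) -> str:
    """What reaches the SQL string when magic quotes is the only defence."""
    # 1. The engine URL-decodes the query string once on the way in.
    once = unquote(raw_query_value)
    # 2. magic_quotes_gpc escapes whatever quotes it can see at this point.
    escaped = addslashes(once)
    # 3. The application URL-decodes the value a second time before using it,
    #    so an encoding that survived step 1 is resolved only now, after escaping.
    return unquote(escaped)


def validated_pipeline(raw_query_value: str):
    """Decode everything the application will decode, then validate the result.

    Returns the accepted value, or None when the value fails validation.
    The allow-list (digits only) is a constructed rule for a hypothetical
    numeric topic id; a real field would carry its own rule.
    """
    fully_decoded = unquote(unquote(raw_query_value))
    if not fully_decoded.isdigit():
        return None
    return fully_decoded


if __name__ == "__main__":
    # Constructed inputs: a single-encoded quote and a double-encoded one.
    for value in ("42%27", "42%2527"):
        print(repr(value), "->", repr(magic_quotes_pipeline(value)),
              "| validated:", validated_pipeline(value))
```

The double-encoded value comes out of the magic-quotes path as a bare quote, while the allow-list check rejects both forms because it looks at the fully decoded value.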