[WEB SECURITY] magic_quotes

Daniel deeper at gmail.com
Tue Jun 21 19:35:09 EDT 2005


I'll play devil's advocate here...

Matt, you mention input validation, but I have to admit there isn't
much material on the web today which takes into account
MySQL/Postgres.

Maybe SPIDynamics would like to put out a mini paper on doing input
validation on non-SQL/Oracle DBs?



On 6/22/05, Matt Fisher <mfisher at spidynamics.com> wrote:
> After Santy, this is actually part of my standard preso .... Magic quotes is a *functional thing*, not a *security thing*.  Do some digging on the web and you'll find an interview with Rasmus stating he built it to downsize support questions.
> 
> Santy ripped right through PHPBoard even with Magic Quotes because the code did a secondary URLDecode in the PHP itself.  So the worm simply double-encoded; Magic Quotes decoded it once, looked at it, said "it's not a single quote" and let it through.  Then the PHP app itself decoded it into the single quote.
> 
> The lesson? Never rely on anything magical, flashing, spinning, or on flames. Take the time and do the input validation. It doesn't have to be a huge amount of work either; you can make just one or two functions that perform some general-purpose validation versus doing everything inline.
> 
> 
> Pablo Fernández wrote:
> >
> > > The only problem I have with manually checking each inputted variable
> > > is that after coding for 10 hours straight there's a pretty good chance
> > > you might forget a check. I think that's an important security breach,
> > > and that's what I like the most about magic_quotes.
> > >
> > > The PHP manual says that SQL injection is possible even with
> > > magic_quotes on. Do you know of any case? (Besides really badly coded
> > > LIMITs)
> > >
> > > Best regards,
> > > Pablo Fernández
> > >
> >
> > ---------------------------------------------------------------------
> > The Web Security Mailing List
> > http://www.webappsec.org/lists/websecurity/
> >
> > The Web Security Mailing List Archives
> > http://www.webappsec.org/lists/websecurity/archive/
> >
> >
> 
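The double-decoding case Matt describes, as an added example that is not code from the thread or from any project named in it. It assumes a request parameter that should be a numeric topic id. magic_quotes_gpc itself was removed in PHP 5.4, so its effect is reproduced with addslashes() on the value the engine has already URL-decoded once; the three input strings are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread). magic_quotes_gpc no longer exists
// (removed in PHP 5.4), so the escaping layer is reproduced with addslashes().

// What the engine does when it builds $_GET: one URL decode of the raw value.
function engineDecode(string $rawQueryValue): string
{
    return urldecode($rawQueryValue);
}

// What magic_quotes_gpc then did to that once-decoded value.
function magicQuotesEscape(string $getValue): string
{
    return addslashes($getValue);
}

// The application's redundant second decode: the step that undoes the
// escaping layer's view of the data.
function appDecodesAgain(string $escapedValue): string
{
    return urldecode($escapedValue);
}

// Hardened alternative: validate the once-decoded value against what a
// topic id may look like, and never decode it a second time. Anything that
// is not a short run of digits is rejected, whatever encoding it arrived in.
function validateTopicId(string $getValue): ?int
{
    if ($getValue === '' || strlen($getValue) > 9 || !ctype_digit($getValue)) {
        return null;
    }
    return (int) $getValue;
}

// Constructed inputs: a legitimate id, a single-encoded quote, and the
// double-encoded quote that the escaping layer cannot see.
$rawInputs = ['42', 'abc%27', 'abc%2527'];

foreach ($rawInputs as $raw) {
    $asGet     = engineDecode($raw);
    $escaped   = magicQuotesEscape($asGet);
    $appSees   = appDecodesAgain($escaped);
    $validated = validateTopicId($asGet);

    printf("raw=%-9s \$_GET=%-7s after magic_quotes=%-7s after app decode=%-7s validated=%s\n",
        $raw, $asGet, $escaped, $appSees,
        $validated === null ? 'REJECTED' : (string) $validated);
}
```

Run it with the php command-line binary. For the double-encoded input the escaping layer sees only `abc%27`, finds no quote to escape, and the application's own urldecode() then turns it into `abc'`. The whitelist check runs on the same once-decoded value the escaping layer saw, rejects it, and never decodes again; with that in place the query itself should still go through a prepared statement rather than relying on escaping.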



