[WEB SECURITY] SQL Injection with PHP's Magic Quotes

David Alan Hjelle dahjelle+webappsec.org at thehjellejar.com
Wed Feb 27 09:34:10 EST 2013

This page [1] seems to indicate that using magic_quotes_gpc can be “somewhat secure” as long as one does not use the GBK character set and as long as the query parameters are properly quoted.

Does anyone know of an exploit that can SQL inject despite the presence of magic_quotes_gpc and properly quoted queries?

P.S. I’m well aware that best practice is to use prepared queries and to turn magic_quotes_gpc off. I’d prefer to back up my recommendation with an exploit if possible. ;-)

[1] http://www.hakipedia.com/index.php/SQL_Injection#addslashes.28.29_.26_magic_quotes_gpc

David Alan Hjelle
1 Corinthians 2:2

Check out Rita’s spoons.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/attachments/20130227/1eda2495/attachment-0003.html>

More information about the websecurity mailing list