[WEB SECURITY] SQL Injection with PHP's Magic Quotes

BlackHawk hawkgotyou at gmail.com
Wed Feb 27 11:07:25 EST 2013


If the app uses any kind of *_decode function, mq is bypassed.

An example, just one of the dozen you can find:
http://packetstormsecurity.com/files/57008/revokebb-sql.txt.html

On Wed, Feb 27, 2013 at 3:34 PM, David Alan Hjelle
<dahjelle+webappsec.org at thehjellejar.com> wrote:
> This page [1] seems to indicate that using magic_quotes_gpc can be “somewhat
> secure” as long as one does not use the GBK character set and as long as the
> query parameters are properly quoted.
>
> Does anyone know of an exploit that can SQL inject despite the presence of
> magic_quotes_gpc and properly quoted queries?
>
> P.S. I’m well aware that best practice is to use prepared queries and to
> turn magic_quotes_gpc off. I’d prefer to back up my recommendation with an
> exploit if possible. ;-)
>
> [1]
> http://www.hakipedia.com/index.php/SQL_Injection#addslashes.28.29_.26_magic_quotes_gpc
>
>
> David Alan Hjelle
> 1 Corinthians 2:2
> http://thehjellejar.com/
>
> Check out Rita’s spoons.



--
BlackHawk - hawkgotyou at gmail.com

Experientia senum agilitas iuvenum.
Adversa fortiter. Dubia prudenter
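
The point made in the reply above, shown as an added example that is not part of the original thread: a value that is decoded after magic quotes has run reaches the query with its quotes unescaped, while a bound parameter is unaffected. base64_decode() is used as one instance of a *_decode function; the users table, the token field, the sample value and the use of pdo_sqlite are assumptions, and addslashes() stands in for magic_quotes_gpc, which was removed in PHP 5.4.

```php
<?php
// Added example. magic_quotes_gpc was removed in PHP 5.4, so addslashes()
// stands in for what it did to every GET/POST/COOKIE value.
// Assumptions: pdo_sqlite is loaded; table "users" and field "token" are hypothetical.

function emulate_magic_quotes(string $value): string
{
    return addslashes($value);
}

// True when $s holds a single quote that is not backslash-escaped.
function has_unescaped_quote(string $s): bool
{
    return preg_match("/(?<!\\\\)(?:\\\\\\\\)*'/", $s) === 1;
}

$input = "x' OR '1'='1";            // constructed sample value containing quotes
$wire  = base64_encode($input);     // what arrives in the request: base64 alphabet only

// Same value sent as-is: magic quotes escapes every quote before the app sees it.
$direct = emulate_magic_quotes($input);

// Encoded value: magic quotes finds nothing to escape, then the app decodes it.
$decoded = base64_decode(emulate_magic_quotes($wire));

// "Properly quoted" query built by concatenation, as in the original question.
$concatenated = "SELECT id FROM users WHERE token = '" . $decoded . "'";

printf("direct  : %s (unescaped quote: %s)\n", $direct, var_export(has_unescaped_quote($direct), true));
printf("decoded : %s (unescaped quote: %s)\n", $decoded, var_export(has_unescaped_quote($decoded), true));
printf("query   : %s\n", $concatenated);

// Hardened form: the decoded value is bound as a parameter and never parsed as SQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, token TEXT)");
$db->exec("INSERT INTO users (token) VALUES ('constructed-token')");

$stmt = $db->prepare('SELECT id FROM users WHERE token = ?');
$stmt->execute([$decoded]);
printf("rows matched by bound parameter: %d\n", count($stmt->fetchAll(PDO::FETCH_ASSOC)));
```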



