[WEB SECURITY] SQL Injection with PHP's Magic Quotes
hawkgotyou at gmail.com
Wed Feb 27 11:07:25 EST 2013
If the app uses any kind of *_decode function, mq is bypassed.
An example, just one of the dozen you can find:
On Wed, Feb 27, 2013 at 3:34 PM, David Alan Hjelle
<dahjelle+webappsec.org at thehjellejar.com> wrote:
> This page seems to indicate that using magic_quotes_gpc can be “somewhat
> secure” as long as one does not use the GBK character set and as long as the
> query parameters are properly quoted.
> Does anyone know of an exploit that can SQL inject despite the presence of
> magic_quotes_gpc and properly quoted queries?
> P.S. I’m well aware that best practice is to use prepared queries and to
> turn magic_quotes_gpc off. I’d prefer to back up my recommendation with an
> exploit if possible. ;-)
> David Alan Hjelle
> 1 Corinthians 2:2
> Check out Rita’s spoons.
BlackHawk - hawkgotyou at gmail.com
Experientia senum agilitas iuvenum.
Adversa fortiter. Dubia prudenter
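An added illustration of the point made in the reply above (not code from the original thread, and written in Python rather than PHP): escaping applied at request entry, the way magic_quotes_gpc did it, is undone by a later base64_decode because the base64 alphabet contains nothing that addslashes would escape, so the quote reappears at the SQL sink. The magic_quotes simulation, the in-memory SQLite table and the sample input are constructed for the demo; the robust fix is a parameterized query at the sink.

```python
import base64
import sqlite3


def magic_quotes(value: str) -> str:
    """Simulate PHP's magic_quotes_gpc (addslashes): backslash-escape ' " \\ and NUL."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def encode_param(plain: str) -> str:
    """What a client sends when the app expects a base64-encoded parameter."""
    return base64.b64encode(plain.encode()).decode()


def decode_after_quotes(raw_param: str) -> str:
    """The flawed flow: escaping runs on the raw request parameter first,
    and only afterwards does the app base64-decode it. Base64 text contains
    no quote or backslash, so magic_quotes() is a no-op here and the decoded
    value carries its quotes back unescaped."""
    escaped = magic_quotes(raw_param)          # changes nothing for base64 input
    return base64.b64decode(escaped).decode()


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the app's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def lookup_concat(conn: sqlite3.Connection, name: str) -> list:
    """String-built query of the kind that relied on magic_quotes: whatever
    the decode step hands back is pasted straight into the SQL text."""
    rows = conn.execute(f"SELECT name FROM users WHERE name = '{name}'").fetchall()
    return [r[0] for r in rows]


def lookup_param(conn: sqlite3.Connection, name: str) -> list:
    """Parameterized query: the value is bound, never parsed as SQL,
    regardless of what encoding or escaping happened upstream."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()
    return [r[0] for r in rows]
```

Run `decode_after_quotes(encode_param("x' OR 'a'='a"))` through both lookups: the concatenated query matches every row, the bound query matches none.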