websecurity@lists.webappsec.org

The Web Security Mailing List


SQL Injection with PHP's Magic Quotes

David Alan Hjelle
Wed, Feb 27, 2013 2:34 PM

This page [1] seems to indicate that using magic_quotes_gpc can be “somewhat secure” as long as one does not use the GBK character set and as long as the query parameters are properly quoted.

Does anyone know of an exploit that can SQL inject despite the presence of magic_quotes_gpc and properly quoted queries?

P.S. I’m well aware that best practice is to use prepared queries and to turn magic_quotes_gpc off. I’d prefer to back up my recommendation with an exploit if possible. ;-)

[1] http://www.hakipedia.com/index.php/SQL_Injection#addslashes.28.29_.26_magic_quotes_gpc

David Alan Hjelle
1 Corinthians 2:2
http://thehjellejar.com/

Check out Rita’s spoons.

BlackHawk
Wed, Feb 27, 2013 4:07 PM

If the app uses any kind of *_decode function, mq is bypassed.

An example, just one of the dozens you can find:
http://packetstormsecurity.com/files/57008/revokebb-sql.txt.html

On Wed, Feb 27, 2013 at 3:34 PM, David Alan Hjelle
<dahjelle+webappsec.org@thehjellejar.com> wrote:

> This page [1] seems to indicate that using magic_quotes_gpc can be “somewhat
> secure” as long as one does not use the GBK character set and as long as the
> query parameters are properly quoted.
>
> Does anyone know of an exploit that can SQL inject despite the presence of
> magic_quotes_gpc and properly quoted queries?
>
> P.S. I’m well aware that best practice is to use prepared queries and to
> turn magic_quotes_gpc off. I’d prefer to back up my recommendation with an
> exploit if possible. ;-)
>
> [1]
> http://www.hakipedia.com/index.php/SQL_Injection#addslashes.28.29_.26_magic_quotes_gpc
>
> David Alan Hjelle
> 1 Corinthians 2:2
> http://thehjellejar.com/
>
> Check out Rita’s spoons.
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity@lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

--
BlackHawk - hawkgotyou@gmail.com

Experientia senum agilitas iuvenum.
Adversa fortiter. Dubia prudenter
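The bypass BlackHawk describes, worked through as an added example (this is not code from either poster or from the linked advisory): magic_quotes_gpc ran addslashes() over request data before the application saw it, so any later *_decode call (urldecode() here) produces characters that were never escaped. The table name, column name and the input value `alice%27` are constructed for the demo; the fix shown is the prepared-statement approach David already names as best practice.

```php
<?php
// Added example, not from the thread. magic_quotes_gpc was removed in PHP 5.4,
// so its effect on $_GET/$_POST is emulated here with addslashes().
function emulate_magic_quotes(array $gpc): array
{
    return array_map('addslashes', $gpc);
}

// Vulnerable pattern: the value is URL-decoded *after* magic quotes escaped it.
// addslashes() saw "alice%27" (nothing to escape); urldecode() then turns %27
// into a bare single quote that is concatenated straight into the SQL text.
function build_query_vulnerable(array $gpc): string
{
    $name = urldecode($gpc['user']);
    return "SELECT id FROM users WHERE name = '" . $name . "'";
}

// Defender's check: after decoding, does the value contain characters that the
// earlier escaping pass should have handled? If so, the escaping was undone.
function escaping_was_undone(string $escapedInput): bool
{
    $decoded = urldecode($escapedInput);
    return addslashes($decoded) !== $decoded;
}

// Hardened pattern: decode first, then bind. The driver keeps the decoded
// value inside the parameter no matter which characters it contains.
function find_user_safe(PDO $pdo, string $rawUser): array
{
    $stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->execute([':name' => urldecode($rawUser)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request: the quote arrives URL-encoded as %27.
$raw     = ['user' => 'alice%27'];
$escaped = emulate_magic_quotes($raw);          // still "alice%27", nothing escaped

echo build_query_vulnerable($escaped), PHP_EOL;  // the literal is closed by the decoded quote
var_dump(escaping_was_undone($escaped['user'])); // bool(true)

// Same input through the parameterized path, against an in-memory SQLite table
// (constructed fixture). Only the row literally named alice' can match.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('alice''')");
var_dump(find_user_safe($pdo, 'alice%27'));
```

The general rule the example illustrates: any decoding step (urldecode, base64_decode, html_entity_decode, json_decode and so on) produces new untrusted data, so escaping applied before it, by magic quotes or by hand, no longer covers the value that actually reaches the query. Binding parameters at the point of use sidesteps the ordering problem entirely.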
