This page [1] seems to indicate that using magic_quotes_gpc can be “somewhat secure” as long as one does not use the GBK character set and as long as the query parameters are properly quoted.
Does anyone know of an exploit that can SQL inject despite the presence of magic_quotes_gpc and properly quoted queries?
P.S. I’m well aware that best practice is to use prepared queries and to turn magic_quotes_gpc off. I’d prefer to back up my recommendation with an exploit if possible. ;-)
[1] http://www.hakipedia.com/index.php/SQL_Injection#addslashes.28.29_.26_magic_quotes_gpc
David Alan Hjelle
1 Corinthians 2:2
http://thehjellejar.com/
Check out Rita’s spoons.
If the app uses any kind of *_decode function, mq is bypassed.
An example, just one of the dozen you can find:
http://packetstormsecurity.com/files/57008/revokebb-sql.txt.html
On Wed, Feb 27, 2013 at 3:34 PM, David Alan Hjelle <dahjelle+webappsec.org@thehjellejar.com> wrote:
> This page [1] seems to indicate that using magic_quotes_gpc can be “somewhat
> secure” as long as one does not use the GBK character set and as long as the
> query parameters are properly quoted.
> Does anyone know of an exploit that can SQL inject despite the presence of
> magic_quotes_gpc and properly quoted queries?
> P.S. I’m well aware that best practice is to use prepared queries and to
> turn magic_quotes_gpc off. I’d prefer to back up my recommendation with an
> exploit if possible. ;-)
> [1] http://www.hakipedia.com/index.php/SQL_Injection#addslashes.28.29_.26_magic_quotes_gpc
> David Alan Hjelle
> 1 Corinthians 2:2
> http://thehjellejar.com/
> Check out Rita’s spoons.
--
BlackHawk - hawkgotyou@gmail.com
Experientia senum agilitas iuvenum.
Adversa fortiter. Dubia prudenter
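
The ordering problem behind the *_decode point in the reply, as an added example that is not part of either message: escaping applied to the request value cannot cover a quote that only appears after the application decodes it, while a bound parameter is unaffected. Assumptions: addslashes() stands in for magic_quotes_gpc (removed in PHP 5.4), the helper names and the sample value are constructed, and the pdo_sqlite extension is available.

```php
<?php
// Added example. magic_quotes_gpc no longer exists in current PHP, so its
// effect on a request value is emulated with addslashes() (an assumption).
function magic_quotes(string $v): string { return addslashes($v); }

// True when $s contains a single quote that is not escaped by a backslash.
function has_raw_quote(string $s): bool {
    for ($i = 0, $n = strlen($s); $i < $n; $i++) {
        if ($s[$i] === '\\') { $i++; continue; }  // skip the escaped character
        if ($s[$i] === "'") { return true; }
    }
    return false;
}

$name = "O'Brien";  // constructed, benign sample value containing a quote

// Case 1: the value arrives as-is, is escaped at input time, and stays escaped.
$plain = magic_quotes($name);

// Case 2: the value arrives base64-encoded. There is no quote to escape at
// input time; the application's own base64_decode() produces it afterwards.
$b64 = base64_decode(magic_quotes(base64_encode($name)));

// Case 3: the value is still URL-encoded (%27) after PHP's request decoding.
// Same ordering problem once the application calls urldecode() on it.
$url = urldecode(magic_quotes(rawurlencode($name)));

foreach (['plain' => $plain, 'base64_decode' => $b64, 'urldecode' => $url] as $path => $v) {
    printf("%-14s %-10s unescaped quote reaches SQL text: %s\n",
        $path, $v, has_raw_quote($v) ? 'yes' : 'no');
}

// Bound parameters keep the decoded value out of the SQL text entirely,
// so the order of decoding and escaping no longer matters.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');
$db->prepare('INSERT INTO users (name) VALUES (?)')->execute([$b64]);
$stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE name = ?');
$stmt->execute([$b64]);
echo "rows matched by bound lookup: ", $stmt->fetchColumn(), "\n";
```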