Security Basics mailing list archives
AW: magic_quotes
From: "Michael Kluge" <michael.kluge () wundermedia de>
Date: Mon, 20 Jun 2005 17:31:22 +0200
Hello!

This is very unsafe! Imagine this case:

$DATA->id is "' OR (any_where_clause) OR id='"

So your SQL statement will be:

SELECT * FROM whatever WHERE id = '' OR (any_where_clause) OR id=''

So anybody can manipulate your SQL statement to return unwanted rows from your table. This is an SQL injection vulnerability. Better use something like mysql_escape_string(). See: http://www.php.net/manual/en/function.mysql-escape-string.php

Regards,
Michael.
Hi everybody,

I've been coding for the last couple of days with PHP+MySQL and I've been relying A LOT on magic_quotes. I am wondering if it's (at least for the moment) a safe thing to do. For example, consider the following code:

$GDATA = (object) $_GET;
$PDATA = (object) $_POST;
if ($_GET) $DATA = $GDATA; else $DATA = $PDATA; // test the array itself: an object cast from an empty array is still truthy
$q = mysql_query ("SELECT * FROM whatever WHERE id = '$DATA->id'");

How safe is this? I would appreciate hints & thoughts (TM)

Thanks,
Pablo Fernandez
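The problem Michael describes, shown as an added example that is not code from either post: the string-built query from Pablo's snippet next to the same lookup done with a PDO prepared statement. The DSN, credentials and the `whatever_db` database name are placeholders, the table `whatever` with an integer `id` column is assumed from the thread, and connect(), unsafeQuery() and findById() are this example's own names.

```php
<?php
// Added example for this thread (not code from the original posts): the
// string-built query from Pablo's message next to a parameterised version.
// Assumes a MySQL database and a table `whatever` with an integer `id` column;
// host, database name and credentials below are placeholders.

declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=whatever_db;charset=utf8mb4', // placeholder DSN
        'dbuser',                                                  // placeholder user
        'dbpass',                                                  // placeholder password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
        ]
    );
}

// Same request handling as the original snippet, but without the (object) casts:
// an array cast to object is always truthy, so the original always chose $_GET.
$data = $_GET ?: $_POST;
$id   = $data['id'] ?? '';

// 1. UNSAFE (what the original code does): the value becomes part of the SQL text.
//    With magic_quotes off, an id of  ' OR (any_where_clause) OR id='  turns the
//    WHERE clause into  id = '' OR (any_where_clause) OR id=''  exactly as Michael
//    shows. Kept here only for comparison; it is never executed below.
function unsafeQuery(string $id): string
{
    return "SELECT * FROM whatever WHERE id = '$id'";
}

// 2. SAFE: the SQL text is fixed at prepare time; the value is sent separately
//    and is compared to `id` as data, whatever quotes or keywords it contains.
function findById(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT * FROM whatever WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Belt and braces for this column: `id` is an integer, so reject anything else
// (including a non-string such as ?id[]=1) before it reaches the database.
if (!is_string($id) || !ctype_digit($id)) {
    http_response_code(400);
    exit('invalid id');
}

$rows = findById(connect(), $id);
header('Content-Type: application/json');
echo json_encode($rows);
```

Prepared statements are the fix to reach for rather than escaping: escaping only protects a value that lands inside a quoted string literal, and only when the escaper knows the connection's character set, which is why mysql_real_escape_string() superseded the mysql_escape_string() linked above. Neither option survives today's PHP anyway: magic_quotes_gpc was removed in PHP 5.4 and the whole mysql_* extension in PHP 7.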
Current thread:
- AW: magic_quotes Michael Kluge (Jun 20)
- Re: AW: magic_quotes Pablo Fernández (Jun 20)