Security Basics mailing list archives
Re: magic_quotes
From: Christoph 'knurd' Jeschke <christoph.jeschke () gmail com>
Date: Mon, 27 Jun 2005 03:46:25 +0200
maarten () webfauna com wrote:
I agree that magic quotes is not a very nice solution. Although it makes it a little harder to manipulate queries, it will make your code less clear. Some strings in you application are escaped (from POST data) and some are not (e.g. from database.) Sometimes it's not completly clear what the origin of a variable (string) is.
FACK. Additional, magic_quotes are not reliable (some hosters deactivate that) and it could be easily forget, that a application relies on magic_quotes_*. So let Applications not rely on things, which can be easily switched off (e.g. safe_mode, open_basedir, automagic session_start, etc.) - not only for security reasons.
I think it's easier and safer if you can concider all strings to be unescaped and make sure you escape them in a query.
I think, it's most important to check every piece of data, which is not defined in the skript itself (including includes). This leads to be thrifty with data (KISS).
You need clear and easy to understand code to make your application secure.
FACK. KISS is very important in buildung secure applications.
In this case, I'd also use the intval() function. If you want an integer value, this makes sure it is.
Another way ist looking if data is valid (e.g. with reg exp) and handle violations as errors (and handle errors adequate, too). Sometimes, this violations can be esteemed as threat. But it's a case-by-case decition and no general advice. Greetings, Chris
Current thread:
- magic_quotes Pablo Fernández (Jun 20)
- RE: magic_quotes Steve Hillier (Jun 20)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 21)
- RE: magic_quotes Steve Hillier (Jun 22)
- Re: magic_quotes Pablo Fernández (Jun 22)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 22)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 21)
- RE: magic_quotes Steve Hillier (Jun 20)
- Re: magic_quotes Ben Sytko (Jun 20)
- <Possible follow-ups>
- Re: RE: magic_quotes miguel . vieira (Jun 22)
- Re: magic_quotes maarten (Jun 24)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 27)
- Re: magic_quotes mickael kael (Jun 27)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 28)
- Re: magic_quotes Tony Stahler (Jun 28)