Security Basics mailing list archives
Re: magic_quotes
From: "Tony Stahler" <TStahler () tempographics com>
Date: Tue, 28 Jun 2005 08:39:36 -0500
This situation comes into play when urldecode (or a similar function) is called more than once - a common mistake, especially in PHP bulletin boards. $input_data = '%2527'; $input_data = urldecode($input_data); // causes it to become %27 // we do some other stuff and forget we already decoded it... or maybe we merged new data that wasn't decoded so we decoded the whole thing again - bad idea I know, but it could happen. $input_data = urldecode($input_data); // now we have a variable with one or more single quotes in it - problem if we try to access a database with it, especially if it was given to us maliciously. If you look in the bugtraq archives at phpbb, invision, or vbulletin you'll probably find one or more errors involving urldecode or similar functions. -Tony
mickael kael <mickael.kael () gmail com> 06/25/05 08:35AM >>>
Hello, Sorry to deviate the subject of the thread. I see some code which use %2527 to bypass magic_quotes because %25 correspond to %. I try this technic with this code (this is just a code for testing) code : $sql = "SELECT nom FROM log where id='$id'"; url : test.php?id=999%2527%20UNION%20ALL%20SELECT%20nom%20FROM%20log%20where%20id=1/* result : SELECT nom FROM log where id='999%27 UNION ALL SELECT nom FROM log where id=1/*' But it don't work, i think, Mysql not interpret %27. I read on the thread that it is possible to bypass magic_quotes, but i don't find any solution. So if someone say it is possible, it will be interessant to have a poc. Thanks in advance, Mk, On 23 Jun 2005 08:30:59 -0000, maarten () webfauna com <maarten () webfauna com> wrote:
I agree that magic quotes is not a very nice solution. Although it
makes it a little harder to manipulate queries, it will make your code less clear. Some strings in you application are escaped (from POST data) and some are not (e.g. from database.) Sometimes it's not completly clear what the origin of a variable (string) is.
I think it's easier and safer if you can concider all strings to be
unescaped and make sure you escape them in a query.
You need clear and easy to understand code to make your application
secure.
In this case, I'd also use the intval() function. If you want an
integer value, this makes sure it is.
Greets, Maarten
Current thread:
- Re: magic_quotes, (continued)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 21)
- RE: magic_quotes Steve Hillier (Jun 22)
- Re: magic_quotes Pablo Fernández (Jun 22)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 22)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 21)
- Re: magic_quotes Ben Sytko (Jun 20)
- Re: RE: magic_quotes miguel . vieira (Jun 22)
- Re: magic_quotes maarten (Jun 24)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 27)
- Re: magic_quotes mickael kael (Jun 27)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 28)
- Re: magic_quotes Tony Stahler (Jun 28)