Bugtraq mailing list archives
Re: TWIG SQL query bugs
From: Gunther Birznieks <gunther () extropia com>
Date: Sat, 02 Jun 2001 19:37:53 +0800
At 09:48 AM 5/31/2001 -0700, kj wrote:
> > PHP used to have an option to automatically use addslashes() on any variable passed to it via POST or GET. Please see your PHP.INI file and set the appropriate setting for "magic_quotes_gpc"
>
> Isn't the "magic_quotes_gpc" only for GET/POST/COOKIES? For SQL statements to dbs I think you need to initialize magic_quotes_runtime for the addslashes() default.
The problem with magic_quotes_gpc is that it is a global variable in PHP. Many sysadmins turn it off because they may be using a program that requires them not to be escaped. At least I understand this from a talk on advanced PHP techniques someone gave at ApacheCon a few months ago.
Unfortunately, I don't think magic_quotes_runtime is on by default if it does what you say. The manual says it affects DB routines that return data, which implies it affects data returned; it doesn't mention anything about the DB routines that only accept input parameters and never return anything.
Maybe someone with more PHP experience and a handy PHP engine could verify this.
Many of the books that I have seen on PHP *assume* when they teach programmers that magic_quotes_gpc is ON in their security model because this is how PHP is set up by default.
Unfortunately, this is not the truth and I can only imagine that there must be many PHP scripts out there that also follow this assumption -- because the people who write the code are probably reading these books and learning to code that way.
> K.J.
__________________________________________________
Gunther Birznieks (gunther.birznieks () eXtropia com)
eXtropia - The Open Web Technology Company
http://www.eXtropia.com/
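One way to stop a script from depending on the global setting the thread discusses, as an added example that is not part of the original message or of TWIG: undo magic_quotes_gpc when it happens to be on, so the code always handles raw input, and then escape explicitly (or, better, parameterize) at the point the value enters SQL. The function names raw_gpc and sql_quote and the input value are chosen here for illustration.

```php
<?php
// Added example (not from the thread): make a script behave the same whether
// magic_quotes_gpc is on or off, then escape at the SQL boundary explicitly.
//
// Assumes a PHP version where get_magic_quotes_gpc() still exists (PHP 4/5;
// it is removed in PHP 8, where magic quotes are gone and the normalisation
// below is simply a no-op).

// Undo magic_quotes_gpc if it is enabled, so callers always see the raw value.
function raw_gpc($value)
{
    if (is_array($value)) {
        return array_map('raw_gpc', $value);
    }
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Quote a raw value for use inside an SQL string literal. addslashes() is used
// only because it is what the thread discusses; for a real DBMS use the
// driver's own escaping function or, preferably, a prepared statement.
function sql_quote($raw)
{
    return "'" . addslashes($raw) . "'";
}

// Constructed input, as a script would receive it with magic_quotes_gpc OFF
// (the case the books mentioned in the thread assume never happens).
$input = "O'Brien";
$query = "SELECT * FROM users WHERE name = " . sql_quote(raw_gpc($input));
// $query is now: SELECT * FROM users WHERE name = 'O\'Brien'

// With magic_quotes_gpc ON the same request would arrive as "O\'Brien";
// raw_gpc() strips that backslash first, so the value is escaped exactly once
// rather than twice, and an admin turning the setting off does not silently
// leave the quote unescaped.
```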