WebApp Sec mailing list archives

Re: Anyone have some basic security tips for PHP-programmers?


From: Härnhammar, Ulf <Ulf.Harnhammar.9485 () student uu se>
Date: Sat, 22 Nov 2003 22:41:52 +0100

Quoting tim () xi co nz:

From my point of view, magic_quotes is a bad idea, because
it can't possibly cover every way data can enter your
script, and it's counterproductive when you want to do other
things with that data.

I agree.

One more argument against magic quotes is that they provide a false sense of 
security, by not helping against some common cases of SQL Injections: the ones 
where you don't need to use any apostrophes or quotes.

$id = "id #";
$sql = "DELETE FROM table WHERE id=$id AND permission=7";

Now $sql has the value "DELETE FROM table WHERE id=id # AND permission=7". 
Magic quotes won't help against that at all.

Another argument against magic quotes is that they are switched on in php.ini. 
If you are not the system administrator of your web site (common for hobbyists 
or smaller companies), you may not have control over php.ini. Even if you do, 
things can get awkward with different PHP scripts on the same server that 
require different settings. A really good PHP application should therefore work 
equally well no matter the value of php.ini settings like register_globals and 
magic_quotes_gpc.

-- 
Ulf Härnhammar, student, Uppsala universitet

"I am a dubious figure / Not good for much"
-- Cornelis Vreeswijk, "Somliga går med trasiga skor"

Uggs != Cmectbb
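The no-quotes injection from the message above, next to input handling that neither relies on nor breaks under magic_quotes_gpc, as an added example that is not part of the original post. The function names, the `table` name and the sample inputs are made up for this illustration.

```php
<?php
// Added example (not from the original post). Shows why magic quotes
// do nothing for a numeric injection and how to validate such input
// without caring whether magic_quotes_gpc is on or off.

// Give back the value exactly as the client sent it. If magic quotes
// added backslashes, remove them; if the feature is absent (it was
// removed in PHP 8, hence the function_exists() guard), pass through.
function raw_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// The pattern from the post: $id lands in a numeric context, so no
// apostrophe is needed and magic quotes leave the value untouched.
function delete_sql_unsafe($id) {
    return "DELETE FROM table WHERE id=$id AND permission=7";
}

// Hardened version: only a string of digits is accepted, everything
// else is refused before any SQL is built. A "#" or a space can never
// reach the query, regardless of php.ini.
function delete_sql_checked($id) {
    if (!preg_match('/^[0-9]+$/', $id)) {
        return null;            // caller should treat this as a bad request
    }
    return "DELETE FROM table WHERE id=" . (int) $id . " AND permission=7";
}

// Constructed sample inputs standing in for $_GET['id'] / $_POST['id'].
$hostile_id = raw_input("id #");
$normal_id  = raw_input("42");

// Unsafe builder: the "#" starts a MySQL comment and swallows the
// "AND permission=7" clause, exactly as described in the post.
echo delete_sql_unsafe($hostile_id), "\n";

// Checked builder: the hostile value is rejected, the normal one passes.
var_dump(delete_sql_checked($hostile_id));
echo delete_sql_checked($normal_id), "\n";
```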

