WebApp Sec mailing list archives
Security of magic_quotes_gpc under PHP against SQL injection
From: Todd Hendricks <djtrubeliever () comcast net>
Date: Sun, 11 Dec 2005 00:55:38 -0600
I'm very curious as to what level of protection magic quotes provides against SQL injection attacks (for MySQL, specifically) under PHP. I have a rather lengthy app that relies upon magic_quotes_gpc to sanitize database input, and information that goes straight back to the presentation layer from a form is then stripslashes'd.

My question is, what are some ways around magic_quotes that I need to watch out for? And as a follow-up, if it's such a bad security idea, why was it included at all, much less enabled by default (this seems to smack of the register_globals problem, only to a lesser extent)?

I do understand that it would be a good idea to redo the entire app using mysql_real_escape, but in this single-developer environment, I'd like to avoid doing a massive revamp unless it's of penultimate importance to do so, because that cuts into feature/usability development time.

Regards,
- Todd
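The question above asks what magic_quotes_gpc actually buys against SQL injection. The block below is an added example, not code from the post or from PHP itself: it re-implements PHP's addslashes() (which is all magic_quotes_gpc does) byte for byte in Python, then shows three situations in which a query built from magic-quoted input still ends up with attacker-controlled SQL syntax: a numeric column compared without quotes, a multibyte connection charset (GBK) that swallows the inserted backslash, and second-order use of a value that was correctly escaped on the way into the database but is unescaped once it comes back out. The table name `users`, the payloads and the helper names are constructed for the example.

```python
"""
Added example (not from the original post): a byte-level model of what
magic_quotes_gpc does and three places it gives no protection.
All payloads below are constructed for illustration; 'users' is a
hypothetical table name.
"""


def addslashes(data: bytes) -> bytes:
    """PHP addslashes()/magic_quotes_gpc: a backslash before ', ", \\ and NUL,
    applied byte by byte with no knowledge of the connection charset."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def stripslashes(data: bytes) -> bytes:
    """PHP stripslashes(): drop each backslash and keep the byte after it.
    MySQL's literal parser leaves the same bytes in the table for these inputs."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0x5C and i + 1 < len(data):
            i += 1
        out.append(data[i])
        i += 1
    return bytes(out)


def sql_skeleton(sql: str) -> str:
    """Replace every single-quoted literal (backslash escapes honoured) with ?,
    cut the statement at a '-- ' comment and collapse whitespace. What is left
    is the syntax the server would execute, which is what injection changes."""
    out, i, n = [], 0, len(sql)
    while i < n:
        if sql[i] == "'":
            out.append("?")
            i += 1
            while i < n and sql[i] != "'":
                i += 2 if sql[i] == "\\" else 1
            i += 1
        elif sql.startswith("-- ", i):
            break
        else:
            out.append(sql[i])
            i += 1
    return " ".join("".join(out).split())


# Case 1: quoted string context, decoded under the connection charset.
def string_skeleton(payload: bytes, charset: str) -> str:
    query = b"SELECT * FROM users WHERE name = '" + addslashes(payload) + b"'"
    return sql_skeleton(query.decode(charset))


# Case 2: numeric context. No quotes around the value, so nothing is escaped.
def numeric_skeleton(payload: bytes) -> str:
    query = b"SELECT * FROM users WHERE id = " + addslashes(payload)
    return sql_skeleton(query.decode("latin-1"))


# Case 3: second order. Magic quotes run once, on the request. The value the
# server stores is unescaped, so reusing it in a later query is unprotected.
def second_order_skeleton(submitted_name: bytes) -> str:
    stored = stripslashes(addslashes(submitted_name))  # what lands in the table
    later = b"UPDATE users SET last_seen = NOW() WHERE name = '" + stored + b"'"
    return sql_skeleton(later.decode("latin-1"))


# Constructed payloads. 0xBF27 is the classic GBK case: after addslashes the
# bytes are BF 5C 27, and a GBK connection reads BF 5C as one character,
# leaving the 0x27 quote unescaped.
MULTIBYTE_PAYLOAD = b"\xbf' OR 1=1 -- "
NUMERIC_PAYLOAD = b"1 OR 1=1"
SECOND_ORDER_NAME = b"x' OR 1=1 -- "

if __name__ == "__main__":
    print("latin-1 :", string_skeleton(MULTIBYTE_PAYLOAD, "latin-1"))
    print("gbk     :", string_skeleton(MULTIBYTE_PAYLOAD, "gbk"))
    print("numeric :", numeric_skeleton(NUMERIC_PAYLOAD))
    print("2nd ord :", second_order_skeleton(SECOND_ORDER_NAME))
```

Only the single-byte string case comes out with the value confined to a literal; in the other three the skeleton gains an `OR 1=1`. The practical reading: escaping is a property of a specific query, a specific quoting context and a specific connection charset, and magic_quotes_gpc knows none of the three. mysql_real_escape_string() is charset-aware only for the charset the client library was told about (a charset switched purely by sending `SET NAMES` is not visible to it), and it still does nothing for unquoted numeric contexts, where a cast to int is the fix. Prepared statements with bound parameters sidestep all three cases because the value never becomes part of the SQL text.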
Current thread:
- Security of magic_quotes_gpc under PHP against SQL injection Todd Hendricks (Dec 10)
- Re: Security of magic_quotes_gpc under PHP against SQL injection Steve Slater (Dec 11)
- Re: Security of magic_quotes_gpc under PHP against SQL injection Peter Conrad (Dec 12)
- Re: Security of magic_quotes_gpc under PHP against SQL injection ascii (Dec 12)
- Re: Security of magic_quotes_gpc under PHP against SQL injection Stefano Di Paola (Dec 18)
- Re: Security of magic_quotes_gpc under PHP against SQL injection ascii (Dec 12)