WebApp Sec mailing list archives
Re: Security of magic_quotes_gpc under PHP against SQL injection
From: Peter Conrad <conrad () tivano de>
Date: Mon, 12 Dec 2005 10:58:20 +0100
Hi,

On Sunday, 11 December 2005 07:55, Todd Hendricks wrote:

> My question is, what are some ways around magic_quotes that I need to watch out for...

As always, it depends on how you use it. E.g. it's mostly useless if your statements look like ... SELECT whatever FROM wherever WHERE id = $input ... Also, some databases don't consider the backslash an escape character. And I've seen cases where some kind of (incomplete) double-escaping was done, cancelling out the effect of magic_quotes. (I.e. ' was turned into \\'.)

> And as a follow-up, if it's such a bad security idea, why was it included at all, much less enabled by default (this seems to smack of the register_globals problem, only to a lesser extent)?

Like most of PHP's "security features", it was introduced as a workaround for stupid developers who don't know or care about security. Like most of PHP's "security features", it works some of the time but in the end fails to be a complete solution to the underlying problem, i.e. developer incompetence. It's a bad security idea because it gives developers a warm, fuzzy feeling instead of encouraging them to *learn* secure programming.

Bye,
Peter
--
Peter Conrad                    Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH         Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                  http://www.tivano.de/
63263 Neu-Isenburg
Germany
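The three failure modes Peter describes (an unquoted numeric context that addslashes-style escaping never touches, a database that does not treat the backslash as an escape character, and a second escaping layer that turns \' into \\') can be reproduced in a few lines. The following is an added example written for this archive page; it is not code from the original post, from PHP, or from any project mentioned in the thread. It emulates PHP's addslashes() in Python (the function magic_quotes_gpc applies), uses SQLite's in-memory database to stand in for "a database that doesn't consider the backslash an escape character", and the users table, its two rows and all inputs are constructed for the example.

```python
"""Added illustration, not from the original post: how an addslashes()-style
layer such as magic_quotes_gpc fails in the three situations the reply lists,
next to the bound-parameter alternative. Table, rows and inputs are constructed."""
import sqlite3


def addslashes(s: str) -> str:
    """Emulate PHP's addslashes(): backslash-escape ', ", \\ and NUL."""
    out = []
    for ch in s:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def magic_then_backslash_doubled(s: str) -> str:
    """The incomplete double escaping the post describes: magic quotes turn
    a quote into backslash-quote, a second layer then doubles the backslash,
    leaving an escaped backslash followed by a live quote."""
    return addslashes(s).replace("\\", "\\\\")


def literal_breaks_out(fragment: str) -> bool:
    """Scan a fragment destined for '...' on a database that honours backslash
    escapes (e.g. MySQL). True if an unescaped single quote would end the
    literal early, i.e. the escaping did not hold."""
    i = 0
    while i < len(fragment):
        if fragment[i] == "\\":
            i += 2  # backslash escapes the next character
            continue
        if fragment[i] == "'":
            return True
        i += 1
    return False


def _fixture() -> sqlite3.Connection:
    """Constructed sample table (assumption for this example only)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [(1, "O'Brien"), (2, "alice")])
    return con


def sqlite_rejects_backslash_escape() -> bool:
    """Failure mode 2: SQLite expects '' inside literals and gives backslash no
    special meaning, so an addslashes()-escaped value does not even parse.
    Returns True if SQLite refuses the statement."""
    con = _fixture()
    sql = "SELECT id FROM users WHERE name = '" + addslashes("O'Brien") + "'"
    try:
        con.execute(sql)
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        con.close()


def lookup_by_name_safely(name: str) -> list:
    """Mitigation: bind the value. The driver keeps data and SQL apart, so no
    quoting layer in the web tier has to be trusted."""
    con = _fixture()
    try:
        rows = con.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def lookup_by_id_safely(user_id: str):
    """Failure mode 1 (unquoted numeric context) is fixed by type, not by
    quoting: reject anything that is not an integer, then bind it.
    Returns None for input that is not a number."""
    try:
        uid = int(user_id)
    except ValueError:
        return None
    con = _fixture()
    try:
        rows = con.execute("SELECT name FROM users WHERE id = ?", (uid,)).fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    print("numeric input without quotes passes through unchanged:",
          addslashes("1 OR 1=1") == "1 OR 1=1")
    print("double-escaped quote is live:",
          literal_breaks_out(magic_then_backslash_doubled("O'Brien")))
    print("SQLite rejects backslash escaping:", sqlite_rejects_backslash_escape())
    print("bound lookup:", lookup_by_name_safely("O'Brien"))
```

literal_breaks_out() is the check worth keeping around when auditing legacy code: run it over whatever a quoting layer emits and it tells you whether the value still terminates the literal. The two lookup functions show why the thread's answer is binding rather than better escaping: the numeric case needs a type check, the string case needs the driver to carry the value separately from the SQL, and neither depends on the database's escape syntax.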
Current thread:
- Security of magic_quotes_gpc under PHP against SQL injection Todd Hendricks (Dec 10)
- Re: Security of magic_quotes_gpc under PHP against SQL injection Steve Slater (Dec 11)
- Re: Security of magic_quotes_gpc under PHP against SQL injection Peter Conrad (Dec 12)
- Re: Security of magic_quotes_gpc under PHP against SQL injection ascii (Dec 12)
- Re: Security of magic_quotes_gpc under PHP against SQL injection Stefano Di Paola (Dec 18)
- Re: Security of magic_quotes_gpc under PHP against SQL injection ascii (Dec 12)