WebApp Sec mailing list archives

Re: Security of magic_quotes_gpc under PHP against SQL injection


From: Peter Conrad <conrad () tivano de>
Date: Mon, 12 Dec 2005 10:58:20 +0100

Hi,

On Sunday, 11 December 2005 07:55, Todd Hendricks wrote:

> My question is, what are some ways around magic_quotes that I need to watch
> out for..

As always, it depends on how you use it. E.g. it's mostly useless if your
statements look like

... SELECT whatever FROM whereever WHERE id = $input ...

Also, some databases don't consider the backslash an escape character.
And I've seen cases where some kind of (incomplete) double-escaping was
done, cancelling out the effect of magic_quotes. (I.e. ' was turned
into \\'.)

> and as a followup, if it's such a bad security idea, why was it
> included at all much less enabled by default (this seems to smack of the
> register_globals problem, only to a lesser extent)?

Like most of PHP's "security features" it was introduced as a workaround
for stupid developers who don't know or care about security. Like most of
PHP's "security features", it works some of the time but in the end
fails to be a complete solution to the underlying problem, i. e. developer
incompetence. It's a bad security idea because it gives developers a
warm, fuzzy feeling instead of encouraging them to *learn* secure
programming.

Bye,
        Peter
-- 
Peter Conrad                        Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH             Fax: +49 6102 / 80 99 071
Bahnhofstr. 18                      http://www.tivano.de/
63263 Neu-Isenburg
Germany
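The two failure modes Peter describes (an unquoted numeric comparison, and backslash-only double-escaping that turns a magic-quoted ' into \\') are easy to reproduce. The script below is an added illustration, not code from the thread or from PHP itself; it simulates magic_quotes_gpc with addslashes(), then shows the approach that does not depend on magic_quotes at all: validate the type and bind the value. It assumes PHP 7 or later with the pdo_sqlite extension; the table, rows and inputs are constructed for the example.

```php
<?php
// Added example (not from the original thread). Reproduces the two weaknesses
// named in the post and contrasts them with type validation plus a bound parameter.
// Assumes PHP >= 7 with pdo_sqlite; table, rows and inputs are constructed here.

// magic_quotes_gpc applied addslashes() to every GET/POST/COOKIE value.
function magic_quotes(string $raw): string
{
    return addslashes($raw);
}

// Pattern from the post: the value is interpolated with no surrounding quotes,
// so an input that contains neither quote nor backslash passes through untouched.
function unquoted_query(string $input): string
{
    return "SELECT whatever FROM whereever WHERE id = " . magic_quotes($input);
}

// The post's "incomplete double-escaping": a second pass that escapes only
// backslashes, run after magic quotes. The magic-quoted \' becomes \\' : the
// database reads \\ as one literal backslash and the quote is live again.
function backslash_only_escape(string $s): string
{
    return str_replace('\\', '\\\\', $s);
}

// Constructed input with no quote or backslash: addslashes() has nothing to escape
// and the statement's structure is changed anyway.
echo unquoted_query("1 OR 1=1"), "\n";
// SELECT whatever FROM whereever WHERE id = 1 OR 1=1

echo backslash_only_escape(magic_quotes("'")), "\n";
// \\'

// What works regardless of magic_quotes: reject anything that is not an integer,
// then bind the value so the database never parses it as SQL.
function lookup_by_id(PDO $db, string $input): array
{
    $id = filter_var($input, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];                      // not an integer: nothing to look up
    }
    $stmt = $db->prepare('SELECT name FROM things WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory table for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE things (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO things VALUES (1, 'one'), (2, 'two'), (3, 'three')");

var_dump(lookup_by_id($db, '2'));          // one row: "two"
var_dump(lookup_by_id($db, '1 OR 1=1'));   // empty array: rejected before any query runs
```

The validation step matters independently of the bound parameter: with PDO::PARAM_INT alone, a non-numeric string would be coerced rather than refused, so a check such as filter_var() keeps the error visible instead of silently querying for id 1.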

