WebApp Sec mailing list archives
Re: Magic Quotes
From: Brad Lhotsky <lhotskyb () mail nih gov>
Date: Mon, 16 Oct 2006 17:29:12 -0400
It's bad programming practice to use the code you've demonstrated in production, with or without magic quotes. PHP suffers from too many bad tutorials. Much like Perl, the fact that it's easy to use from the beginning means there's a ton of bad code. The signal to noise ratio with PHP, even large php projects, is terribly low. Hopefully php6 will include lexical scopes regardless of the enclosing block. Don't write code like that. Use variable bindings, provided by MySQL Improved (http://www.php.net/manual/en/ref.mysqli.php). PHP is shaping the language in response to growing and much validated security concerns. It's not the language's job to protect the server as you so eloquently stated. Any good programming language should allow for the programmer to completely annihilate the server in exotic and creative ways. It's the job of the programmer and system administrator to protect the server. If you or your colleagues are writing code like your example, it might be wise to invest in Web Application Security training. At the very least, have your sysadmin compile Hardened-PHP and run through apache with mod_security enabled and locked down. DokFLeed wrote:
such a simple SQL like "SELECT * from USERS WHERE id =$id"; can lead to a total hack of the SERVER not just the web application. so far the only thing keeping it from happening is the magic quotes, so even with a dumb programmer, the server is safe coz of magic quotes, why is it going to be removed in php6 !!!! if you can insert your own PHP code into the database then run a select to dump the info to a file on the server using INTO OUTFILE '/home/z.php' as you can see the problem right now is the ' in the OUTFILE syntax, and it is magic quotes that is taking care of the server :) bottom line magic quotes rulez Dok ----- Original Message ----- From: "Steve Slater" <slater () handsonsecurity com> To: "DokFLeed" <dokfleed () dokfleed net>; <webappsec () securityfocus com> Sent: Wednesday, October 11, 2006 3:11 AM Subject: Re: Magic Quotes ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan today! https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ --------------------------------------------------------------------------
-- Brad Lhotsky <lhotskyb () grc nia nih gov> NCTS Computer Specialist Phone: 410.558.8006 "Freedom, Privacy, Security. Choose Two." ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire was recently named the worldwide market leader in Web application security assessment tools by both Gartner and IDC. Download a free trial of AppScan today and see why more customers choose AppScan then any other solution. https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTO --------------------------------------------------------------------------
Current thread:
- Google code search Stephen de Vries (Oct 04)
- Re: Google code search Zapotek (Oct 05)
- Re: Google code search Ryan Barnett (Oct 05)
- Magic Quotes DokFLeed (Oct 09)
- Message not available
- Re: Magic Quotes DokFLeed (Oct 10)
- Message not available
- Re: Magic Quotes Tomek Perlak (Oct 10)
- RE: Magic Quotes Matt Fisher (Oct 11)
- Re: Magic Quotes Steve Slater (Oct 11)
- Re: Magic Quotes DokFLeed (Oct 15)
- Re: Magic Quotes Brad Lhotsky (Oct 16)
- Message not available
- Re: Magic Quotes DokFLeed (Oct 17)
- Re: Magic Quotes Brad Lhotsky (Oct 17)
- Re: Magic Quotes DokFLeed (Oct 17)