Re: Magic Quotes

[Brad Lhotsky <lhotskyb () mail nih gov>]

It's bad programming practice to use the code you've demonstrated in
production, with or without magic quotes.  PHP suffers from too many bad
tutorials.  Much like Perl, the fact that it's easy to use from the
beginning means there's a ton of bad code.  The signal to noise ratio
with PHP, even large php projects, is terribly low.

Hopefully php6 will include lexical scopes regardless of the enclosing
block.

Don't write code like that.  Use variable bindings, provided by MySQL
Improved (http://www.php.net/manual/en/ref.mysqli.php).  PHP is shaping
the language in response to growing and much validated security
concerns.  It's not the language's job to protect the server as you so
eloquently stated.  Any good programming language should allow for the
programmer to completely annihilate the server in exotic and creative ways.

It's the job of the programmer and system administrator to protect the
server.  If you or your colleagues are writing code like your example,
it might be wise to invest in Web Application Security training.  At the
very least, have your sysadmin compile Hardened-PHP and run through
apache with mod_security enabled and locked down.

DokFLeed wrote:
> such a simple SQL like
> "SELECT * from USERS WHERE id =$id";
> can lead to a total hack of the SERVER not just the web application.
> so far the only thing keeping it from happening is the magic quotes,
> so even with a dumb programmer, the server is safe coz of magic quotes,
> why is it going to be removed in php6 !!!!
> if you can insert your own PHP code into the database then
> run a select to  dump the info to a file on the server using INTO
> OUTFILE '/home/z.php'
> as you can see the problem right now is the ' in the OUTFILE syntax, and
> it is magic quotes that is taking care of the server :)
>
> bottom line magic quotes rulez
>
> Dok
>
> ----- Original Message ----- From: "Steve Slater"
> <slater () handsonsecurity com>
> To: "DokFLeed" <dokfleed () dokfleed net>; <webappsec () securityfocus com>
> Sent: Wednesday, October 11, 2006 3:11 AM
> Subject: Re: Magic Quotes
>
>
>
>
> -------------------------------------------------------------------------
> Sponsored by: Watchfire
>
> Watchfire's AppScan is the industry's first and leading web application
> security testing suite, and the only solution to provide comprehensive
> remediation tasks at every level of the application. See for yourself.
> Download a Free Trial of AppScan today!
>
> https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ
> --------------------------------------------------------------------------

-- 
Brad Lhotsky <lhotskyb () grc nia nih gov>
NCTS Computer Specialist
Phone: 410.558.8006
"Freedom, Privacy, Security.  Choose Two."

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire was recently named the worldwide market leader in Web 
application security assessment tools by both Gartner and IDC. Download a 
free trial of AppScan today and see why more customers choose AppScan 
then any other solution.

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTO
--------------------------------------------------------------------------