Re: [Full-disclosure] SQL Injeciton.

From: Gabbar Sing (
Date: 08/20/05

  • Next message: "Re: [Full-disclosure] FrSIRT False Alarm"
    Date: Sat, 20 Aug 2005 01:42:36 -0400
    To: (Jeremy Bishop),

    Thanks I would definitely check on magic_quotes, but the fact is it escapes those characters, so theres no way...its succeptable to sql injection. and ofcourse i am asking this question here means the develper has not done any kind of sanitization checking. So, if SLQ injection is no possible even below given XXS wont be the case i guess,

    '><script>alert('ur hacked')</script>



    Jeremy Bishop <> wrote:

    >On Friday 19 August 2005 20:20, Gabbar Sing wrote:
    >> Hi,
    >> We have an internal web application written in PHP, in which the
    >> developer has got following line.
    >> At first sight I though its very much vulnerible to SQL Injection,
    >> but I am not just able to demonstrate it. As when i send the
    >> character " ' " it just escapes it before sending query to db as " '
    >> " thus failing my injection.
    >PHP has a feature known as magic quotes that can provide automatic
    >escaping of quotes in user-submitted data. I believe the configuration
    >variables to look at are "magic_quotes_gpc" and "magic_quotes_sybase",
    >or some variation on those; the documentation should be more revealing.
    >The developer may also have manually sanitized the data; I assume you
    >have checked for that already? The ideal means of handling input would
    >be to have the code check whether magic quotes are enabled and to take
    >appropriate action based on the result of that check.
    >My group's mission statement - 'You want *what* ? By *WHEN* ?'
    > -- Simon Burr
    >Full-Disclosure - We believe in it.
    >Hosted and sponsored by Secunia -

    Switch to Netscape Internet Service.
    As low as $9.95 a month -- Sign up today at

    Netscape. Just the Net You Need.

    New! Netscape Toolbar for Internet Explorer
    Search from anywhere on the Web and block those annoying pop-ups.
    Download now at
    Full-Disclosure - We believe in it.
    Hosted and sponsored by Secunia -

  • Next message: "Re: [Full-disclosure] FrSIRT False Alarm"