Re: Magic Quotes question

From: Tim <tim-pentest@xxxxxxxxxxxxxxxxxxx>
Date: Sat, 20 Jan 2007 10:05:32 -0500

Why wouldnt you just put the escape function inside of the database
query et al API function and then make a run-time configuration where
it could be turned off? So that only strings passed to the database
are escaped, they are always escaped unless you specifically turn it
off and its use is transparent to the end user? i.e.

EXPORTED_API_T
database_query(query, ...)
{
if (getconfig->add_slashes)
add_slashes(query);

db_query(query, ...);
}

That's the whole idea behind perpared statements, and you should always
use them. For a while PHP didn't even have this kind of API (does it
even have that now?), which is quite alarming, but more sensible
languages (e.g. Perl, Python, etc) have had them for a long time.

For those not familiar, a prepared statement in Python might look like:

query = "SELECT * FROM foo WHERE firstname=?"
cursor->execute(query, "Joe")

Notice how nice it is to have a decent API? No work on your part and no
foolish hacks like addslashes() or magic quotes.

tim

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

Follow-Ups:
- Wikto and googling
  - From: Nicolás F . Iglesias
- Re: Magic Quotes question
  - From: Sanjay R

References:
- Announcement: The Cross-site Request Forgery FAQ
  - From: bugtraq
- Magic Quotes question
  - From: DokFLeed
- Re: Magic Quotes question
  - From: Ronald Chmara
- Re: Magic Quotes question
  - From: Justin Ferguson

Prev by Date: Re: Magic Quotes question
Next by Date: Re: Apache Concurrent Users
Previous by thread: Re: Magic Quotes question
Next by thread: Re: Magic Quotes question
Index(es):
- Date
- Thread

Relevant Pages

Re: Accessors in Python (getters and setters)
... used it in 27000 lines of Python code (which certainly took some time to ... Naming attributes and naming methods are entirely different ... operator only to callables, but this doesn't make such a difference ... But it's *your* responsability to choose good names for the API.> ...
(comp.lang.python)
Re: zlib interface semi-broken
... implement one-shot de/compression of strings. ... functions that do one-shot compression and decompression. ... That file interface could form a third API, ... conform to what python expects of files. ...
(comp.lang.python)
Re: Accessors in Python (getters and setters)
... used it in 27000 lines of Python code (which certainly took some time to ... develops might misinterpret exactly what "tmp" does. ... Failing to understand a language semantics ... But it's *your* responsability to choose good names for the API.> ...
(comp.lang.python)
Re: Whats so funny? WAS Re: rotor replacement
... I don't disagree about the API. ... AES module (or rather, a generic block cipher module with AES and DES) ... if I want ECC in a Python ...
(comp.lang.python)
Re: OpenGL
... It was originally written in pure Python C-extension code, then Tarn rewrote it using SWIG a few years ago. ... OpenGL-ctypes is in the PyOpenGL CVS repository, it's a ctypes re-re-implementation of the same Python API to OpenGL. ... Basically any array type can be registered with handlers that let you tell the system how to do basic operations; get an array's size, shape, data-type, convert to a given data-format, build an "empty" array of a given size, that kind of thing. ...
(comp.lang.python)