Re: sql injection and php
From: Lincoln Yeoh (lyeoh@pop.jaring.my)Date: 05/29/02
- Previous message: Sverre H. Huseby: "Re: sql injection and php"
- In reply to: Jacek Lach: "sql injection and php"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 30 May 2002 04:25:19 +0800 To: Jacek Lach <jlach@utopia.pl.eu.org>, vuln-dev@securityfocus.com From: Lincoln Yeoh <lyeoh@pop.jaring.my>
At 11:56 PM 5/28/02 +0000, Jacek Lach wrote:
>Hi,
>
>I hope the list is right :-)
You might get more help from the webappsec list.
>Does the magic_quotes in php's configuration resolves the problem of sql
>injection? Is this technique still a risk when the option is enabled?
>Most documentation I found was presenting ASP examples, but simple entering '
>character doesn't work when this option is enabled (which is set in default
>configuration).
>Thanks for any answers and/or references on the subject.
AFAIK magic_quotes is a bad[1] idea and design.
It is a bad idea to combine input filtering with output filtering.
You risk ending up with corrupted and inappropriately filtered data.
For example if your app ever submits quoted data to itself (or other
applications that don't require quoting) you end up misquoting. You start
seeing stuff like \' in all the wrong places.
Filters should be kept separate where possible. The various inputs to your
app should be filtered so your app can cope, output to browsers should be
filtered accordingly, output to different databases should be filtered
accordingly and so on.
If you find a program using magic_quotes, it's likely to have bad problems
elsewhere. If the programmer forgets to put certain variables between
single quotes, magic_quotes won't protect them.
Cheerio,
Link.
[1] I'm strongly tempted to use much harsher words, thus this footnote ;).
- Previous message: Sverre H. Huseby: "Re: sql injection and php"
- In reply to: Jacek Lach: "sql injection and php"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
