[Jacek Lach]
| Does the magic_quotes in php's configuration resolve the problem of sql
| injection?

No.

| Is this technique still a risk when the option is enabled?

Yes.

| Most documentation I found was presenting ASP examples, but simply
| entering ' character doesn't work when this option is enabled
| (which is set in default configuration).

You can do much damage without using the quote character:

http://example.com/show.php?id=3;+DELETE+FROM+Customer

Make the server work: Imagine a database with millions of entries, from which one normally only sees one at a time:

http://example.com/show.php?id=3+OR+TRUE

And I guess there is much more that can be done by creative intruders. As always.

Sverre.

--
shhat_private
Computer Geek? Try my Nerd Quiz
http://shh.thathost.com/
http://nerdquiz.thathost.com/
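The point Sverre makes above is that magic_quotes only backslash-escapes quote characters, so a numeric parameter that is concatenated into the query unquoted is not protected at all. The following is an added illustration, not code from the thread or from PHP: it uses Python's built-in sqlite3 module in place of PHP/MySQL, a small `addslashes` helper that mimics what magic_quotes_gpc does to request data, a constructed in-memory `Customer` table, and the post's `id=3 OR TRUE` idea written as `3 OR 1=1`. It shows the escaped-and-concatenated query returning every row, and the fix a defender would apply: validate that the id is an integer and bind it as a query parameter.

```python
import re
import sqlite3


def addslashes(value: str) -> str:
    """Mimic PHP's magic_quotes_gpc / addslashes(): escape backslashes and quotes only."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny Customer table, standing in for the post's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customer (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO Customer (id, name) VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    conn.commit()
    return conn


def show_escaped(conn: sqlite3.Connection, raw_id: str) -> list:
    """Vulnerable pattern: rely on magic_quotes-style escaping, then concatenate the
    value into an unquoted numeric comparison. No quote is needed to change the WHERE."""
    sql = "SELECT id, name FROM Customer WHERE id = " + addslashes(raw_id)
    return conn.execute(sql).fetchall()


def is_valid_id(raw_id: str) -> bool:
    """Allow-list check: an id is a plain decimal integer, nothing else."""
    return re.fullmatch(r"[0-9]+", raw_id) is not None


def show_parameterized(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened pattern: validate the type, then bind the value as a parameter so the
    database never parses request data as SQL."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, name FROM Customer WHERE id = ?", (int(raw_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("escaped, id=3        ->", show_escaped(db, "3"))
    print("escaped, id=3 OR 1=1 ->", show_escaped(db, "3 OR 1=1"))
    print("bound,   id=3        ->", show_parameterized(db, "3"))
    try:
        show_parameterized(db, "3 OR 1=1")
    except ValueError as exc:
        print("bound,   id=3 OR 1=1 -> rejected:", exc)
```

Running it prints one row for `id=3` in both versions, all three rows for the escaped version with `3 OR 1=1`, and a rejection from the parameterized version. The same applies to the `;+DELETE` URL in the post: escaping quotes does nothing to a semicolon, so the only reliable defences are type validation of the parameter and a prepared statement (or, at minimum, an integer cast before concatenation).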
This archive was generated by hypermail 2b30 : Wed May 29 2002 - 10:08:48 PDT