At 11:56 PM 5/28/02 +0000, Jacek Lach wrote: >Hi, > >I hope the list is right :-) You might get more help from the webappsec list. >Does the magic_quotes in php's configuration resolves the problem of sql >injection? Is this technique still a risk when the option is enabled? >Most documentation I found was presenting ASP examples, but simple entering ' >character doesn't work when this option is enabled (which is set in default >configuration). >Thanks for any answers and/or references on the subject. AFAIK magic_quotes is a bad[1] idea and design. It is a bad idea to combine input filtering with output filtering. You risk ending up with corrupted and inappropriately filtered data. For example if your app ever submits quoted data to itself (or other applications that don't require quoting) you end up misquoting. You start seeing stuff like \' in all the wrong places. Filters should be kept separate where possible. The various inputs to your app should be filtered so your app can cope, output to browsers should be filtered accordingly, output to different databases should be filtered accordingly and so on. If you find a program using magic_quotes, it's likely to have bad problems elsewhere. If the programmer forgets to put certain variables between single quotes, magic_quotes won't protect them. Cheerio, Link. [1] I'm strongly tempted to use much harsher words, thus this footnote ;).
This archive was generated by hypermail 2b30 : Wed May 29 2002 - 13:37:55 PDT