Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Magic Quotes question

from [Sanjay R] Network Security [Permanent Link]
Subject: Re: Magic Quotes question
Date: Tue, 23 Jan 2007 09:42:45 +0530 
the reply may not be directly addressing your issues, but can give
some inkling (read from Shiflett's article)....
in case, GBK character set is involved, you can try using intelligent
encoding. In GBK, 0xbf27 is not a valid multi-byte character, but
0xbf5c is a valid one. so, what does it say? we assume that
addslashes() is being used. so, for single quotes 0x27, we will write
0xbf27. addslashes will change this to 0xbf5c27 i.e 0xbf5c and 0x27.

On 1/20/07, Tim <tim-pentest@sentinelchicken.org> wrote: 
> Why wouldnt you just put the escape function inside of the database
> query et al API function and then make a run-time configuration where
> it could be turned off? So that only strings passed to the database
> are escaped, they are always escaped unless you specifically turn it
> off and its use is transparent to the end user? i.e.
>
> EXPORTED_API_T
> database_query(query, ...)
> {
>        if (getconfig->add_slashes)
>                add_slashes(query);
>
>       db_query(query, ...);
> }


That's the whole idea behind perpared statements, and you should always
use them.  For a while PHP didn't even have this kind of API (does it
even have that now?), which is quite alarming, but more sensible
languages (e.g. Perl, Python, etc) have had them for a long time.

For those not familiar, a prepared statement in Python might look like:

 query = "SELECT * FROM foo WHERE firstname=?"
 cursor->execute(query, "Joe")


Notice how nice it is to have a decent API?  No work on your part and no
foolish hacks like addslashes() or magic quotes.

tim

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------




--
PhD
Intoto Softwares, Hyderabad, India

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Magic Quotes question, Tim
Next by Date:  Wikto and googling, Nicolás F. Iglesias
Previous by Thread:  Re: Magic Quotes question, Tim
Next by Thread:  Wikto and googling, Nicolás F. Iglesias
Indexes:  [Date] [Thread] [Top] [All Lists]