Network Security: Detailed info on Security of magic_quotes

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Web-App-Sec

[Top] [All Lists]

Security of magic_quotes_gpc under PHP against SQL injection

from [Todd Hendricks] Network Security

[Permanent Link]

Subject:	Security of magic_quotes_gpc under PHP against SQL injection
Date:	Sun, 11 Dec 2005 00:55:38 -0600

I'm very curious as to what level of protection magic quotes provides against 
SQL injection attacks
(for MySQL, specifically) under PHP.  I have a rather lengthy app that relies 
upon magic_quotes_gpc
to sanitize database input, and information that goes straight back to the 
presentation layer from a
form is then stripslash'ed.

My question is, what are some ways around magic_quotes that I need to watch out 
for.. and as a
followup, if it's such a bad security idea, why was it included at all much 
less enabled by default
(this seems to smack of the register_globals problem, only to a lesser extent)?

I do understand that it would be a good idea to redo the entire app using 
mysql_real_escape, but in
this single-developer environment, I'd like to avoid doing a massive revamp 
unless it's of
penultimate importance to do so, because that cuts in to feature/usability 
development time.

Regards,
- Todd

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Security of magic_quotes_gpc under PHP against SQL injection, Todd Hendricks <= Re: Security of magic_quotes_gpc under PHP against SQL injection, Steve Slater Re: Security of magic_quotes_gpc under PHP against SQL injection, Peter Conrad Re: Security of magic_quotes_gpc under PHP against SQL injection, ascii Re: Security of magic_quotes_gpc under PHP against SQL injection, Stefano Di Paola

Previous by Date:	Forced invalid SQL errors, Steven M. Christey
Next by Date:	[Full-disclosure] Fuzzing testing webapp?, Mark Sec
Previous by Thread:	Forced invalid SQL errors, Steven M. Christey
Next by Thread:	Re: Security of magic_quotes_gpc under PHP against SQL injection, Steve Slater
Indexes:	[Date] [Thread] [Top] [All Lists]