but that is in GBK and only against add slashes.
if magic quotes is on, and you do not add any other means of filtering, it
works fine.
and you are protected, however you can still inject normal SQL ( , ; CHAR( ,
etc...)
it looks like as long as the developer expresses their variables as '$x'
instead of $x they are safe.
Dok
----- Original Message -----
From: "Chris Shiflett" <chris@shiflett.org>
To: "DokFLeed" <dokfleed@dokfleed.net>
Cc: <webappsec@securityfocus.com>
Sent: Tuesday, October 10, 2006 5:39 AM
Subject: Re: Magic Quotes
DokFLeed wrote:
I am researching in bypassing Magic Quotes enforced by PHP
You might be interested in this post:
http://shiflett.org/archive/184
Magic quotes isn't an ideal approach, because it escapes input (in a
generic and incomplete way) for one particular purpose. This complicates
input filtering (having to account for extra characters), provides a
false sense of security, pushes responsibility to the configuration of
the environment, can't be relied upon (requires every PHP developer to
write inelegant code to deal with the lack of predictability), etc.
It is also being removed.
Chris
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire has new programs available for pen testers and consultants to
use AppScan in client engagements. AppScan is the leading Web application
assessment tool. Want to see it for yourself? Take a look today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
--------------------------------------------------------------------------
