Home page logo
/

basics logo Security Basics mailing list archives

Re: AW: magic_quotes
From: Pablo Fernández <newsclient () teamq info>
Date: Mon, 20 Jun 2005 18:40:44 +0200

Well, this is what magic_quotes is all about... magic_quotes would
escape those ' so the actual statement would be:

SELECT * FROM whatever WHERE id = '\' OR (any_where_clause) OR id=\''

Best regards,
Pablo

--- Begin Message --- From: "Michael Kluge" <michael.kluge () wundermedia de>
Date: Mon, 20 Jun 2005 17:31:22 +0200
Hello!

This is very unsafe! Imagine this case:
$DATA->id is "' OR (any_where_clause) OR id='"

So your SQL-Statement will be:
SELECT * FROM whatever WHERE id = '' OR (any_where_clause) OR id=''

So anybody can manipulate your SQL-Statment to return unwanted rows from your table.

This is an SQL injection vulnarability.

Better use something like mysql_escape_string().

See:
http://www.php.net/manual/en/function.mysql-escape-string.php


Regards,
Michael.


Hi everybody

I been coding for the last couple of days with PHP+MySQL and I've been
relaying A LOT in magic_quotes. I am wondering if it's (at 
least for the
moment) a safe thing to do. For example, consider the following code

$GDATA = (object) $_GET;
$PDATA = (object) $_POST;

if ($GDATA) $DATA = $GDATA;
else        $DATA = $PDATA;

$q = mysql_query ("SELECT * FROM whatever WHERE id = '$DATA->id'");

How safe is this?

I would appreciate hints & thoughts (TM)

Thanks,
Pablo Fernandez



--- End Message ---

  By Date           By Thread  

Current thread:
  • AW: magic_quotes Michael Kluge (Jun 20)
    • Re: AW: magic_quotes Pablo Fernández (Jun 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]