mailing list archives
Re: AW: magic_quotes
From: Pablo Fernández <newsclient () teamq info>
Date: Mon, 20 Jun 2005 18:40:44 +0200
Well, this is what magic_quotes is all about... magic_quotes would
escape those ' so the actual statement would be:
SELECT * FROM whatever WHERE id = '\' OR (any_where_clause) OR id=\''
--- Begin Message ---
From: "Michael Kluge" <michael.kluge () wundermedia de>
Date: Mon, 20 Jun 2005 17:31:22 +0200
This is very unsafe! Imagine this case:
$DATA->id is "' OR (any_where_clause) OR id='"
So your SQL-Statement will be:
SELECT * FROM whatever WHERE id = '' OR (any_where_clause) OR id=''
So anybody can manipulate your SQL-Statment to return unwanted rows from your table.
This is an SQL injection vulnarability.
Better use something like mysql_escape_string().
I been coding for the last couple of days with PHP+MySQL and I've been
relaying A LOT in magic_quotes. I am wondering if it's (at
least for the
moment) a safe thing to do. For example, consider the following code
$GDATA = (object) $_GET;
$PDATA = (object) $_POST;
if ($GDATA) $DATA = $GDATA;
else $DATA = $PDATA;
$q = mysql_query ("SELECT * FROM whatever WHERE id = '$DATA->id'");
How safe is this?
I would appreciate hints & thoughts (TM)
--- End Message ---
- AW: magic_quotes Michael Kluge (Jun 20)
- Re: AW: magic_quotes Pablo Fernández (Jun 20)