Home page logo
/

basics logo Security Basics mailing list archives

Re: magic_quotes
From: Ben Sytko <bsytko () yahoo com>
Date: Mon, 20 Jun 2005 16:29:56 -0400

Well, from what I've read, SQL injections are still possible with
magic_quotes_gpc being on, although I do not know how to accomplish
this. Strictly speaking security, I personally, do not know of any other
threats by relying on magic quotes, but let me tell you why you
shouldn't use them:

1. Portability - Depending on weather or not another server has them on
or off can affect the code. If there off on another server, then you SQL
queries will fail if you try to input anything that needs to be escaped.
Consequently, if you code from them begin off, and they are on, you will
get to many slashes in front of escaped characters (ex. Tom\\\\'s).

2. Performance - When they are on, PHP needs to add slashes manually to
every piece of data.

I would recommend just using the addslashes function on all data that
needs to be inputted into the database, but make sure magic_quotes_gpc
is off. You can find more information about this here:

http://docs.php.net/en/security.magicquotes.html

-Ben


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault