Home page logo
/

basics logo Security Basics mailing list archives

Re: magic_quotes
From: Christoph 'knurd' Jeschke <christoph.jeschke () gmail com>
Date: Wed, 22 Jun 2005 12:33:13 +0200

Pablo Fernández wrote:

Again, the question I asked is in the scenario where magic_quotes *IS
ENABLED*

Through casting the GET/POST to object, PHP will warn/error you, if
there is something rotten in the $(G|P)DATA-string when it's evaluated
at mysql_query() - if PHP is not bogus - something you really can't rely
on (Bugs are everywhere!).

But if you only rely on magic_quotes_runtime (MQR), your application
will be easily affected, if the MQR-mechanism is not as good as you
thought. So use additionally mysql_real_escape_string and Stored
Procedures. Second and third defense line are always good.

Ah, and ... use $_REQUEST so you don't have to check where the data came
from. And don't forget a acceptable error handling (and logging).

Greetings,
Chris


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]