Home page logo
/

basics logo Security Basics mailing list archives

Re: magic_quotes
From: mickael kael <mickael.kael () gmail com>
Date: Sat, 25 Jun 2005 15:35:15 +0200

Hello,

Sorry to deviate the subject of the thread.

I see some code which use %2527 to bypass magic_quotes because %25
correspond to %. I try this technic with this code

(this is just a code for testing)
code : $sql = "SELECT nom FROM log where id='$id'";
url : test.php?id=999%2527%20UNION%20ALL%20SELECT%20nom%20FROM%20log%20where%20id=1/*
result : SELECT nom FROM log where id='999%27 UNION ALL SELECT nom
FROM log where id=1/*'

But it don't work, i think, Mysql not interpret %27.
I read on the thread that it is possible to bypass magic_quotes, but i
don't find any solution. So if someone say it is possible, it will be
interessant to have a poc.

Thanks in advance,

Mk,
On 23 Jun 2005 08:30:59 -0000, maarten () webfauna com
<maarten () webfauna com> wrote:
I agree that magic quotes is not a very nice solution. Although it makes it a little harder to manipulate queries, it 
will make your code less clear. Some strings in you application are escaped (from POST data) and some are not (e.g. 
from database.) Sometimes it's not completly clear what the origin of a variable (string) is.
I think it's easier and safer if you can concider all strings to be unescaped and make sure you escape them in a 
query.
You need clear and easy to understand code to make your application secure.

In this case, I'd also use the intval() function. If you want an integer value, this makes sure it is.

Greets,
Maarten



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]