Home page logo

bugtraq logo Bugtraq mailing list archives

Re: TWIG SQL query bugs
From: Gunther Birznieks <gunther () extropia com>
Date: Sat, 02 Jun 2001 19:37:53 +0800

At 09:48 AM 5/31/2001 -0700, kj wrote:
> PHP used to have an option to automatically use addslashes() on any variable
> passed to it via POST or GET.  Please see your PHP.INI file and set the
> appropriate setting for "magic_quotes_gpc"

Isn't the "magic_quotes_gpc" only for GET/POST/COOKIES. For SQL
statements to dbs I think you need to initialize magic_quotes_runtime
for the addslashes() default.

The problem with magic_quotes_gpc is that it is a global variable in PHP. Many sysadmins turn it off because they may be using a program that requires them not to be escaped. At least I understand this from a talk on advanced PHP techniques someone gave at ApacheCon a few months ago.

Unfortunately, I don't think magic_quotes_runtime is on by default if it does what you say. The manual says it affects DB routines that return data which implies it affects data returned, it doesn't mention anything about the DB routines that only accept input parameters and never return anything.

Maybe someone with more PHP experience and a handy PHP engine could verify this.

Many of the books that I have seen on PHP *assume* when they teach programmers that magic_quotes_gpc is ON in their security model because this is how PHP is set up by default.

Unfortunately, this is not the truth and I can only imagine that there must be many PHP scripts out there that also follow this assumption -- because the people who write the code are probably reading these books and learning to code that way.


Gunther Birznieks (gunther.birznieks () eXtropia com)
eXtropia - The Open Web Technology Company

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]