Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: TWIG SQL query bugs
From: kj <kj () indifference org>
Date: Sat, 2 Jun 2001 10:20:37 -0700

Isn't the "magic_quotes_gpc" only for GET/POST/COOKIES. For SQL
statements to dbs I think you need to initialize magic_quotes_runtime
for the addslashes() default.

The problem with magic_quotes_gpc is that it is a global variable in PHP. 
Many sysadmins turn it off because they may be using a program that 
requires them not to be escaped. At least I understand this from a talk on 
advanced PHP techniques someone gave at ApacheCon a few months ago.


That's true, though one can test for those functions by using the:

get_magic_quotes_gpc() and get_magic_quotes_runtime()

Then compensate accordingly like:

(from http://www.php.net/manual/en/function.get-magic-quotes-gpc.php)

myAddSlashes($st) { 
        if (get_magic_quotes_gpc()==1) { 
                return $st; 
        } else { 
                return AddSlashes($st); 
        } 
}


Unfortunately, I don't think magic_quotes_runtime is on by default if it 
does what you say. The manual says it affects DB routines that return data 
which implies it affects data returned, it doesn't mention anything about 
the DB routines that only accept input parameters and never return anything.


Yes, I think you're right (from:
http://www.php.net/manual/en/configuration.php#ini.magic-quotes-runtime)

magic_quotes_runtime boolean

If magic_quotes_runtime is enabled, most
functions that return data from any sort
of external source including databases and text
files will have quotes escaped with a
backslash. If magic_quotes_sybase is also on, a
single-quote is escaped with a
single-quote instead of a backslash.


I never have enabled that configuration, and just assumed it was data
going in to the db.


Maybe someone with more PHP experience and a handy PHP engine could verify 
this.

Many of the books that I have seen on PHP *assume* when they teach 
programmers  that magic_quotes_gpc is ON in their security model because 
this is how PHP is set up by default.


It is on the standard php.ini (for php4), but there is an optimized
version as well where at the top of that php.ini one of the things
listed is:

; - magic_quotes_gpc = Off
;     Input data is no longer escaped with slashes so that it can be
;     sent into SQL databases without further manipulation.  Instead,
;     you should use the function addslashes() on each input element you
;     wish to send to a database.


Hmm...after reading that, I guess you were right with your initial
statement. That magic_quotes_gpc does slash into the db as well.

Oh well, at least that's cleared up for me too :)

K.J.

-- 

        http://www.indifference.org

"The downfall of mankind will be his indifference...ah, but who cares."


---------- In God we trust...everything else we use X.509 -----------
Key ID = 57E3FDF9 (keyserver: pgp.mit.edu)
Key fingerprint = 1C2C 6CE7 A351 11D1 A5B0  741A DCCA 22C4 57E3 FDF9
---------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault