Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: TWIG SQL query bugs
From: Ben Gollmer <ben () jatosoft com>
Date: Tue, 5 Jun 2001 17:31:10 -0500

Hi all:

I have been programming in PHP for quite some time. I can understand the confusion about magic_quotes, the situation is a tricky one.

from the manual:

magic_quotes_gpc boolean
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quote), " (double quote), \ (backslash) and NUL's are escaped with a backslash automatically. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

magic_quotes_runtime boolean
If magic_quotes_runtime is enabled, most functions that return data from any sort of external source including databases and text files will have quotes escaped with a backslash. If magic_quotes_sybase is also on, a single-quote is escaped with a single-quote instead of a backslash.

So this statement

"Isn't the "magic_quotes_gpc" only for GET/POST/COOKIES. For SQL
statements to dbs I think you need to initialize magic_quotes_runtime
for the addslashes() default."

is partially incorrect. If you are INSERTing or UPDATEing to a database from a GET or POST operation and magic_quotes_gpc is on, then the data is already safe to put in the db. However, if you are SELECTing from a database, the data retrieved may not be safe unless magic_quotes_runtime is on (or you do an addslashes() on it).

magic_quotes_runtime is easy to turn on/off - just use set_magic_quotes_runtime(0 for off, 1 for on). magic_quotes_gpc is a different story, however.

"GPC means GET/POST/COOKIE which is actually EGPCS these days (Environment, GET, POST, Cookie, Server). This cannot be turned off in your script because it operates on the data before your script is called. You can check if it is on using that function and treat the data accordingly." --Rasmus Lerdorf, from the php-general mailing list

If you are unsure of how your service provider has PHP set up, you can check the output of get_magic_quotes_gpc(). Something like this at the top of each script should be sufficient:

<?php
    if(!get_magic_quotes_gpc())
    {
for (reset($HTTP_GET_VARS); list($k, $v) = each($HTTP_GET_VARS); )
         $$k = addslashes($v);
for (reset($HTTP_POST_VARS); list($k, $v) = each($HTTP_POST_VARS); )
         $$k = addslashes($v);
for (reset($HTTP_COOKIE_VARS); list($k, $v) = each($HTTP_COOKIE_VARS); )
         $$k = addslashes($v);
   }
?>

This will make sure all GPC data in your script is safe. If your service provider allows you to have customized .htaccess file(s), placing this line

php_value magic_quotes_gpc 1

in the file will ensure magic_quotes_gpc is turned on (or off). Working with PHP in error_reporting(E_ALL) mode can also help warn you about variables being used before they are checked or initialized (so you can prevent unusual data from being operated upon).

<?php error_reporting(E_ALL); ?>

This line at the top of your script(s) will do the trick. It would be advisable to remove it before you put the script(s) on a production server, however.


Ben Gollmer

On Saturday, June 2, 2001, at 06:37 AM, Gunther Birznieks wrote:

The problem with magic_quotes_gpc is that it is a global variable in PHP. Many sysadmins turn it off because they may be using a program that requires them not to be escaped. At least I understand this from a talk on advanced PHP techniques someone gave at ApacheCon a few months ago.

Unfortunately, I don't think magic_quotes_runtime is on by default if it does what you say. The manual says it affects DB routines that return data which implies it affects data returned, it doesn't mention anything about the DB routines that only accept input parameters and never return anything.

Maybe someone with more PHP experience and a handy PHP engine could verify this.

Many of the books that I have seen on PHP *assume* when they teach programmers that magic_quotes_gpc is ON in their security model because this is how PHP is set up by default.

Unfortunately, this is not the truth and I can only imagine that there must be many PHP scripts out there that also follow this assumption -- because the people who write the code are probably reading these books and learning to code that way.
__________________________
Gunther Birznieks (gunther.birznieks () eXtropia com)
eXtropia - The Open Web Technology Company
http://www.eXtropia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]