
Security Basics mailing list archives
RE: magic_quotes
From: "Steve Hillier" <securityfocus () mastermindtoys com>
Date: Mon, 20 Jun 2005 11:37:29 -0400
This isn't safe at all. Just try inserting ' OR 1=1; # into your $DATA->id and you'll see. You should be using mysql_escape_string() to sanitise your input strings if you're going to be using them as-is inside SQL statements. You should also consider using substr() to chop all but the length of string you are expecting. sph
-----Original Message-----
From: Pablo Fernández [mailto:newsclient () teamq info]
Sent: Friday, June 17, 2005 7:29 p
To: security-basics () securityfocus com
Subject: magic_quotes

Hi everybody

I've been coding for the last couple of days with PHP+MySQL and I've been relying A LOT on magic_quotes. I am wondering if it's (at least for the moment) a safe thing to do. For example, consider the following code:

    $GDATA = (object) $_GET;
    $PDATA = (object) $_POST;
    if ($GDATA) $DATA = $GDATA; else $DATA = $PDATA;
    // $DATA->id is interpolated straight into the SQL text
    $q = mysql_query ("SELECT * FROM whatever WHERE id = '$DATA->id'");

How safe is this? I would appreciate hints & thoughts (TM)

Thanks,
Pablo Fernandez
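A hardened version of the query from Pablo's post, added here as an example (it is not code from either poster). Instead of escaping the value with mysql_escape_string() as Steve suggests, it binds the value with a PDO prepared statement, the current replacement for the mysql_* functions, and enforces the length limit he recommends; the table and column names come from the post, while the DSN, credentials and the length bound are placeholders.

```php
<?php
// Added example, not from the thread. Assumes PHP 7+ with the PDO MySQL
// driver; DSN, credentials and MAX_ID_LEN are placeholder assumptions.
const MAX_ID_LEN = 32; // assumed upper bound for a legitimate id value

function findById(PDO $db, string $id): array
{
    // Reject over-length input instead of silently truncating it with
    // substr(), so a malformed value is visible rather than quietly accepted.
    if ($id === '' || strlen($id) > MAX_ID_LEN) {
        throw new InvalidArgumentException('id has an unexpected length');
    }
    // The value is bound as a parameter and never becomes part of the SQL
    // text, so an input such as  ' OR 1=1; #  is compared literally against
    // the id column and matches nothing.
    $stmt = $db->prepare('SELECT * FROM whatever WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Pick the input source explicitly. In the original, (object) $_GET is an
// object and objects are always truthy, so $_POST would never have been used.
$id = $_GET['id'] ?? $_POST['id'] ?? '';

$db = new PDO(
    'mysql:host=localhost;dbname=PLACEHOLDER_DB;charset=utf8mb4',
    'PLACEHOLDER_USER',
    'PLACEHOLDER_PASS',
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

$rows = findById($db, (string) $id);
```

With ATTR_EMULATE_PREPARES disabled the query text and the parameter travel to the server separately, so the driver never has to escape the value at all.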
Current thread:
- magic_quotes Pablo Fernández (Jun 20)
- RE: magic_quotes Steve Hillier (Jun 20)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 21)
- RE: magic_quotes Steve Hillier (Jun 22)
- Re: magic_quotes Pablo Fernández (Jun 22)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 22)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 21)
- RE: magic_quotes Steve Hillier (Jun 20)
- Re: magic_quotes Ben Sytko (Jun 20)
- <Possible follow-ups>
- Re: RE: magic_quotes miguel . vieira (Jun 22)
- Re: magic_quotes maarten (Jun 24)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 27)
- Re: magic_quotes mickael kael (Jun 27)
- Re: magic_quotes Christoph 'knurd' Jeschke (Jun 28)