Security Basics mailing list archives

Re: magic_quotes

From: Ben Sytko <bsytko () yahoo com>
Date: Mon, 20 Jun 2005 16:29:56 -0400

Well, from what I've read, SQL injections are still possible with
magic_quotes_gpc being on, although I do not know how to accomplish
this. Strictly speaking security, I personally, do not know of any other
threats by relying on magic quotes, but let me tell you why you
shouldn't use them:

1. Portability - Depending on weather or not another server has them on
or off can affect the code. If there off on another server, then you SQL
queries will fail if you try to input anything that needs to be escaped.
Consequently, if you code from them begin off, and they are on, you will
get to many slashes in front of escaped characters (ex. Tom\\\\'s).

2. Performance - When they are on, PHP needs to add slashes manually to
every piece of data.

I would recommend just using the addslashes function on all data that
needs to be inputted into the database, but make sure magic_quotes_gpc
is off. You can find more information about this here:

http://docs.php.net/en/security.magicquotes.html

-Ben

Current thread:

magic_quotes Pablo Fernández (Jun 20)
- RE: magic_quotes Steve Hillier (Jun 20)
  - Re: magic_quotes Christoph 'knurd' Jeschke (Jun 21)
    - RE: magic_quotes Steve Hillier (Jun 22)
    - Re: magic_quotes Pablo Fernández (Jun 22)
    - Re: magic_quotes Christoph 'knurd' Jeschke (Jun 22)
- Re: magic_quotes Ben Sytko (Jun 20)
- <Possible follow-ups>
- Re: RE: magic_quotes miguel . vieira (Jun 22)
- Re: magic_quotes maarten (Jun 24)
  - Re: magic_quotes Christoph 'knurd' Jeschke (Jun 27)
  - Re: magic_quotes mickael kael (Jun 27)
    - Re: magic_quotes Christoph 'knurd' Jeschke (Jun 28)
- Re: magic_quotes Tony Stahler (Jun 28)