Can someone shed some light on how "SQL injection" attack occurs when *magic_quotes_gpc *is"ON" and how it prevents when its "OFF". To my understanding apostrophise are escaped automatically in POST/GET/COOKIE when its ON, so how it tends towards SQL Injection.
Someone suggested to keep magic_quotes_qpc OFF through .htaccess file and use following line of codes to prevent attacks at start of the file...
<?php
/**
* Checks for magic_quotes_gpc = On and strips them from incoming
* requests if necessary
*/
if (get_magic_quotes_gpc()) {
$_GET = array_map('stripslashes', $_GET);
$_POST = array_map('stripslashes', $_POST);
$_COOKIE = array_map('stripslashes', $_COOKIE);
}
?>But unfortunately it does not work for nested POST requests. do anyone have better idea?
Secondly why we have to stripslashes while DB (mysql for example) is doing it for us on execution and another question arises doesn't it prevent from SQL injection attack when apostrophise are escaped in query.
*What is the best practices handling 'quotation marks' in input string and how to prevent SQL injection.
*Looking forward for some advice from panel of experts on forum. Thanks and have a nice day!*
*Cheers! *Tariq*
