Justin Patrin wrote:
On Wed, 7 Jul 2004 10:31:17 -0700, Brian Dunning <[EMAIL PROTECTED]> wrote:
The PHP directive magic_quotes_gpc is on by default, and it
essentially runs addslashes() on all GET, POST, and COOKIE data.

Why doesn't this automatically prevent injections, since it escapes out
any single quotes they try to submit?

magic_quotes_gpc *should* fix all SQL injection attacks that come
straight from $_GET, $_POST, and $_COOKIE,

No, it'll simply escape quotes in strings that are passed into those variables. If the injected SQL doesn't have any quotes and you're not quoting it in your SQL statement, then there's no protection.


> The proper way to handle this is to turn
> off magic quotes and do whatever
> escaping your code needs *when it needs it*.

This is fine if you control every server you develop on, but most people can't do that.


Write your own escaping function that detects the magic_quotes_gpc setting and acts accordingly. Pass flags for whether you're escaping the data for insertion into a database or for displaying in HTML. Turn off magic_quotes_runtime within your script, too.

--
---John Holmes...

Amazon Wishlist: www.amazon.com/o/registry/3BEXC84AB3A5E/

php|architect: The Magazine for PHP Professionals – www.phparch.com

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
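An added example, not code from the thread, showing the two points above: a context-aware escaping helper that undoes magic_quotes_gpc before escaping for SQL or HTML, and why addslashes()-style escaping does nothing for an unquoted numeric value. The mysqli connection and the sample inputs are assumptions.

```php
<?php
// Added example (not from the thread). Context constants are hypothetical names.
const ESC_SQL  = 'sql';
const ESC_HTML = 'html';

// Undo magic_quotes_gpc if it is active, so every caller starts from the raw value.
// get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard.
function raw_input(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Turn off magic_quotes_runtime where the function still exists (removed in PHP 7).
if (function_exists('set_magic_quotes_runtime')) {
    @set_magic_quotes_runtime(false);
}

// Escape once, for exactly one output context. SQL escaping requires a live
// mysqli connection because real_escape_string() is charset-aware; addslashes() is not.
function escape_for(string $value, string $context, ?mysqli $db = null): string {
    $value = raw_input($value);
    switch ($context) {
        case ESC_HTML:
            return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
        case ESC_SQL:
            if ($db === null) {
                throw new InvalidArgumentException('SQL escaping needs a mysqli connection');
            }
            return $db->real_escape_string($value); // only valid inside a quoted literal
        default:
            throw new InvalidArgumentException("unknown context: $context");
    }
}

// The case John Holmes describes: a quote-free payload is untouched by addslashes(),
// so "WHERE id = $id" with no quotes around $id gains nothing from magic quotes.
function addslashes_leaves_unquoted_payload_intact(): bool {
    $payload = '1 OR 1=1';                       // constructed sample input
    return addslashes($payload) === $payload;    // true: nothing was escaped
}

// The fix for numeric columns is validation/casting, not string escaping.
function safe_id(string $value): ?int {
    $value = raw_input($value);
    return ctype_digit($value) ? (int) $value : null;
}

var_dump(addslashes_leaves_unquoted_payload_intact()); // bool(true)
var_dump(safe_id('42'), safe_id('1 OR 1=1'));          // int(42), NULL
var_dump(escape_for("O'Brien <b>", ESC_HTML));         // O&#039;Brien &lt;b&gt;
```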
