Re: TWIG SQL query bugs

2001-06-05 Thread Ben Gollmer
Hi all: I have been programming in PHP for quite some time. I can understand the confusion about magic_quotes; the situation is a tricky one. From the manual:

magic_quotes_gpc boolean
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When magic_quotes are on, all ' (single-quo

Re: TWIG SQL query bugs

2001-06-05 Thread kj
> >Isn't the "magic_quotes_gpc" only for GET/POST/COOKIES. For SQL
> >statements to dbs I think you need to initialize magic_quotes_runtime
> >for the addslashes() default.
>
> The problem with magic_quotes_gpc is that it is a global variable in PHP.
> Many sysadmins turn it off because they may

Re: TWIG SQL query bugs

2001-06-05 Thread Gunther Birznieks
At 09:48 AM 5/31/2001 -0700, kj wrote:
> > PHP used to have an option to automatically use addslashes() on any
> variable
> > passed to it via POST or GET. Please see your PHP.INI file and set the
> > appropriate setting for "magic_quotes_gpc"
>
> >Isn't the "magic_quotes_gpc" only for GET/POST/

Re: TWIG SQL query bugs

2001-06-01 Thread Steve Stavropoulos
On Wed, 30 May 2001, Ryan Fox wrote:
> One more point here.
>
> > Simply adding a quote is not the proper way to handle this in PHP.
>
> Not really. There are other malicious characters that can be used in sql
> statements. The one in the front of my mind is ";", used to terminate a
> query and

Re: TWIG SQL query bugs

2001-06-01 Thread kj
> PHP used to have an option to automatically use addslashes() on any variable
> passed to it via POST or GET. Please see your PHP.INI file and set the
> appropriate setting for "magic_quotes_gpc"

Isn't the "magic_quotes_gpc" only for GET/POST/COOKIES? For SQL statements to dbs I think you need

RE: TWIG SQL query bugs

2001-05-31 Thread Jeff Dafoe
> Good programming practice is to code a function specifically to strip any
> possible malicious characters out of strings, and wrap it around every
> variable put into a query, whether it should be user-supplied or not.
> Addslashes is a good function to call from your stripping function, but it

Re: TWIG SQL query bugs

2001-05-31 Thread Ben Laurie
Ryan Fox wrote:
>
> One more point here.
>
> > Simply adding a quote is not the proper way to handle this in PHP.
>
> Not really. There are other malicious characters that can be used in sql
> statements. The one in the front of my mind is ";", used to terminate a
> query and begin a new one.

Re: TWIG SQL query bugs

2001-05-31 Thread Ryan Fox
One more point here.

> Simply adding a quote is not the proper way to handle this in PHP.

Not really. There are other malicious characters that can be used in sql statements. The one in the front of my mind is ";", used to terminate a query and begin a new one. Think of $IDNumber=";drop datab

TWIG SQL query bugs

2001-05-28 Thread Luki Rustianto
I can't find the person who is really in charge of developing twig, so I am mailing about this bug to the person who announced the new version of twig about two months ago.
--
Subject: Unquoted SQL query => potential damage
So