SQL-injection attack? (Re: Help with urlencode and rawurlencode)




Justin Clift wrote:
> "Duncan Adams (DNS)" wrote:
> <snip>
> > ......host_table.hostname ilike \'%omc%\' order by....
> > on the next page.
> 
> It sounds like you have the PHP variable "magic_quotes_gpc" set On in
> your "php.ini" configuration file.  If you turn this off (can't remember
> if it's possible with a function) then it will probably fix your
> problem.

Had the same problem here a few minutes ago. If you don't want to turn
off magic_quotes_gpc globally (for most things it is very useful,
IMHO), try "stripslashes()" for problematic strings.

I'm not sure, but stripping slashes could offer a possibility of
inserting "SQL-injection" attacks. Think about "'; delete from table
xyz; select '" typed into a search field. More complicated queries to
get the table names of a db could be possible. Maybe it helps if
queries containing a ";" are rejected.

Knut Sübert
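A worked contrast of the two approaches discussed in this thread: the stripslashes()-and-concatenate pattern versus a parameterised query. This is an added example, not code from any of the posters; it assumes PHP 7 or later with the pgsql extension, reuses the host_table.hostname names from the thread, and treats the PG_DSN environment variable and its connection string as placeholders.

```php
<?php
// Added example for this thread, not code from the original posters.
// Assumes PHP 7+ with the pgsql extension. Table and column names follow the
// thread (host_table.hostname); the PG_DSN connection string is a placeholder.

// Emulate what magic_quotes_gpc did to every GET/POST/cookie value before the
// script saw it: the same backslash-escaping that addslashes() applies.
function emulateMagicQuotes(string $rawInput): string
{
    return addslashes($rawInput);
}

// The fragile pattern discussed in the thread: undo the escaping with
// stripslashes() and splice the result into the SQL text. This function only
// builds the string so the effect can be inspected; it never executes it.
function buildQueryByConcatenation(string $gpcValue): string
{
    $term = stripslashes($gpcValue); // exactly what the user typed comes back
    return "SELECT hostname FROM host_table "
         . "WHERE hostname ILIKE '%" . $term . "%' ORDER BY hostname";
}

// The robust alternative: send the SQL and the search term separately.
// PostgreSQL substitutes $1 as a value, so quotes and semicolons in $userTerm
// are data, never syntax, and neither stripslashes() nor a ";" filter is needed.
function searchHostnames($conn, string $userTerm): array
{
    $sql = 'SELECT hostname FROM host_table WHERE hostname ILIKE $1 ORDER BY hostname';
    $result = pg_query_params($conn, $sql, ['%' . $userTerm . '%']);
    if ($result === false) {
        throw new RuntimeException(pg_last_error($conn));
    }
    return pg_fetch_all_columns($result, 0) ?: [];
}

// --- Demonstration on constructed inputs (no database needed) ---

// 1. The symptom from the thread: a value containing quotes, passed through a
//    URL with magic_quotes_gpc on, comes back with backslashes in front of them.
$fragment = "host_table.hostname ilike '%omc%' order by";
echo "magic_quotes_gpc output: " . emulateMagicQuotes($fragment) . "\n";
// -> host_table.hostname ilike \'%omc%\' order by

// 2. stripslashes() restores the original text, which is fine for a harmless
//    term but also restores the quote in the string Knut mentions.
$benign  = emulateMagicQuotes("omc");
$hostile = emulateMagicQuotes("'; delete from table xyz; select '");
echo "concatenated (benign):  " . buildQueryByConcatenation($benign) . "\n";
echo "concatenated (hostile): " . buildQueryByConcatenation($hostile) . "\n";
// The second line shows the user's quote and semicolons inside the SQL text,
// which is the injection risk described in the thread.

// 3. Against a real database the parameterised version treats the same strings
//    as plain search terms. Set PG_DSN (placeholder) to try it.
$dsn = getenv('PG_DSN'); // e.g. 'host=localhost dbname=test user=app' (placeholder)
if ($dsn !== false) {
    $conn = pg_connect($dsn) or die("connection failed\n");
    foreach (["omc", "'; delete from table xyz; select '"] as $term) {
        $rows = searchHostnames($conn, $term);
        printf("parameterised search for %s returned %d row(s)\n",
               var_export($term, true), count($rows));
    }
    pg_close($conn);
}
```

With pg_query_params() the search term never reaches the SQL parser as text, so the question of whether to strip slashes or reject ";" disappears; the wildcard is added in PHP around the parameter value rather than in the query string. magic_quotes_gpc itself was removed in PHP 5.4, so on current PHP the first two steps only reproduce the historical behaviour for comparison.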

