On Nov 3, 2005, at 4:26, Alex Turner wrote:
> My point is that with magic_quotes on in PHP, php already escapes
> quotes for you in all inbound variables. This makes the process
> automatic, and therefore foolproof, which is kinda the whole point.
> You want a mechanism that there isn't an easy way around, like
> forgetting to db_quote once in a while. I'm just trying to find out
> if there is an example where magic quotes by itself doesn't work, and
> there is a viable injection attack possible, and if so, what it is, so
> I can figure out how to prevent it ;).
I'm wondering if using magic_quotes will have issues down the pipe
when backslash escaping is no longer the default in PostgreSQL to
follow SQL spec. Am I correct in thinking that either the SQL
statements would have to be rewritten to use E'' strings, the server
setting would have to allow the use of backslashes, or magic_quotes
would have to be turned off and variables otherwise escaped to
prevent SQL injection?
As an aside, it's interesting to see that the PHP documentation states:
---
Magic Quotes is a process that automagically escapes incoming data to
the PHP script. It's preferred to code with magic quotes off and to
instead escape the data at runtime, as needed.
---
http://jp.php.net/magic_quotes
Michael Glaesemann
grzm myrealbox com
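To make the concern in the reply above concrete, here is an added example (written for this thread, not code from PHP, PostgreSQL or either poster) that simulates how PostgreSQL's lexer reads a string literal with backslash escaping on (the pre-standard default) versus off (the SQL-standard behaviour, controlled by standard_conforming_strings). It applies magic_quotes-style backslash escaping, the E'' prefix, and SQL-standard quote doubling to the same constructed input and checks, for each mode, whether the database would see exactly the intended value with nothing trailing the literal. The query text, the sample name and the function names are all constructed for this illustration.

```python
from __future__ import annotations

# Added example: simulates PostgreSQL string-literal lexing under both
# backslash-handling modes to show why PHP magic_quotes-style escaping
# stops protecting a plain '...' literal once standard_conforming_strings
# is on. Illustrative code for this thread, not PHP's or PostgreSQL's own.


def magic_quotes_escape(value: str) -> str:
    """Mimic PHP magic_quotes_gpc: a backslash before ' " \\ and NUL."""
    return "".join(("\\" + ch) if ch in "'\"\\\0" else ch for ch in value)


def standard_escape(value: str) -> str:
    """SQL-standard escaping: a quote inside a literal is written twice."""
    return value.replace("'", "''")


def scan_literal(sql: str, start: int, standard_conforming: bool) -> tuple[str, str]:
    """Parse the string literal beginning at sql[start].

    Returns (decoded literal, remaining SQL after the closing quote).
    An E'...' literal always honours backslash escapes; a plain '...'
    literal honours them only when standard_conforming_strings is off.
    Raises ValueError if the literal never closes.
    """
    i = start
    backslash_escapes = not standard_conforming
    if sql[i] in "Ee" and i + 1 < len(sql) and sql[i + 1] == "'":
        backslash_escapes = True
        i += 1
    if sql[i] != "'":
        raise ValueError("no string literal at position %d" % start)
    i += 1
    out: list[str] = []
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and backslash_escapes and i + 1 < len(sql):
            out.append(sql[i + 1])  # simplified: \x stands for the character x
            i += 2
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                out.append("'")  # doubled quote inside the literal
                i += 2
            else:
                return "".join(out), sql[i + 1:]
        else:
            out.append(ch)
            i += 1
    raise ValueError("unterminated string literal")


QUERY_PREFIX = "SELECT * FROM users WHERE name = "  # constructed query text


def literal_survives(name: str, escaped: str, e_prefix: str, standard_conforming: bool) -> bool:
    """True when the database sees exactly `name` and nothing trails the literal."""
    sql = QUERY_PREFIX + e_prefix + "'" + escaped + "'"
    try:
        decoded, rest = scan_literal(sql, len(QUERY_PREFIX), standard_conforming)
    except ValueError:
        return False
    return decoded == name and rest == ""


def compare(name: str) -> dict[str, tuple[bool, bool]]:
    """Evaluate each escaping strategy as (ok with backslashes on, ok with standard strings)."""
    mq = magic_quotes_escape(name)
    std = standard_escape(name)
    strategies = {
        "magic_quotes, plain literal": (mq, ""),
        "magic_quotes, E'' literal": (mq, "E"),
        "doubled quotes, plain literal": (std, ""),
    }
    return {
        label: (
            literal_survives(name, esc, prefix, standard_conforming=False),
            literal_survives(name, esc, prefix, standard_conforming=True),
        )
        for label, (esc, prefix) in strategies.items()
    }


if __name__ == "__main__":
    for label, (legacy_ok, standard_ok) in compare("O'Reilly").items():
        print(f"{label:32} backslashes_on={legacy_ok!s:5} standard_conforming={standard_ok}")
```

Running it on the constructed name `O'Reilly` shows the three outcomes the reply anticipates: the magic_quotes output `O\'Reilly` keeps the literal intact only while backslash escaping is the default, and under standard-conforming strings the lexer closes the literal at the first quote and treats `Reilly'` as further SQL; the same escaped value inside an `E''` literal survives in both modes; doubling the quote survives in both modes as well. In real PHP the last column is what a driver-level escaper or a parameterised query (pg_query_params) gives you without relying on a server-side setting.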