* Richard Lynch <ceo@xxxxxxxxx>:
> Jeff McKeon wrote:
> > Does having magic-quotes=on prevent an attacker from using a urlized sql
> > inject query?
>
> Not likely.
>
> Magic Quotes is a convenience feature, not a security feature.
>
> Magic Quotes is oft-understood, even by journeymen PHP programmers.

oft-MISunderstood... ;-)

> Magic Quotes takes all incoming POST/GET data and calls
> http://php.net/addslashes on it before you see it.

<snip>

> The thing that always kills me is when programmers call stripslashes on
> data that comes *OUT* of MySQL. No, no, no, no. Whatever it is you did,
> or think you are doing, or think you are fixing, that's WRONG.
>
> Maybe you called addslashes twice, once with Magic Quotes, and once "by
> hand" and that's how the data in the database got screwed up.
>
> Or maybe you just don't understand WHY addslashes does what it does.
>
> But calling stripslashes on data coming OUT of MySQL is WRONG.

Umm... I hate to disagree with you, but this depends entirely on your
server settings. It is only wrong if you have magic_quotes_runtime set to
off. If magic_quotes_runtime is ON, then, as the manual says, "most
functions that return data from any sort of external source including
databases and text files will have quotes escaped with a backslash." In
other words, if magic_quotes_runtime is ON, you *will* need to run
stripslashes on data returned from your database if you don't want quotes
escaped with a backslash.

-- 
Matthew Weier O'Phinney           | mailto:matthew@xxxxxxxxxx
Webmaster and IT Specialist       | http://www.garden.org
National Gardening Association    | http://www.kidsgardening.com
802-863-5251 x156                 | http://nationalgardenmonth.org

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
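An added illustration, not part of this thread, of the double-escaping Richard describes (magic_quotes_gpc plus a "by hand" addslashes) and of the boundary-normalisation plus parameterised query that makes the stripslashes-on-output question moot. The request array, the `users` table and the in-memory SQLite database standing in for MySQL are all constructed for the example; it needs PHP with pdo_sqlite.

```php
<?php
// Added example, not code from the thread. Simulates what magic_quotes_gpc=On
// did to request data before the script saw it, shows the double escaping that
// follows a second addslashes(), then shows the correct handling.

// magic_quotes_gpc ran addslashes() over every GET/POST/COOKIE value.
function simulate_magic_quotes_gpc(array $request): array {
    return array_map('addslashes', $request);
}

// Constructed request: a user whose name contains an apostrophe.
$raw = ['name' => "O'Phinney"];
$gpc = simulate_magic_quotes_gpc($raw);        // name => O\'Phinney

// The "by hand" addslashes() on top of magic quotes: each backslash and quote
// is escaped again, so the SQL literal now reads O\\\'Phinney.
$twice = addslashes($gpc['name']);

// MySQL's parser removes exactly one level of escaping, which stripslashes()
// models here. The row therefore stores a literal backslash: O\'Phinney.
$stored = stripslashes($twice);
printf("SQL literal sent:      %s\n", $twice);
printf("value stored in table: %s\n", $stored);
// stripslashes() on the way OUT hides that symptom but leaves bad data in the
// database, which is why it is the wrong fix when magic_quotes_runtime is off.
printf("stripslashes on read:  %s\n", stripslashes($stored));

// Correct handling: undo magic quotes ONCE at the input boundary (on PHP < 5.4
// real code would test get_magic_quotes_gpc() first; here we know we simulated
// it), then let the driver handle quoting via a prepared statement.
$name = stripslashes($gpc['name']);            // back to O'Phinney

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT)');

$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute([':name' => $name]);          // no addslashes anywhere

$select = $db->prepare('SELECT name FROM users WHERE name = :name');
$select->execute([':name' => "O'Phinney"]);
printf("parameterised round trip: %s\n", $select->fetchColumn()); // O'Phinney
```

With the parameterised path the value never passes through addslashes or stripslashes at all, so neither magic_quotes_gpc nor magic_quotes_runtime has anything left to double-process.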