[20868] in bugtraq
Re: TWIG SQL query bugs
daemon@ATHENA.MIT.EDU (Gunther Birznieks)
Tue Jun 5 16:06:01 2001
Message-Id: <5.0.0.25.2.20010602193042.01c85fe0@mail.clark.net>
Date: Sat, 02 Jun 2001 19:37:53 +0800
To: kj <kj@indifference.org>, bugtraq@securityfocus.com
From: Gunther Birznieks <gunther@extropia.com>
In-Reply-To: <20010531094837.B45326@indifference.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
At 09:48 AM 5/31/2001 -0700, kj wrote:
> > PHP used to have an option to automatically use addslashes() on any
> variable
> > passed to it via POST or GET. Please see your PHP.INI file and set the
> > appropriate setting for "magic_quotes_gpc"
>
>
>Isn't the "magic_quotes_gpc" only for GET/POST/COOKIES. For SQL
>statements to dbs I think you need to initialize magic_quotes_runtime
>for the addslashes() default.
The problem with magic_quotes_gpc is that it is a global variable in PHP.
Many sysadmins turn it off because they may be using a program that
requires them not to be escaped. At least I understand this from a talk on
advanced PHP techniques someone gave at ApacheCon a few months ago.
Unfortunately, I don't think magic_quotes_runtime is on by default if it
does what you say. The manual says it affects DB routines that return data
which implies it affects data returned, it doesn't mention anything about
the DB routines that only accept input parameters and never return anything.
Maybe someone with more PHP experience and a handy PHP engine could verify
this.
Many of the books that I have seen on PHP *assume* when they teach
programmers that magic_quotes_gpc is ON in their security model because
this is how PHP is set up by default.
Unfortunately, this is not the truth and I can only imagine that there must
be many PHP scripts out there that also follow this assumption -- because
the people who write the code are probably reading these books and learning
to code that way.
>K.J.
__________________________________________________
Gunther Birznieks (gunther.birznieks@eXtropia.com)
eXtropia - The Open Web Technology Company
http://www.eXtropia.com/
