[20869] in bugtraq
Re: TWIG SQL query bugs
daemon@ATHENA.MIT.EDU (kj)
Tue Jun 5 16:19:32 2001
Date: Sat, 2 Jun 2001 10:20:37 -0700
From: kj <kj@indifference.org>
To: bugtraq@securityfocus.com
Message-ID: <20010602102037.A99980@indifference.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5.0.0.25.2.20010602193042.01c85fe0@mail.clark.net>; from gunther@extropia.com on Sat, Jun 02, 2001 at 07:37:53PM +0800
> >Isn't the "magic_quotes_gpc" only for GET/POST/COOKIES. For SQL
> >statements to dbs I think you need to initialize magic_quotes_runtime
> >for the addslashes() default.
>
> The problem with magic_quotes_gpc is that it is a global variable in PHP.
> Many sysadmins turn it off because they may be using a program that
> requires them not to be escaped. At least I understand this from a talk on
> advanced PHP techniques someone gave at ApacheCon a few months ago.
That's true, though one can test for those settings by using
get_magic_quotes_gpc() and get_magic_quotes_runtime(),
then compensate accordingly, like:
(from http://www.php.net/manual/en/function.get-magic-quotes-gpc.php)
function myAddSlashes($st) {
    // If PHP already escaped GET/POST/COOKIE data, do not escape it again.
    if (get_magic_quotes_gpc() == 1) {
        return $st;
    } else {
        return addslashes($st);
    }
}
> Unfortunately, I don't think magic_quotes_runtime is on by default if it
> does what you say. The manual says it affects DB routines that return data
> which implies it affects data returned, it doesn't mention anything about
> the DB routines that only accept input parameters and never return anything.
Yes, I think you're right (from:
http://www.php.net/manual/en/configuration.php#ini.magic-quotes-runtime)
magic_quotes_runtime boolean
If magic_quotes_runtime is enabled, most
functions that return data from any sort
of external source including databases and text
files will have quotes escaped with a
backslash. If magic_quotes_sybase is also on, a
single-quote is escaped with a
single-quote instead of a backslash.
I never have enabled that configuration, and just assumed it was data
going in to the db.
> Maybe someone with more PHP experience and a handy PHP engine could verify
> this.
>
> Many of the books that I have seen on PHP *assume* when they teach
> programmers that magic_quotes_gpc is ON in their security model because
> this is how PHP is set up by default.
It is on the standard php.ini (for php4), but there is an optimized
version as well where at the top of that php.ini one of the things
listed is:
; - magic_quotes_gpc = Off
; Input data is no longer escaped with slashes so that it can be
; sent into SQL databases without further manipulation. Instead,
; you should use the function addslashes() on each input element you
; wish to send to a database.
Hmm...after reading that, I guess you were right with your initial
statement that magic_quotes_gpc does slash into the db as well.
Oh well, at least that's cleared up for me too :)
K.J.
--
http://www.indifference.org
"The downfall of mankind will be his indifference...ah, but who cares."
---------- In God we trust...everything else we use X.509 -----------
Key ID = 57E3FDF9 (keyserver: pgp.mit.edu)
Key fingerprint = 1C2C 6CE7 A351 11D1 A5B0 741A DCCA 22C4 57E3 FDF9
---------------------------------------------------------------------
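Editor's added example, not part of K.J.'s post or of TWIG: it shows why the compensation above matters in practice. With magic_quotes_gpc = On, PHP has already run addslashes() over GET/POST/COOKIE data, so escaping it again double-escapes and stores a stray backslash; with it Off, skipping the escape leaves the quote injectable. The function and variable names (normalize_gpc, sql_quote_literal, build_query, the sample inputs) are assumptions made for this illustration; get_magic_quotes_gpc(), addslashes() and stripslashes() are real PHP functions.

```php
<?php
// Added example (editor's), not code from the original post.
// Assumed names: normalize_gpc(), sql_quote_literal(), build_query().

// Return the raw, unescaped value of a GET/POST/COOKIE field no matter
// how php.ini is configured.  $magic_on lets the caller simulate the
// setting; when null the real setting is read.  (get_magic_quotes_gpc()
// was deprecated in PHP 7.4 and removed in 8.0, hence the guard.)
function normalize_gpc($value, $magic_on = null) {
    if ($magic_on === null) {
        $magic_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    // Undo the slashes PHP added so the value is escaped exactly once below.
    return $magic_on ? stripslashes($value) : $value;
}

// Build a single-quoted SQL string literal from a raw value.  addslashes()
// is the escaping the thread discusses: it backslash-escapes ' " \ and NUL.
// Caveat: it is charset-unaware, so for real deployments prefer the
// database driver's own escaping or parameterised queries.
function sql_quote_literal($raw) {
    return "'" . addslashes($raw) . "'";
}

function build_query($raw_name) {
    return "SELECT id FROM users WHERE name = " . sql_quote_literal($raw_name) . ";";
}

// Constructed sample inputs (not captured from a real request).
$submitted = "O'Reilly";            // what the user typed
$gpc_on    = "O\\'Reilly";          // what PHP hands you with magic_quotes_gpc = On
$attack    = "x' OR '1'='1";        // classic quote-breaking input, gpc Off

// Wrong: escaping a value that magic_quotes_gpc already escaped.
echo "double-escaped: ", build_query($gpc_on), "\n";
// SELECT id FROM users WHERE name = 'O\\\'Reilly';  -> a backslash ends up in the table

// Right: normalise first, then escape once, for either php.ini setting.
echo "gpc on:  ", build_query(normalize_gpc($gpc_on, true)), "\n";
echo "gpc off: ", build_query(normalize_gpc($submitted, false)), "\n";
// both print: SELECT id FROM users WHERE name = 'O\'Reilly';

// The escape neutralises the injection attempt instead of passing it through.
echo "unescaped: SELECT id FROM users WHERE name = '" . $attack . "';\n";
// ... name = 'x' OR '1'='1';            -> WHERE clause is always true
echo "escaped:   ", build_query(normalize_gpc($attack, false)), "\n";
// ... name = 'x\' OR \'1\'=\'1';        -> one inert string literal
```

The point of taking $magic_on as a parameter is that the same code path is exercised under both settings; in production you leave it null and let the real configuration decide, which is exactly what the thread's myAddSlashes() wrapper was trying to achieve.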