[20880] in bugtraq
Re: TWIG SQL query bugs
daemon@ATHENA.MIT.EDU (Ben Gollmer)
Tue Jun 5 21:51:24 2001
Message-ID: <20010605223936.24625.qmail@securityfocus.com>
Date: Tue, 5 Jun 2001 17:31:10 -0500
Content-Type: text/plain; format=flowed; charset=us-ascii
From: Ben Gollmer <ben@jatosoft.com>
To: bugtraq@securityfocus.com
Mime-Version: 1.0 (Apple Message framework v388)
In-Reply-To: <5.0.0.25.2.20010602193042.01c85fe0@mail.clark.net>
Content-Transfer-Encoding: 7bit
Hi all:
I have been programming in PHP for quite some time. I can understand the
confusion about magic_quotes; the situation is a tricky one.
From the manual:
magic_quotes_gpc boolean
Sets the magic_quotes state for GPC (Get/Post/Cookie) operations. When
magic_quotes are on, all ' (single-quote), " (double quote), \
(backslash) and NUL's are escaped with a backslash automatically. If
magic_quotes_sybase is also on, a single-quote is escaped with a
single-quote instead of a backslash.
magic_quotes_runtime boolean
If magic_quotes_runtime is enabled, most functions that return data from
any sort of external source including databases and text files will have
quotes escaped with a backslash. If magic_quotes_sybase is also on, a
single-quote is escaped with a single-quote instead of a backslash.
So this statement
"Isn't the "magic_quotes_gpc" only for GET/POST/COOKIES. For SQL
statements to dbs I think you need to initialize magic_quotes_runtime
for the addslashes() default."
is partially incorrect. If you are INSERTing or UPDATEing to a database
from a GET or POST operation and magic_quotes_gpc is on, then the data
is already safe to put in the db. However, if you are SELECTing from a
database, the data retrieved may not be safe unless magic_quotes_runtime
is on (or you do an addslashes() on it).
magic_quotes_runtime is easy to turn on/off - just use
set_magic_quotes_runtime(0 for off, 1 for on). magic_quotes_gpc is a
different story, however.
"GPC means GET/POST/COOKIE which is actually EGPCS these days
(Environment, GET, POST, Cookie, Server).
This cannot be turned off in your script because it operates on the data
before your script is called. You can check if it is on using that
function and treat the data accordingly." --Rasmus Lerdorf, from the
php-general mailing list
If you are unsure of how your service provider has PHP set up, you can
check the output of get_magic_quotes_gpc(). Something like this at the
top of each script should be sufficient:
<?php
// If PHP has not already escaped the GET/POST/COOKIE data on arrival
// (magic_quotes_gpc off), escape it here so every GPC value is
// backslash-escaped exactly once before it reaches a query.
if (!get_magic_quotes_gpc())
{
    for (reset($HTTP_GET_VARS); list($k, $v) = each($HTTP_GET_VARS); )
        $$k = addslashes($v);
    for (reset($HTTP_POST_VARS); list($k, $v) = each($HTTP_POST_VARS); )
        $$k = addslashes($v);
    for (reset($HTTP_COOKIE_VARS); list($k, $v) = each($HTTP_COOKIE_VARS); )
        $$k = addslashes($v);
}
?>
This will make sure all GPC data in your script is safe. If your service
provider allows you to have customized .htaccess file(s), placing this
line

    php_value magic_quotes_gpc 1

in the file will ensure magic_quotes_gpc is turned on (or off). Working
with PHP in error_reporting(E_ALL) mode can also help warn you about
variables being used before they are checked or initialized (so you can
prevent unusual data from being operated upon).
<?php error_reporting(E_ALL); ?>
This line at the top of your script(s) will do the trick. It would be
advisable to remove it before you put the script(s) on a production
server, however.
Ben Gollmer
On Saturday, June 2, 2001, at 06:37 AM, Gunther Birznieks wrote:
>
> The problem with magic_quotes_gpc is that it is a global variable in
> PHP. Many sysadmins turn it off because they may be using a program
> that requires them not to be escaped. At least I understand this from a
> talk on advanced PHP techniques someone gave at ApacheCon a few months
> ago.
>
> Unfortunately, I don't think magic_quotes_runtime is on by default if
> it does what you say. The manual says it affects DB routines that
> return data which implies it affects data returned, it doesn't mention
> anything about the DB routines that only accept input parameters and
> never return anything.
>
> Maybe someone with more PHP experience and a handy PHP engine could
> verify this.
>
> Many of the books that I have seen on PHP *assume* when they teach
> programmers that magic_quotes_gpc is ON in their security model
> because this is how PHP is set up by default.
>
> Unfortunately, this is not the truth and I can only imagine that there
> must be many PHP scripts out there that also follow this assumption --
> because the people who write the code are probably reading these books
> and learning to code that way.
> __________________________
> Gunther Birznieks (gunther.birznieks@eXtropia.com)
> eXtropia - The Open Web Technology Company
> http://www.eXtropia.com/
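Worked example, added here and not part of either post above, of the two points Ben makes: escape GPC data exactly once by checking the magic_quotes_gpc setting, and escape data read back from a SELECT before reusing it in another query. It assumes the PHP 4 era functions named in the thread (get_magic_quotes_gpc(), addslashes(), plus stripslashes()); the request values and the fetched row are constructed, and the setting is passed as a parameter so both cases can be exercised in one run.

```php
<?php
// Added example, not code from the original post: handle request data
// the same way whatever magic_quotes_gpc is set to, and escape data
// read back from the database before it goes into another query.

// Undo the escaping PHP applied on arrival when magic_quotes_gpc is on,
// so every value is handled in its raw form from here on. $gpc_on is a
// parameter only so both settings can be shown below; a real script
// would pass get_magic_quotes_gpc() here.
function raw_gpc($value, $gpc_on)
{
    return $gpc_on ? stripslashes($value) : $value;
}

// Turn a raw value into a single-quoted SQL string literal,
// escaping it exactly once.
function sql_literal($raw)
{
    return "'" . addslashes($raw) . "'";
}

// Constructed inputs standing in for $HTTP_GET_VARS['name'] under each
// setting; the browser sent O'Brien in both cases.
$arrived_gpc_off = "O'Brien";
$arrived_gpc_on  = "O\\'Brien";   // PHP already added the backslash

$q_off = "INSERT INTO users (name) VALUES ("
       . sql_literal(raw_gpc($arrived_gpc_off, 0)) . ")";
$q_on  = "INSERT INTO users (name) VALUES ("
       . sql_literal(raw_gpc($arrived_gpc_on, 1)) . ")";
// $q_off and $q_on are identical: the literal is escaped once either way.

// The pitfall: calling addslashes() again on already-escaped input
// without checking the setting escapes the backslash as well, so the
// table ends up holding a literal backslash in the name.
$double = "INSERT INTO users (name) VALUES ('"
        . addslashes($arrived_gpc_on) . "')";

// A row fetched with magic_quotes_runtime off comes back unescaped
// (constructed here in place of a mysql_fetch_array() result), so it
// must go through sql_literal() before being used in another query.
$row = array('name' => "O'Brien");
$q_reuse = "SELECT * FROM orders WHERE customer = "
         . sql_literal($row['name']);

echo $q_off, "\n", $q_on, "\n", $double, "\n", $q_reuse, "\n";
?>
```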