[nycphp-talk] Is there something wrong with this SQL query in PHP?
chsnyder at gmail.com
Wed Aug 15 09:31:51 EDT 2007
On 8/15/07, Anthony Wlodarski <aw at sap8.com> wrote:
> So I was doing some reading on magic quotes and wrote a simple check to see
> if it is on or not. On our box magic quotes are disabled (which is the way
> I would prefer it, I would rather manually add my own slashes to sequences
> that need it) but my shared hosting has magic quotes enabled. Now I know
> the admin of the shared hosting is not going to turn off magic quotes
> because not everyone that uses the services are diligent programmers.
See http://us3.php.net/manual/en/security.magicquotes.disabling.php --
you can either disable it in an .htaccess file at the web root, or you
can use get_magic_quotes_gpc() to check for it and, if on, apply
stripslashes() to input values.
The standard mysql_x() functions do not allow multiple queries, so
you're not so worried about someone injecting drop table statements.
Nevertheless, plenty of damage and/or disclosure can be performed with
just a single query.
The UN website was recently compromised due to SQL injection, by the
way, very embarassing for them.
More information about the talk