[nycphp-talk] Is there something wrong with this SQL query in PHP?

csnyder chsnyder at gmail.com
Wed Aug 15 09:31:51 EDT 2007


On 8/15/07, Anthony Wlodarski <aw at sap8.com> wrote:
>
> So I was doing some reading on magic quotes and wrote a simple check to see
> if it is on or not.  On our box magic quotes are disabled (which is the way
> I would prefer it, I would rather manually add my own slashes to sequences
> that need it) but my shared hosting has magic quotes enabled.  Now I know
> the admin of the shared hosting is not going to turn off magic quotes
> because not everyone that uses the services are diligent programmers.

See http://us3.php.net/manual/en/security.magicquotes.disabling.php --
you can either disable it in an .htaccess file at the web root, or you
can use get_magic_quotes_gpc() to check for it and, if on, apply
stripslashes() to input values.

The standard mysql_x() functions do not allow multiple queries, so
you're not so worried about someone injecting drop table statements.
Nevertheless, plenty of damage and/or disclosure can be performed with
just a single query.

The UN website was recently compromised due to SQL injection, by the
way, very embarrassing for them.

-- 
Chris Snyder
http://chxo.com/
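As an added example (not from the original thread), one way to implement the check Chris describes: undo magic quotes when the host has them on, then escape input explicitly at the point it enters a query. It assumes a `$link` resource from `mysql_connect()` and, for the alternative at the end, a `$pdo` PDO connection; the legacy `mysql_*` extension and `get_magic_quotes_gpc()` match the PHP 5 era of the discussion and have since been removed from PHP.

```php
<?php
// Added example: normalise input so it is raw on every server,
// whether or not magic_quotes_gpc is enabled there.
function strip_magic_quotes($value)
{
    // Recurse into nested arrays such as $_POST['items'][]
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// function_exists() guards against PHP versions without the function.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = strip_magic_quotes($_GET);
    $_POST   = strip_magic_quotes($_POST);
    $_COOKIE = strip_magic_quotes($_COOKIE);
}

// Input is now unescaped everywhere. Escape once, at the query, with the
// connection-aware escaper instead of addslashes(). Even though mysql_query()
// runs only a single statement, an unescaped quote still lets the WHERE
// clause be rewritten, which is the single-query damage the thread mentions.
// $link is an assumed open mysql_connect() resource.
$username = isset($_POST['username']) ? $_POST['username'] : '';
$sql = sprintf("SELECT id FROM users WHERE username = '%s'",
               mysql_real_escape_string($username, $link));
$result = mysql_query($sql, $link);

// Preferred where available: a bound parameter never becomes part of the
// SQL text, so no escaping step can be forgotten. $pdo is an assumed PDO
// connection.
$stmt = $pdo->prepare('SELECT id FROM users WHERE username = ?');
$stmt->execute(array($username));
```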
