Re: SQL injection
From | Michael Glaesemann |
---|---|
Subject | Re: SQL injection |
Date | |
Msg-id | DBB6B456-8884-47BB-B9BF-E609E5B53846@myrealbox.com |
In reply to | Re: SQL injection (Alex Turner <armtuk@gmail.com>) |
Replies | Re: SQL injection |
List | pgsql-general |
On Nov 3, 2005, at 4:26 , Alex Turner wrote:

> My point is that with magic_quotes on in PHP, php already escapes
> quotes for you in all inbound variables. This makes the process
> automatic, and therefore foolproof, which is kinda the whole point.
> You want a mechanism that there isn't an easy way around, like
> forgetting to db_quote once in a while. I'm just trying to find out
> if there is an example where magic quotes by itself doesn't work, and
> there is a viable injection attack possible, and if so, what it is, so
> I can figure out how to prevent it ;).

I'm wondering if using magic_quotes will have issues down the pipe when backslash escaping is no longer the default in PostgreSQL to follow SQL spec. Am I correct in thinking that either the SQL statements would have to be rewritten to use E'' strings, the server setting would have to allow the use of backslashes, or magic_quotes would have to be turned off and variables otherwise escaped to prevent SQL injection?

As an aside, it's interesting to see that the PHP documentation states:

---
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed.
---
http://jp.php.net/magic_quotes

Michael Glaesemann
grzm myrealbox com
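The question in the message is whether backslash-style escaping (what magic_quotes produces) still yields a single, correctly terminated literal once the server stops treating backslashes as escapes. The following is an added example, not code from the post or from PostgreSQL: a simplified model of how a PostgreSQL string literal is scanned under the two settings the message contrasts (`standard_conforming_strings` off versus on, plus `E''` literals which always process backslashes), and a round-trip check that shows which client-side quoting survives the change of default. Function names (`scan_literal`, `magic_quotes`, `std_quote`, `e_quote`, `roundtrips`) and the `O'Reilly` / `C:\temp` inputs are constructed for the example; the scanner only models `\x` -> `x`, not octal or hex escapes.

```python
"""Added example (not from the mailing-list post): a simplified model of how
PostgreSQL scans a single-quoted string literal under the two regimes the
message contrasts, used to check which client-side quoting survives a change
of the server default.

backslash_escapes=True   models standard_conforming_strings = off
backslash_escapes=False  models standard_conforming_strings = on (SQL standard)
E'...' literals always process backslashes, whichever setting is in force.
"""


def scan_literal(sql, backslash_escapes):
    """Scan one string literal at the start of `sql`.

    Returns (value, rest): the decoded literal and whatever text follows it.
    Raises ValueError if the literal is never terminated. Simplified model:
    a backslash escape is just `\\x` -> `x`; octal/hex forms are not handled.
    """
    if sql[:2].upper() == "E'":
        backslash_escapes = True        # E'' strings always honour backslashes
        sql = sql[1:]
    if not sql.startswith("'"):
        raise ValueError("not a string literal")
    out = []
    i = 1
    while i < len(sql):
        c = sql[i]
        if c == "\\" and backslash_escapes and i + 1 < len(sql):
            out.append(sql[i + 1])      # backslash escape: keep the next char
            i += 2
        elif c == "'":
            if sql[i + 1:i + 2] == "'":
                out.append("'")         # doubled quote is a literal quote in both modes
                i += 2
            else:
                return "".join(out), sql[i + 1:]
        else:
            out.append(c)
            i += 1
    raise ValueError("unterminated string literal")


def magic_quotes(s):
    """PHP magic_quotes_gpc style: backslash before ' \" \\ and NUL, wrapped in quotes."""
    escaped = (s.replace("\\", "\\\\").replace("'", "\\'")
                .replace('"', '\\"').replace("\x00", "\\0"))
    return "'" + escaped + "'"


def std_quote(s):
    """SQL-standard quoting: double embedded single quotes, no backslash handling."""
    return "'" + s.replace("'", "''") + "'"


def e_quote(s):
    """E'' literal: backslash-escape quotes and backslashes; valid under either setting."""
    return "E'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def roundtrips(value, quoter, backslash_escapes):
    """True if quoter(value) scans back to exactly `value` with nothing left over.

    A False result means the literal either decoded to a different string or
    ended early, leaving unparsed text after it (the failure mode the post asks about).
    """
    try:
        decoded, rest = scan_literal(quoter(value), backslash_escapes)
    except ValueError:
        return False
    return decoded == value and rest == ""


if __name__ == "__main__":
    # Constructed inputs: one containing a quote, one containing a backslash.
    for sample in ("O'Reilly", "C:\\temp"):
        for name, q in (("magic_quotes", magic_quotes),
                        ("std_quote", std_quote),
                        ("e_quote", e_quote)):
            print(f"{sample!r:12} {name:13} "
                  f"scs=off:{roundtrips(sample, q, True)!s:5} "
                  f"scs=on:{roundtrips(sample, q, False)}")
```

Running the block shows that only `e_quote` round-trips both inputs under both settings: backslash escaping (magic_quotes) stops terminating the literal correctly once backslashes are literal, and plain quote doubling is only portable when the server does not process backslashes. This is the trade-off the message describes: rewrite to `E''` strings, keep the server honouring backslashes, or drop magic_quotes and quote at runtime for the setting actually in force; a parameterised query sidesteps the question entirely because no literal is built by the client.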