From: "Tariq Murtaza" <tariq@stripped>
> Can someone shed some light on how a "SQL injection" attack occurs when
> *magic_quotes_gpc* is "ON" and how it prevents it when it's "OFF"? To my
> understanding, apostrophes are escaped automatically in POST/GET/COOKIE
> when it's ON, so how does it tend towards SQL injection?
magic_quotes_gpc ON is supposed to do an addslashes automatically for all
get, post and cookie data.
> What are the best practices for handling 'quotation marks' in an input string,
> and how to prevent SQL injection?
The best way to prevent SQL injection is to check user input yourself.
Never, ever trust any data from an external source.
Check numerical data: make sure it's numerical and within the range you
Check string data: make sure it contains the characters you support and
filter out any other characters, make sure it meets the other requirements
you defined (size, etc.). If necessary modify the data or reject it
I never use user input to include a script just like that, but always verify
it first to make sure it's in the list of scripts that can be included...
If you want to supply "free text search" then you can easily filter out a
list of punctuation characters that are not supported by the free text
search you implemented. If you filter out enough it will render an SQL query
that was posted to your script invalid, and effectively prevent an SQL
Happy coding! Jigal.
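The validation approach described above, as an added PHP example (not code from this thread): numeric input is checked for digits and range, a free-text search term is reduced to an allowed character set, an include name is matched against a fixed list, and the query then uses a PDO prepared statement so the database never parses user data as SQL. The function names, the "articles" table and the allowed page list are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Validate every value from an
// external source before it reaches SQL or an include; do not rely on
// magic_quotes_gpc/addslashes, which only escape quotes and leave an
// unquoted numeric context untouched.

// Numerical data: must be digits only and inside an explicit range.
function validate_id(string $raw, int $min = 1, int $max = 1000000): ?int {
    if (!preg_match('/^[0-9]{1,9}$/', $raw)) {
        return null;                        // not purely numeric: reject
    }
    $n = (int) $raw;
    return ($n >= $min && $n <= $max) ? $n : null;
}

// String data: keep only characters the free-text search supports and
// enforce a size limit; quotes, semicolons and comment markers all vanish.
function sanitize_search(string $raw, int $maxLen = 64): ?string {
    $clean = trim(preg_replace('/[^A-Za-z0-9 ]/', '', $raw));
    return ($clean !== '' && strlen($clean) <= $maxLen) ? $clean : null;
}

// Includes: a name is only used if it is on the fixed list (list assumed).
function validate_script(string $raw): ?string {
    return in_array($raw, ['home', 'search', 'contact'], true) ? $raw : null;
}

// Even validated data goes into the query as a bound parameter, so the
// database never parses it as SQL. The open PDO connection and the
// "articles" table are assumptions for this example.
function find_articles(PDO $pdo, int $id, string $term): array {
    $stmt = $pdo->prepare(
        'SELECT title FROM articles WHERE author_id = :id AND title LIKE :q'
    );
    $stmt->execute([':id' => $id, ':q' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$id     = validate_id($_GET['id'] ?? '');
$term   = sanitize_search($_GET['q'] ?? '');
$script = validate_script($_GET['page'] ?? '');
if ($id === null || $term === null || $script === null) {
    http_response_code(400);                // reject rather than repair
    exit('Invalid input');
}
require __DIR__ . '/pages/' . $script . '.php';   // only a listed name
```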