List:General Discussion« Previous MessageNext Message »
From:Tariq Murtaza Date:March 19 2004 6:40pm
Subject:Guru's advice needed ........[Security: SQL injection]
View as plain text  
*Dear Friends!*

Can someone shed some light  on how "SQL injection" attack occurs when 
*magic_quotes_gpc *is"ON" and how it prevents when its "OFF". To my 
understanding  apostrophise are escaped automatically in POST/GET/COOKIE 
when its ON, so how it tends towards SQL Injection.

Someone suggested to keep magic_quotes_qpc OFF through .htaccess file 
and use following line of codes to prevent attacks at start of the file...

 * Checks for magic_quotes_gpc = On and strips them from incoming
 * requests if necessary
if (get_magic_quotes_gpc()) {
  $_GET    = array_map('stripslashes', $_GET);
  $_POST   = array_map('stripslashes', $_POST);
  $_COOKIE = array_map('stripslashes', $_COOKIE);

But unfortunately it does not work for nested POST requests. do anyone 
have better idea?
Secondly why we have to stripslashes while DB (mysql for example) is 
doing it for us on execution and another question arises doesn't it 
prevent from SQL injection attack when apostrophise are escaped in query.

*What is the best practices handling 'quotation marks'  in input string 
and how to prevent SQL injection.

*Looking forward for some advice from panel of experts on forum.
Thanks and have a nice day!*


Guru's advice needed ........[Security: SQL injection]Tariq Murtaza19 Mar
  • Re: Guru's advice needed ........[Security: SQL injection]Jigal van Hemert19 Mar
  • Re: Guru's advice needed ........[Security: SQL injection]Martijn Tonies19 Mar
  • RE: Guru's advice needed ........[Security: SQL injection]Matt Chatterley19 Mar