Re: Magic Quotes

From: DokFLeed (dokfleeddokfleed.net)
Date: Tue Oct 10 2006 - 03:39:50 CDT


But that is in GBK and only against addslashes.
If magic quotes is on, and you do not add any other means of filtering, it
works fine, and you are protected; however, you can still inject normal SQL ( , ; CHAR( ,
etc.).
It looks like as long as the developer expresses their variables as '$x'
instead of $x they are safe.

Dok

----- Original Message -----
From: "Chris Shiflett" <chrisshiflett.org>
To: "DokFLeed" <dokfleeddokfleed.net>
Cc: <webappsecsecurityfocus.com>
Sent: Tuesday, October 10, 2006 5:39 AM
Subject: Re: Magic Quotes

> DokFLeed wrote:
>> I am researching in bypassing Magic Quotes enforced by PHP
>
> You might be interested in this post:
>
> http://shiflett.org/archive/184
>
> Magic quotes isn't an ideal approach, because it escapes input (in a
> generic and incomplete way) for one particular purpose. This complicates
> input filtering (having to account for extra characters), provides a
> false sense of security, pushes responsibility to the configuration of
> the environment, can't be relied upon (requires every PHP developer to
> write inelegant code to deal with the lack of predictability), etc.
>
> It is also being removed.
>
> Chris
>
>
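The two failure modes discussed in this exchange, as an added example that is not part of the original thread or of PHP itself: magic_quotes_gpc runs addslashes() over every GET/POST/COOKIE value, so the code below reimplements addslashes byte-for-byte, then shows (a) the GBK case, where the byte 0xBF followed by a quote becomes 0xBF 0x5C 0x27 after escaping and a GBK-aware client reads 0xBF5C as one character, leaving the quote bare, and (b) the unquoted case, where a variable used as `WHERE id = $x` passes through addslashes untouched. MySQL is not contacted; its GBK interpretation is simulated by decoding the escaped bytes with Python's gbk codec, and the latin-1 decode stands in for a single-byte charset. The payloads and the users table are constructed for the demo; the parameterised query at the end uses an in-memory SQLite database as a stand-in for any driver that supports placeholders.

```python
# Added example, not code from the original post. Simulates PHP's magic_quotes_gpc
# (addslashes on all input) and shows why it is not a SQL-injection defence.
import sqlite3


def addslashes(data: bytes) -> bytes:
    """Byte-wise equivalent of PHP addslashes(): backslash before ' " \\ and NUL.

    It works on bytes and knows nothing about the character set of the
    connection the string will later be sent over, which is the root problem.
    """
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C):      # ' " \
            out += b"\\"
            out.append(b)
        elif b == 0x00:                   # NUL becomes \0
            out += b"\\0"
        else:
            out.append(b)
    return bytes(out)


def build_quoted_query(username: bytes) -> bytes:
    """The '$x' style from the thread: value quoted, escaped by magic quotes."""
    return b"SELECT * FROM users WHERE user = '" + addslashes(username) + b"'"


def build_unquoted_query(user_id: bytes) -> bytes:
    """The $x style: no quotes around the value, so addslashes has nothing to do."""
    return b"SELECT * FROM users WHERE id = " + addslashes(user_id)


def unescaped_quotes(query: bytes, charset: str) -> int:
    """Count single quotes that are not preceded by a backslash, as seen by a
    client decoding the query bytes in `charset`. Two means the literal is intact
    (opening and closing quote); more means the input broke out of it."""
    text = query.decode(charset)
    count = 0
    i = 0
    while i < len(text):
        if text[i] == "\\":            # escape consumes the next character
            i += 2
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


def safe_lookup(username: str) -> list:
    """The fix that does not depend on charset or on quoting style: placeholders.
    Constructed table; the payload is bound as data, never parsed as SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice'), ('bob')")
    rows = conn.execute("SELECT user FROM users WHERE user = ?", (username,)).fetchall()
    conn.close()
    return [r[0] for r in rows]


if __name__ == "__main__":
    # (a) GBK bypass: 0xBF 0x27 -> addslashes -> 0xBF 0x5C 0x27.
    gbk_payload = b"\xbf' OR 1=1 -- "
    q = build_quoted_query(gbk_payload)
    print("escaped bytes:", q)
    print("single-byte view, bare quotes:", unescaped_quotes(q, "latin-1"))  # 2: still inside the literal
    print("GBK view, bare quotes:       ", unescaped_quotes(q, "gbk"))      # 3: quote escaped the literal
    print("GBK view:", q.decode("gbk"))

    # (b) Unquoted variable: nothing for addslashes to escape.
    print(build_unquoted_query(b"1 OR 1=1"))

    # (c) Placeholders: the same payload is just a string that matches nobody.
    print(safe_lookup("alice"), safe_lookup(q.decode("gbk").split("'")[1] + "' OR 1=1 -- "))
```

Note that the byte string addslashes produces is identical in both views; only the connection's character set decides whether 0xBF5C is "a byte then an escape" or "one character". That is why the escaping has to be done by something that knows the connection charset, or better, avoided altogether with bound parameters.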
