Re: Magic Quotes question

From: Ronald Chmara (ron@Opus1.COM)
Date: Fri Jan 19 2007 - 06:02:46 EST


On Jan 16, 2007, at 11:10 PM, DokFLeed wrote:
> Hi,
> I posted this earlier to webappsec@securityfocus.com with no luck,
> does anyone know how to bypass magic quotes? A proven, working way.

stripslashes(). :-)

It's fairly easy to get a developer to put stripslashes() on a
website too, if one just slowly adds posts that seem like they can be
tracked back to magic quotes... "I\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
\'m having problems...."

This is why magic quotes/slashes was getting turned off all over the
place..... excessive escaping before db inserts, as variable values
were passed from page to page.

Well, that, and the escaping wasn't data-engine specific. Some data
engines use \', others use '', others need no ' escaping, and since
many modern db engines can use *any* delimiter, for any language,
"magic quotes" was simply the wrong level to apply data filtering at.

> example is, in such a simple SQL like
> "SELECT * from USERS WHERE id =$id";
> I am looking for ways to bypass magic quotes to inject this
> INTO OUTFILE '/home/z.php'

INTO OUTFILE %/home/z.php% works, if "%" is the field delimiting
character being used. Magic quotes totally fails in that scenario.

> Point is, if magic quotes can stop this, why is it going to be
> removed in PHP 6? It can simply stay and be activated or deactivated
> at will.

It was a great idea, in a much less complex world.

> And if there is a way to bypass it, I want to include it in my check
> of GET/POST inputs.

Any character can be used, by many db engines, as a delimiter. It is
bad programming practice to assume that *any* bulk filtering
mechanism will work, so your GET/POST idea is flawed.

The problem is not magic quotes.
The problem is not replacing magic quotes.

The problem *is* validating each piece of data received, and dealing
with it in an appropriate manner, regardless of the db engine used,
charset used, delimiters used.

-Ronabop
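The three points made in the reply above (a numeric `WHERE id = $id` needs no quote character, so addslashes()-style escaping never touches the payload; the escaping is engine-specific, since some engines want `\'` and others `''`; and values re-submitted page to page get re-escaped on every hop) can be demonstrated end to end. The following is an added example, not code from the original thread or from PHP itself. It emulates magic_quotes_gpc with a small addslashes() clone and runs the thread's query against an in-memory SQLite table with constructed sample rows; SQLite is used because it is available offline and, unlike MySQL, gives backslash no meaning inside a string literal, which is exactly the engine mismatch the reply describes. Function and table names are the example's own.

```python
"""Why addslashes-on-every-input (magic_quotes_gpc) is the wrong layer for
SQL-injection defence.  Added example, not from the original thread.
Uses an in-memory SQLite table with constructed sample rows."""
import sqlite3


def addslashes(s: str) -> str:
    """Emulate PHP addslashes(): backslash before ' " \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\0":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def pass_through_pages(value: str, hops: int) -> str:
    """Re-submit a value through `hops` pages with magic quotes on.
    Every hop re-escapes the backslashes added by the previous one."""
    for _ in range(hops):
        value = addslashes(value)
    return value


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "alice-secret"), (2, "O'Brien", "obrien-secret")],
    )
    return conn


def lookup_by_id_magic_quotes(conn, raw_id: str):
    """The thread's query, SELECT * from USERS WHERE id =$id, with $id run
    through addslashes().  No quote in the payload means nothing is escaped."""
    sql = f"SELECT id, name, secret FROM users WHERE id = {addslashes(raw_id)}"
    return conn.execute(sql).fetchall()


def lookup_by_name_magic_quotes(conn, raw_name: str):
    """Same pattern in a quoted-string context.  SQLite escapes ' as '' and
    treats backslash as an ordinary character, so the \\' that magic quotes
    produces is a syntax error even for a legitimate name.  Returns rows,
    or the engine's error text."""
    sql = f"SELECT id, name, secret FROM users WHERE name = '{addslashes(raw_name)}'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def lookup_by_id_validated(conn, raw_id: str):
    """Per-field validation plus a bound parameter: the value never reaches
    the SQL parser, whatever the engine's quoting rules are."""
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute(
        "SELECT id, name, secret FROM users WHERE id = ?", (int(raw_id),)
    ).fetchall()


def lookup_by_name_validated(conn, raw_name: str):
    """Length check, then bind; apostrophes in real names need no escaping."""
    if not 0 < len(raw_name) <= 64:
        raise ValueError("name length out of range")
    return conn.execute(
        "SELECT id, name, secret FROM users WHERE name = ?", (raw_name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Numeric context: magic quotes changes nothing, every row comes back.
    print(lookup_by_id_magic_quotes(db, "1 OR 1=1"))
    # String context on an engine that wants '' rather than \': legit input breaks.
    print(lookup_by_name_magic_quotes(db, "O'Brien"))
    # Four page hops turn one apostrophe into 15 backslashes.
    print(pass_through_pages("I'm", 4))
    # Validate per field and bind: correct on any engine.
    print(lookup_by_name_validated(db, "O'Brien"))
```

Run it as a script to see the four cases printed in order. The payload `1 OR 1=1` contains no quote, so addslashes() returns it unchanged and the numeric query leaks every row; the same escaping then rejects the perfectly valid name `O'Brien` on SQLite, because `'O\'Brien'` is not a valid literal there; and the hop count shows why developers were tempted to sprinkle stripslashes() everywhere. The validated versions need no knowledge of the engine's delimiter at all, which is the reply's closing point.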

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:32 EDT