SQL Injection when magic quote is enabled [duplicate]
Possible Duplicates:
Are single quotes escaped automatically in PHP? Then what's the need for cleaning?
Successful SQL Injection despite PHP Magic Quotes
Earlier today I asked about automatic escaping of quotes and learned about magic quotes. The thread is located at Are single quotes escaped automatically in PHP? Then what's the need for cleaning?.
We came to the consensus that magic quotes is not enough and that we should always validate and clean user input as well as using prepared queries.
However, this led to this question: on a magic quote enabled server, what kind of SQL injections would bypass the security measures imposed by magic quotes? Why is magic quotes not secure?
To convince me that magic quotes is not secure I would like to see a real world example of an injection that would bypass these measures. I have built a test setup on my local server with the code:
    $foo = $_POST['foo'];
    $sql = "SELECT * FROM bar WHERE foo='".$foo."'";
    $result = query($sql);
where query() is the usual code needed to execute a query. No cleaning whatsoever. However, magic quote is enabled.
Any examples of injections that would bypass magic quotes on this setup?
Cheers,
Erik
The issue is that magic quotes uses PHP's addslashes() function which is not Unicode aware (which means multi-byte characters are not escaped).
This should be all of the convincing you need.
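The behaviour the answer describes, shown at byte level next to a parameterized version of the question's query. This is an added example, not part of the original thread; the input bytes, the GBK (CP936) connection charset and the in-memory SQLite table are assumptions made for illustration.

```php
<?php
// Added example; every input value below is constructed for illustration.
// Assumption: the database connection is configured for GBK (CP936 in mbstring).

// magic_quotes_gpc applied addslashes() to request data: a byte-wise escape
// that knows nothing about the character set the database will decode with.
$input   = "\xBF\x27";            // constructed: byte 0xBF, then a single quote
$escaped = addslashes($input);    // a backslash (0x5C) is inserted before the quote
echo "escaped bytes: ", bin2hex($escaped), "\n";

// Split the escaped bytes into characters the way a GBK reader would.
// 0xBF 0x5C forms one two-byte character, so the backslash is absorbed
// and no longer escapes the quote that follows it.
$chars = mb_str_split($escaped, 1, 'CP936');
$n     = count($chars);
$bare  = $n >= 2 && $chars[$n - 1] === "'" && $chars[$n - 2] !== "\\";
echo "characters seen under CP936: ", $n, "\n";
echo "quote left unescaped: ", $bare ? "yes" : "no", "\n";

// Hardened form of the question's query: the value is bound as data and is
// never spliced into the SQL text, so there is no escaping step that can
// disagree with the connection charset.
// In-memory SQLite keeps this runnable offline. With MySQL, also declare the
// charset in the PDO DSN and set PDO::ATTR_EMULATE_PREPARES to false.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE bar (foo TEXT)");
$pdo->exec("INSERT INTO bar (foo) VALUES ('a'), ('b')");

$stmt = $pdo->prepare('SELECT * FROM bar WHERE foo = ?');
$stmt->execute([$input]);         // same bytes, now treated purely as a value
echo "rows matched by bound input: ", count($stmt->fetchAll()), "\n";
```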