| From: | knut(dot)suebert(at)web(dot)de | 
|---|---|
| To: | PGSQL <pgsql-php(at)postgresql(dot)org> | 
| Subject: | SQL-injection attack? (Re: Help with urlencode and rawurlencode) | 
| Date: | 2002-10-16 19:42:46 | 
| Message-ID: | 20021016194246.GB833@fraxinus.reticulum | 
| Lists: | pgsql-php | 
Justin Clift wrote:
> "Duncan Adams (DNS)" wrote:
> <snip>
> > ......host_table.hostname ilike \'%omc%\' order by....
> > on the next page.
> 
> It sounds like you have the PHP variable "magic_quotes_gpc" set On in
> your "php.ini" configuration file.  If you turn this off (can't remember
> if it's possible with a function) then it will probably fix your
> problem.
Had the same problem here a few minutes ago. If you don't want to turn
off magic_quotes_gpc globally (for most things it is very useful,
IMHO), try "stripslashes()" for problematic strings.
I'm not sure, but stripping slashes could offer a possibility of
inserting "SQL-injection" attacks. Think about "'; delete from table
xyz; select '" typed into a search field. More complicated queries to
get the table names of a db could be possible. Maybe it helps if
queries containing a ";" are rejected.
Knut Sübert
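An added illustration, not code from this thread: the risky stripslashes()-then-concatenate pattern discussed above, next to a version that sends the ILIKE pattern as a bound parameter through pg_query_params() (PHP 5.1+). The connection handle $db and the table host_table(hostname) are assumed from the thread.

```php
<?php
// Added example, not code from the original post. Assumes a PostgreSQL
// connection resource in $db and a table host_table(hostname text).
// $db = pg_connect('dbname=example');  // hypothetical connection string

// Risky pattern from the discussion: undo magic_quotes_gpc with
// stripslashes() and paste the raw value straight into the SQL text.
function search_hosts_risky($db, string $term)
{
    // magic_quotes_gpc (PHP < 5.4) added backslashes before quotes;
    // stripslashes() hands back the raw user text, quotes included.
    $raw = stripslashes($term);
    $sql = "select hostname from host_table"
         . " where hostname ilike '%$raw%' order by hostname";
    // A single quote in $raw closes the literal, so user text becomes
    // SQL syntax: this is the injection risk raised in the thread.
    return pg_query($db, $sql);
}

// Build the ILIKE pattern separately so it can be checked without a DB.
// % and _ are ILIKE wildcards; backslash is PostgreSQL's default escape
// character, so escape all three to match the user's text literally.
function ilike_pattern(string $term): string
{
    return '%' . addcslashes($term, '\\%_') . '%';
}

// Hardened form: the pattern travels as bound parameter $1, so the
// driver never lets user text be parsed as SQL, whatever it contains.
// Filtering ";" is not needed; the data is never part of the statement.
function search_hosts_safe($db, string $term)
{
    $sql = 'select hostname from host_table'
         . ' where hostname ilike $1 order by hostname';
    return pg_query_params($db, $sql, [ilike_pattern($term)]);
}
```

ilike_pattern("'; delete from table xyz; select '") simply yields a pattern containing those characters; bound as $1, they are compared against hostname, not executed.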