SQL-injection attack? (Re: Help with urlencode and rawurlencode) - Mailing list pgsql-php

From knut.suebert@web.de
Subject SQL-injection attack? (Re: Help with urlencode and rawurlencode)
Date
Msg-id 20021016194246.GB833@fraxinus.reticulum
In response to Re: Help with urlencode and rawurlencode  (Justin Clift <justin@postgresql.org>)
List pgsql-php
Justin Clift wrote:
> "Duncan Adams (DNS)" wrote:
> <snip>
> > ......host_table.hostname ilike \'%omc%\' order by....
> > on the next page.
>
> It sounds like you have the PHP variable "magic_quotes_gpc" set On in
> your "php.ini" configuration file.  If you turn this off (can't remember
> if it's possible with a function) then it will probably fix your
> problem.

Had the same problem here a few minutes ago. If you don't want to turn
off magic_quotes_gpc globally (for most things it is very useful,
IMHO), try "stripslashes()" for problematic strings.

I'm not sure, but stripping slashes could offer a possibility of
inserting "SQL-injection" attacks. Think about "'; delete from table
xyz; select '" typed into a search field. More complicated queries to
get the table names of a db could be possible. Maybe it helps if
queries containing a ";" are rejected.

Knut Sübert
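The hostname search discussed in this thread, as an added example that is not code from the original posts: the interpolated query next to a parameterised one that keeps the search term out of the statement text. The connection string and the table host_table(hostname) are assumptions.

```php
<?php
// Added example, not from the original thread. Assumes a PostgreSQL table
// host_table(hostname text) and a connection string of your own.
$conn = pg_connect('host=localhost dbname=example user=app password=secret')
    or die('connection failed');

// The search term, e.g. from <input name="q">.
$needle = isset($_GET['q']) ? $_GET['q'] : '';

// magic_quotes_gpc (PHP < 5.4) backslash-escapes quotes in request data.
// Undo that first so $needle is the raw text the user typed and is not
// escaped a second time below.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $needle = stripslashes($needle);
}

// Weak (the pattern from the thread): the raw term is spliced into the SQL.
// A term such as   '; delete from table xyz; select '   ends the string
// literal and the remainder runs as SQL. Rejecting ";" does not close this,
// because the quote character, not the semicolon, breaks out of the literal.
//
// $sql = "SELECT hostname FROM host_table WHERE hostname ILIKE '%$needle%'";

// Hardened: the term travels as a bind parameter, so the server receives it
// as a value and never as part of the statement text. Wildcards are added
// here; % and _ typed by the user are escaped so they match literally
// (backslash is the default LIKE/ILIKE escape character).
$pattern = '%' . addcslashes($needle, '%_\\') . '%';
$result = pg_query_params(
    $conn,
    'SELECT hostname FROM host_table WHERE hostname ILIKE $1 ORDER BY hostname',
    array($pattern)
);
if ($result === false) {
    die('query failed: ' . htmlspecialchars(pg_last_error($conn)));
}
while ($row = pg_fetch_assoc($result)) {
    echo htmlspecialchars($row['hostname']), "<br>\n";
}
pg_close($conn);
```

On PHP releases older than 5.1 (no pg_query_params), pg_escape_string() on the term before interpolation is the fallback; the parameterised form is preferable wherever it is available.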
