
I have always read that Magic Quotes do not stop SQL injections at all, but I am not able to understand why not! As an example, let's say we have the following query:

SELECT * FROM tablename
  WHERE email='$x';

Now, if the user input makes $x=' OR 1=1 --, the query would be:

SELECT * FROM tablename
  WHERE email='\' OR 1=1 --';

The backslash will be added by Magic Quotes with no damage done whatsoever!

Is there a way that I am not seeing where the user can bypass the Magic Quote insertions here?

KJ Saxena

1 Answer


The trick is usually to pass a binary value so that the backslash would become a part of a valid multibyte character. Here is a blog post about it.

newtover
  • I always had the impression that SQL injection was a more serious issue possibly affecting almost all newbie attempts at a script. I still can't believe that magic quotes make you absolutely safe unless you have used a multi-byte charset. – KJ Saxena Apr 18 '11 at 13:55
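As an added illustration of the multibyte trick in the answer above (this is example code written for this page, not code from the question, the answer, or the linked blog post), the following Python simulates a byte-oriented addslashes() of the kind magic_quotes_gpc applied, splices the result into the question's query, and then scans the string literal the way a server would after decoding the bytes under two different charsets. The GBK payload with the 0xBF lead byte, and the addslashes/parse_literal/server_view/injected helpers, are assumptions of this example rather than anything the original post states.

```python
# Added example, not from the original question or answer: how a backslash
# inserted by a byte-oriented escaper (magic_quotes_gpc / addslashes) can be
# absorbed into a multibyte character when the server decodes the query as GBK.
# The table and column names are the ones used in the question.

PAYLOAD_ASCII = b"' OR 1=1 --"        # the question's payload
PAYLOAD_GBK = b"\xbf' OR 1=1 --"      # assumed payload: 0xBF is a valid GBK lead byte


def addslashes(data: bytes) -> bytes:
    """Escape the way magic_quotes_gpc did: prefix ', ", \\ and NUL with a
    backslash, byte by byte, with no knowledge of which bytes form one character."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def build_query(email: bytes) -> bytes:
    """The question's query with the (already escaped) input spliced in."""
    return b"SELECT * FROM tablename WHERE email='" + email + b"';"


def parse_literal(sql: str, start: int) -> tuple[str, str]:
    """Mimic the server scanning a '...' literal that opens at sql[start]:
    a backslash escapes the next character and the first unescaped quote ends
    the literal. Returns (literal body, SQL text that follows the literal)."""
    assert sql[start] == "'"
    body = []
    i = start + 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            body.append(sql[i + 1])
            i += 2
            continue
        if ch == "'":
            return "".join(body), sql[i + 1:]
        body.append(ch)
        i += 1
    raise ValueError("unterminated string literal")


def server_view(query: bytes, charset: str) -> tuple[str, str]:
    """Decode the raw query bytes as a server using `charset` would, then split
    the email literal from whatever SQL follows it."""
    sql = query.decode(charset)
    return parse_literal(sql, sql.index("'"))


def injected(payload: bytes, charset: str) -> bool:
    """True if, after addslashes, the payload still breaks out of the literal."""
    _, rest = server_view(build_query(addslashes(payload)), charset)
    return rest.strip() != ";"


if __name__ == "__main__":
    for charset in ("latin-1", "gbk"):
        for payload in (PAYLOAD_ASCII, PAYLOAD_GBK):
            body, rest = server_view(build_query(addslashes(payload)), charset)
            print(f"{charset:8} {payload!r:22} literal={body!r:24} rest={rest!r}")
```

Run stand-alone, it prints the literal body and the trailing SQL for each charset and payload. The ASCII payload from the question is neutralised under both charsets, exactly as the question expects. The GBK payload is also harmless when the server reads the bytes as a single-byte charset, but decoded as GBK the pair 0xBF 0x5C is consumed as one two-byte character, the quote after it is no longer escaped, and the text ` OR 1=1 --` lands outside the literal as SQL. The escaping has to be done by something that knows the character set the server will parse the query with, or, better, the input is never spliced into the SQL text at all and is passed as a parameter of a prepared statement.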