Possible Duplicates:
Are single quotes escaped automatically in PHP? Then what's the need for cleaning?
Successful SQL Injection despite PHP Magic Quotes

Earlier today I asked about automatic escaping of quotes and learned about magic quotes. The thread is located at Are single quotes escaped automatically in PHP? Then what's the need for cleaning?.

We came to the consensus that magic quotes is not enough and that we should always validate and clean user input as well as using prepared queries.

However, this led to this question: on a magic-quotes-enabled server, what kind of SQL injections would bypass the security measures imposed by magic quotes? Why is magic quotes not secure?

To convince me that magic quotes is not secure I would like to see a real-world example of an injection that would bypass these measures. I have built a test setup on my local server with the code:

$foo = $_POST['foo'];                              // raw request value; only magic quotes (addslashes()) has touched it
$sql = "SELECT * FROM bar WHERE foo='".$foo."'";   // value concatenated straight into the SQL text, no prepared statement
$result = query($sql);                             // query() wraps the usual code that executes the statement

where query() is the usual code needed to execute a query. No cleaning whatsoever. However, magic quotes is enabled.

Any examples of injections that would bypass magic quotes on this setup?

Cheers,

Erik

Erik
  • spamming duplicate isn't good nono – dynamic Jun 15 '11 at 14:16
  • I'm not spamming, it's an extension of my original question... – Erik Jun 15 '11 at 14:17
  • I agree it's a duplicate, but it sounds like he wants to actually see code that would bypass. Last time he was just asking about magic quotes. – Nix Jun 15 '11 at 14:22
  • I admit it does seem a bit like a duplicate, but you're absolutely right, Nix. I keep getting told that it's bad and that it works etc., but no one is providing me code that does bypass the setup that I'm presenting. I've tried sending multi-byte input, i.e. I've set $_POST['foo'] = "0x27204f5220313d312023" but the database doesn't seem to convert this to a string so it still doesn't execute... – Erik Jun 15 '11 at 14:43

1 Answer

The issue is that magic quotes uses PHP's addslashes() function, which is not Unicode aware (which means multi-byte characters are not escaped).

This should be all of the convincing you need.

tplaner
  • Could you provide an example? Like I said in the above comment, I've tried $_POST['foo'] = "0x27204f5220313d312023" but it doesn't seem to convert it to a string and still just reads it as 0x27204f5220313d312023 when querying... am I missing something? – Erik Jun 15 '11 at 14:45
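The fix both threads point to, written out as an added example that is not code from the question or the answer: the same lookup on table bar, with the value bound as a prepared-statement parameter instead of concatenated, so neither magic quotes nor addslashes() is in the path at all. It assumes PHP with pdo_sqlite and uses an in-memory SQLite table with constructed rows so it runs offline; openDb() and findByFoo() are names made up for this example.

```php
<?php
// Added example, not code from the question or the answer: the page's lookup
// rewritten with a prepared statement. Uses an in-memory SQLite table "bar"
// with constructed rows so the script runs offline; names are illustrative.
declare(strict_types=1);

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE bar (id INTEGER PRIMARY KEY, foo TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO bar (foo) VALUES (?)');
    foreach (['alice', "o'brien", 'bob'] as $value) {   // constructed sample rows
        $ins->execute([$value]);
    }
    return $pdo;
}

// Replaces: $sql = "SELECT * FROM bar WHERE foo='".$foo."'"; $result = query($sql);
// The value travels as a bound parameter and is never spliced into the SQL text,
// so a quote (or any byte sequence addslashes() would miss) in $foo stays data.
function findByFoo(PDO $pdo, string $foo): array {
    $stmt = $pdo->prepare('SELECT id, foo FROM bar WHERE foo = ?');
    $stmt->execute([$foo]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = openDb();
// A legitimate value containing a quote is matched exactly (1 row)...
printf("exact match rows: %d\n", count(findByFoo($pdo, "o'brien")));
// ...while a quote followed by SQL matches nothing (0 rows) instead of
// rewriting the WHERE clause, which is what the concatenated version permits.
printf("quote-plus-sql rows: %d\n", count(findByFoo($pdo, "' OR 1=1 -- ")));
```

With a MySQL DSN in place of SQLite, also put charset=utf8mb4 in the DSN and set PDO::ATTR_EMULATE_PREPARES to false, so the server rather than PHP-side escaping binds the values and the connection character set is explicit.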