ID: 40113 Updated by: [EMAIL PROTECTED] Reported By: romik at aha dot ru -Status: Open +Status: Assigned Bug Type: Documentation problem PHP Version: Irrelevant Assigned To: colder New Comment:
Etienne: isn't this fixed already? Previous Comments: ------------------------------------------------------------------------ [2007-01-16 13:18:30] romik at aha dot ru Yes, my bad. It does not allow second order injection. I beg my pardon - I messed up use of magic_quotes_gpc(). So the only problem is one you mentioned - calling stripslashes then var is not comming from GPC. The main point I meant is better to separate dealing with magic quotes and with SQL data. You need to strip slashes right after data passed to script - not then it come to SQL. Often pitfail - multiplying slashes in cookies. ------------------------------------------------------------------------ [2007-01-16 12:44:50] [EMAIL PROTECTED] The only thing about that quote_smart() function that is not really good is that it will call stripslashes() on every vars if magic_quotes_gpc is on, even if the var is not comming from GPC. I'll change this example. ------------------------------------------------------------------------ [2007-01-16 10:38:34] [EMAIL PROTECTED] This function will ensure that everything passed to it will be returned either as 1) a quoted string whit escaped chars inside. 2) a numeric string without quotes around. It also takes care about magic_quotes_gpc being on/off. I fail to see how your "best practice section" proposition is better. I also fail to see how "second-order" injections are doable when using such function. ------------------------------------------------------------------------ [2007-01-12 21:01:53] romik at aha dot ru Description: ------------ There is an example function quote_smart() in the mysql_real_escape_string() documentation, Example 3. It demonstrates awfully wrong way on escaping! And allows second-order SQL injection (when data coming not from input but from database). I believe, this example should be removed from documentation. The best practice section should be like this : "If you want to handle quotes in the right way, you have to get rid of magic quotes first. By configuration or by function included into each script. And then quote all data manually, using mysql_real_escape_string()" or something like that. But there also a lot of pitfails and remarks. Actually, I've got a whole article named "complete quotes guide" but it written in russian and I'm not sure my english is good enough to translate . ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=40113&edit=1
