On 8/15/07, Anthony Wlodarski <[EMAIL PROTECTED]> wrote:
>
> So I was doing some reading on magic quotes and wrote a simple check to see
> if it is on or not. On our box magic quotes are disabled (which is the way
> I would prefer it, I would rather manually add my own slashes to sequences
> that need it) but my shared hosting has magic quotes enabled. Now I know
> the admin of the shared hosting is not going to turn off magic quotes
> because not everyone that uses the services are diligent programmers.

See http://us3.php.net/manual/en/security.magicquotes.disabling.php -- you can either disable it in an .htaccess file at the web root, or you can use get_magic_quotes_gpc() to check for it and, if on, apply stripslashes() to input values.

The standard mysql_x() functions do not allow multiple queries, so you're not so worried about someone injecting drop table statements. Nevertheless, plenty of damage and/or disclosure can be performed with just a single query.

The UN website was recently compromised due to SQL injection, by the way, very embarrassing for them.

--
Chris Snyder
http://chxo.com/
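
Added example, not part of the original message: the check-and-strip approach mentioned in the reply, written as a recursive helper so that nested form arrays are normalized too. The name `undo_magic_quotes` is hypothetical and the sample input is constructed.

```php
<?php
// Added example, not code from the thread. undo_magic_quotes() is a
// hypothetical helper name; the sample data at the bottom is constructed.

/**
 * Recursively remove the backslashes that magic_quotes_gpc added.
 * Walks nested arrays (e.g. name="item[0][title]") and also unescapes
 * string keys, in case they were escaped as well.
 */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $key = is_string($key) ? stripslashes($key) : $key;
            $clean[$key] = undo_magic_quotes($item);
        }
        return $clean;
    }
    // Leave non-string scalars (ints, null) untouched.
    return is_string($value) ? stripslashes($value) : $value;
}

// get_magic_quotes_gpc() no longer exists in PHP 8, so guard the call.
$magic_quotes_on = function_exists('get_magic_quotes_gpc')
    && get_magic_quotes_gpc();

if ($magic_quotes_on) {
    // Normalize once, at the top of the request, so the rest of the code
    // sees the same raw input on every host regardless of the setting.
    $_GET     = undo_magic_quotes($_GET);
    $_POST    = undo_magic_quotes($_POST);
    $_COOKIE  = undo_magic_quotes($_COOKIE);
    $_REQUEST = undo_magic_quotes($_REQUEST);
}

// Constructed sample: how magic-quoted form input looks on arrival.
$sample = array(
    'name'  => 'O\\\'Reilly',              // the string O\'Reilly
    'tags'  => array('it\\\'s', 'plain'),
    'count' => 3,
);
$clean = undo_magic_quotes($sample);
echo $clean['name'], "\n";
echo $clean['tags'][0], "\n";
```

With input normalized this way, escaping is applied exactly once, at the point where a value goes into a query, which avoids both double-escaped data and code that silently relies on the host's setting.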