SQL injection - PHP magic_quotes_gpc vulnerability
I have been assigned one of my company's legacy web pages, and after a day or two poking around the source I have found a SQL injection vector similar to the following:

    mysql_query("SELECT * FROM foo WHERE bar = '" . $_GET['baz'] . "'");

I have tried to run a SQL injection test against it, but it fails because the PHP magic_quotes_gpc module is turned on. I know magic_quotes_gpc is dirty, but we have hundreds, if not thousands, of lines of code like the one above. We cannot afford to turn magic_quotes_gpc off, because doing so would open this code up to attack.

I want to know whether the code above is exploitable, and whether we should fix it immediately or address it as part of our other refactoring work.
The usual way to retrofit magic_quotes_gpc sites is to add a wrapper function:

    function m($s) {
        // undo the addslashes() that magic_quotes_gpc applied on the way in
        if (get_magic_quotes_gpc()) {
            $s = stripslashes($s);
        }
        // escape for the live connection's character set
        return mysql_real_escape_string($s);
    }

    mysql_query("SELECT * FROM foo WHERE bar = '" . m($_GET['baz']) . "'");

This will fix the problem of addslashes not being character-set-aware, which in some cases can leave it vulnerable, and will generally let the existing code keep 'working' as before.

However, relying on input escaping is untenable in the long term, because it mangles the slashes in input strings that you are not putting into the database, and it does nothing for data that reaches the database from other sources. magic_quotes_gpc is the wrong thing: it is implementing output-stage encoding at the input stage.

Add the wrapper function, then gradually go through all the SQL interpolations and update them to use it. Once you have found them all, you can turn magic quotes off.
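The following is an added example, not code from the question or the answer above. It ports the answer's wrapper to mysqli (the mysql_* functions were removed in PHP 7), shows the prepared-statement form that makes escaping unnecessary, and demonstrates offline why applying magic quotes and escaping together doubles the slashes. The connection settings read from environment variables, the function names, and the "foo"/"bar" schema are assumptions; get_magic_quotes_gpc() was removed in PHP 8.0, so the call is guarded.

```php
<?php
// Added example: magic-quotes-aware escaping wrapper versus a prepared statement.
// Not the original page's code. Table/column names and env vars are assumptions.

// Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0,
// so guard the call; on modern PHP this simply returns false.
function magic_quotes_on(): bool
{
    return function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
}

// The answer's wrapper on mysqli: strip the slashes magic quotes added, then
// escape for the connection's character set (unlike addslashes, which is not
// character-set-aware).
function m(mysqli $link, string $s): string
{
    if (magic_quotes_on()) {
        $s = stripslashes($s);
    }
    return mysqli_real_escape_string($link, $s);
}

// For input that is NOT going into SQL (echoed, logged, written to a file),
// only the stripslashes half applies; escaping it would mangle it.
function raw_input(string $s): string
{
    return magic_quotes_on() ? stripslashes($s) : $s;
}

// Interim fix: the legacy interpolated query routed through the wrapper.
function find_by_bar_escaped(mysqli $link, string $magic_quoted_bar)
{
    return mysqli_query($link, "SELECT * FROM foo WHERE bar = '" . m($link, $magic_quoted_bar) . "'");
}

// Real fix: a prepared statement. The value never becomes part of the SQL
// text, so neither magic quotes nor escaping has any bearing on safety.
function find_by_bar_prepared(mysqli $link, string $bar)
{
    $stmt = $link->prepare("SELECT * FROM foo WHERE bar = ?");
    $stmt->bind_param('s', $bar);
    $stmt->execute();
    return $stmt->get_result(); // needs the mysqlnd driver
}

// Offline demonstration of the double-escaping problem. addslashes() stands in
// for what magic_quotes_gpc did to $_GET on the way in.
$input   = "O'Brien";                         // constructed sample input
$magic   = addslashes($input);                // O\'Brien  : what $_GET['baz'] held with magic quotes on
$double  = addslashes($magic);                // O\\\'Brien: escaping again without stripslashes
$correct = addslashes(stripslashes($magic));  // O\'Brien  : the wrapper's order of operations
printf("magic: %s\ndouble-escaped: %s\nwrapper: %s\n", $magic, $double, $correct);

// Live path, only when connection details are supplied (placeholder env vars).
if (PHP_SAPI === 'cli' && getenv('DB_HOST') !== false) {
    $link = new mysqli(getenv('DB_HOST'), getenv('DB_USER'), getenv('DB_PASS'), getenv('DB_NAME'));
    $link->set_charset('utf8mb4'); // escaping is only correct for the connection's charset
    $bar = raw_input($_GET['baz'] ?? 'example');
    $result = find_by_bar_prepared($link, $bar);
    printf("rows: %d\n", $result ? $result->num_rows : 0);
}
```

The wrapper takes the value straight from $_GET, because it expects the slashes magic quotes added; the prepared-statement path takes the value after raw_input(), because bind_param() wants the plain string. Once every interpolation is converted to the prepared form, magic_quotes_gpc can be switched off without any of these call sites changing behaviour.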