[ale] Well, this does nothing for the reputation of Linux

Michael B. Trausch mbt at naunetcorp.com
Mon Jul 22 10:20:21 EDT 2013


On 07/22/2013 09:57 AM, Andy Borgmann wrote:
> Also, isn't SQL injection pretty much fixed with Magic Quotes?  I had
> a security guy from GA Tech test my site once and was unable to SQL
> inject attack the site.  I thought this was largely due to the fact
> that any $_POST to the site is automatically escaped via Magic Quotes.

Any code which relies on Magic Quotes is insecure when run with Magic
Quotes disabled.  That functionality was removed because of the false
sense of security that people derived from it.  No quoting rules are
applicable for all systems.  A professional PHP programmer knows this
fact, and will not rely on MQ behavior.  Some PHP applications even
refuse to run with the setting enabled, as it can introduce security
flaws in their own system, which performs correct escaping for all of the
points it interacts with.

They've been talking about removing MQ for years, and the best practice
was to keep it disabled and properly handle your escaping and
de-escaping yourself.  This works for professional PHP programmers,
because professional PHP programmers already take responsibility for
input sanitization and validation of their data, either manually or by
using a base class or request processor class or some other method.

Have fun rewriting your code for PHP 5.4 and later releases, by the way.

    --- Mike

-- 
Michael B. Trausch

President, *Naunet Corporation*
(678) 287-0693 x130 or (888) 494-5810 x130
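The point of the reply above, shown in code. This is an added example, not code from either poster: it contrasts a query that silently depends on magic_quotes_gpc having escaped $_POST with a parameterized PDO query that is correct whether the setting is on, off, or gone (PHP 5.4 and later). The `users` table, the column names, and the in-memory SQLite database are assumptions made for the demonstration; the hostile input is constructed.

```php
<?php
// Added example (not from the original post). Shows why code that relies on
// magic_quotes_gpc breaks when the setting is off, and what to do instead.

// 1. The fragile pattern: request data interpolated straight into SQL on the
//    assumption that magic_quotes_gpc already escaped it. With magic quotes
//    off (the default since PHP 5.3, removed in PHP 5.4) the value is raw.
function fragileLookupSql(array $post): string
{
    // Table and column names are assumptions for this example.
    return "SELECT id, name FROM users WHERE name = '" . $post['user'] . "'";
}

// 2. The correct pattern: a parameterised query. The value travels to the
//    driver separately from the SQL text, so no quoting rule has to match
//    the database's dialect, and no ini setting is involved.
function lookupUser(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. For code that must still run on PHP < 5.4 with magic_quotes_gpc=On:
//    undo the automatic escaping once, at the entry point, so the rest of
//    the application always sees raw data and escapes exactly once itself.
function stripMagicQuotes(array $data): array
{
    // get_magic_quotes_gpc() returns false from PHP 5.4 and was removed in
    // PHP 8.0, so guard the call; the function is then a no-op.
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $data;
    }
    $out = [];
    foreach ($data as $k => $v) {
        $out[stripslashes($k)] = is_array($v) ? stripMagicQuotes($v) : stripslashes($v);
    }
    return $out;
}

// Demonstration against a constructed in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed hostile input: a classic tautology injection.
$hostile = "' OR '1'='1";

// Fragile path, magic quotes off: the interpolated query returns every row.
$sql = fragileLookupSql(['user' => $hostile]);
echo $sql, "\n";
echo "fragile path matched ", count($db->query($sql)->fetchAll()), " rows\n";

// Parameterised path: the same input is just a name that does not exist.
var_dump(lookupUser($db, $hostile));   // NULL
var_dump(lookupUser($db, 'alice'));    // the row for alice

// On PHP >= 5.4 stripMagicQuotes() changes nothing, so the same entry-point
// code is correct on every PHP version instead of only on one ini setting.
var_dump(stripMagicQuotes(['user' => $hostile]) === ['user' => $hostile]);
```

Run it with magic_quotes_gpc off (any PHP 5.4 or later) and the fragile query matches both rows while the prepared statement matches none; that gap is exactly the "false sense of security" the reply describes. The single stripMagicQuotes() call at the entry point is the one place an application should ever care about the setting.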
