On Tue, May 31, 2011 at 11:44 AM, Tom Samplonius <t...@samplonius.org> wrote:
>
> > > The PHP Wikipedia page is wrong about this too, and states that
> > > addslashes() can be used instead of magic quotes. addslashes()
> > > should probably be deprecated too (and it isn't Unicode aware
> > > either, so removing it solves two problems).
> >
> > magic_quotes did the same thing as manually addslashing every
> > argument AFAIK, so I can't see why you say they couldn't be used
> > interchangeably.
> > the problem with magic was the magic part, addslashes is a valid
> > feature on its own.
>
> It is not that magic_quotes and addslashes() can't be used
> interchangeably, it is that addslashes() shouldn't be used either.
> addslashes() isn't aware of other character sets, so it won't add slashes
> to everything it should. It works fine for ASCII, but will probably open up
> a security hole when used on UTF8 strings. Even the addslashes() manual
> page highly recommends you don't use addslashes().
>
> http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

fortunately there aren't many cases when this can be turned into a
successful attack, but this can be exploited.
unfortunately many people aren't aware of this, but mysql_real_escape_string
can be vulnerable also, if you don't use the mysql_set_charset method but
mysql_query('SET NAMES ...');

> Ideally, addslashes() should be added to the deprecation list too. It
> will have to be removed (or somehow fixed) as part of "Full Unicode" support
> anyways.
>

agree

> > That is why I think the deprecation of features for PHP6 was more
> > important than Unicode. It makes PHP6 secure (well, more secure) by
> > default.
>

it will abolish the false sense of security, but I think we will see many
cases where hosting providers upgrade without proper testing, and a whole
bunch of php applications will be vulnerable without features like
magic_quotes or safe_mode.
but I hope that I will be proven wrong, and I think that we waited long
enough already.

Tyrael
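The connection setup the reply above argues for, written out as an added example (not code from the thread or from PHP itself). It uses the mysqli extension, whose mysqli_set_charset() plays the role of the mysql_set_charset() mentioned above; the host, credentials, table and column names are placeholders, and get_result() assumes the mysqlnd driver.

```php
<?php
// Added example, not from the mailing-list thread. Shows the charset-aware
// way to talk to MySQL from PHP: set the charset through the client library,
// then prefer prepared statements over any string escaping. Host, user,
// database and the "users" table are placeholders.

declare(strict_types=1);

function connectSafely(string $host, string $user, string $pass, string $db): mysqli
{
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $link = new mysqli($host, $user, $pass, $db);

    // Not recommended: "SET NAMES" only tells the server which charset the
    // connection uses. The client library keeps its previous idea of the
    // charset, so mysqli_real_escape_string() escapes with the wrong rules.
    //   $link->query("SET NAMES 'utf8mb4'");

    // Recommended: mysqli_set_charset() updates server and client together,
    // so escaping and parameter encoding agree with what the server decodes.
    $link->set_charset('utf8mb4');
    return $link;
}

function findUser(mysqli $link, string $name): ?array
{
    // Prepared statements ship the parameter separately from the SQL text,
    // so neither addslashes() nor any other escaping is involved at all.
    $stmt = $link->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// For legacy code that still concatenates SQL, escape through the connection
// (charset-aware) rather than with addslashes() (ASCII-only assumptions).
function legacyQuerySql(mysqli $link, string $name): string
{
    $escaped = $link->real_escape_string($name);
    return "SELECT id, name FROM users WHERE name = '" . $escaped . "'";
}

// Usage, only when a database is actually configured in the environment.
if (getenv('DB_HOST') !== false) {
    $link = connectSafely(getenv('DB_HOST'), 'app', 'app-password', 'appdb');
    var_dump(findUser($link, "O'Brien"));
    echo legacyQuerySql($link, "O'Brien"), PHP_EOL;
}
```

The ordering matters: set_charset() must run before any real_escape_string() call on that connection, and a charset switched later via a plain query does not retroactively fix escaping that already happened. Prepared statements remove the dependency on escaping entirely, which is why they are the first choice and the escaping helper is kept only for code that cannot be converted yet.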
> > > > The PHP Wikipedia page is wrong about this too, and states that > > > addslashes() can be used instead of magic quotes. addslashes() > > > should probably be deprecated too (and it isn't Unicode aware > > > either, so removing it solves two problems). > > > > magic_quotes did the same thing than manually addslashing every > > argument AFAIK, so I can't see why you say they couldn't be used > > interchangeably. > > the problem with magic was the magic part, addslashes is a valid > > feature on its own. > > It is not that magic_quotes and addslashes() can't be used > interchangeably, it is that addslashes() shouldn't be used either. > addslashes() isn't aware of other characters sets, so it won't add slashes > to everything it should. It works fine for ASCII, but will probably open up > a security hole when used on UTF8 strings. Even the addslashes() manual > page, highly recommends you don't use addslashes(). > > http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string fortunately there aren't many cases, when this can be turned into a successful attack, but this can be exploited. unfortunately many people doesn't aware of this, but mysql_real_escape_string can be vulnerable also, if you doesn't use the mysql_set_charset method but the mysql_query('SET NAMES ...'); > Ideally, addslashes() should be added to the deprecation list too. It > will have to be removed (or somehow fixed) as part of "Full Unicode" support > anyways. > agree > > That is why I think the deprecation of features for PHP6 was more > important than Unicode. It makes PHP6 secure (well, more secure) by > default. > > it will abolish the false sense of security, but I think we will think many cases, where hosting providers upgrade without proper testing, and a whole bunch of php application will be vulnerable without features like magic_quotes or safe_mode but I hope that I will be proven wrong, and I think that we waited long enough already. Tyrael