On 14.02.2012 14:02, Kousuke Ebihara wrote:
> Hi,
>
> I've noticed the following CVE:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0831
>
>> PHP before 5.3.10 does not properly perform a temporary change to the
>> magic_quotes_gpc directive during the importing of environment variables,
>> which makes it easier for remote attackers to conduct SQL injection attacks
>> via a crafted request, related to main/php_variables.c, sapi/cgi/cgi_main.c,
>> and sapi/fpm/fpm/fpm_main.c.
Who in the world has magic_quotes on and relies on any addslashes() or magic_quotes, thinking this makes any query safe against SQL injection? Without mysql_real_escape() you are completely unprotected in every case, and magic_quotes was one of the worst things ever implemented.
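The reply above contrasts global input mangling (magic_quotes_gpc applied addslashes() to every GET/POST/cookie value before the script ever saw it) with escaping or binding done deliberately at the query site. The following is an added example, not code from the thread or from PHP itself, showing the two patterns side by side; it assumes the pdo_sqlite extension is available so it can run without a MySQL server, and the table name, column names and sample input are constructed for illustration.

```php
<?php
// Added example (not from the thread). Contrasts hand-escaping plus string
// concatenation, which is what magic_quotes_gpc did globally and what the
// reply says must not be relied on, with a prepared statement, where the
// user-supplied value never becomes part of the SQL text.

// Constructed sample input: a legitimate name that happens to contain a quote.
$username = "o'brien";

// 1. Fragile pattern: escape, then splice into the query string.
//    addslashes() knows nothing about the connection charset; with
//    magic_quotes_gpc enabled it had already been applied to the input, so
//    code that escaped again produced doubled backslashes. The directive was
//    deprecated in PHP 5.3 and removed in 5.4. mysqli_real_escape_string() is
//    the charset-aware escaper, but the query is still assembled by hand.
function build_with_addslashes(string $user): string
{
    return "SELECT id FROM users WHERE name = '" . addslashes($user) . "'";
}

// 2. Robust pattern: the SQL text is fixed at prepare time and the value is
//    bound separately, so it cannot alter the structure of the statement.
function find_user(PDO $db, string $user): ?int
{
    $stmt = $db->prepare("SELECT id FROM users WHERE name = :name");
    $stmt->execute([':name' => $user]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Demonstration against an in-memory SQLite database (assumption: pdo_sqlite
// is loaded). Schema and row are constructed for this example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$db->exec("INSERT INTO users (name) VALUES ('o''brien')");

// The escaped-and-spliced query shows the backslash that addslashes() added.
echo build_with_addslashes($username), PHP_EOL;

// The bound parameter matches the stored row without any escaping in the
// application code at all.
var_dump(find_user($db, $username));
```

The point for a reviewer is that the second function is safe regardless of what php.ini says about magic_quotes_gpc, whereas the first depends on exactly the kind of global state the CVE above is about.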