Hi,

> 1. In PHP 5.3.10 and before, magic_quotes_gpc is disabled even if it is
> enabled in php.ini.

No, the vulnerability allows attackers to disable activated magic_quotes_gpc with a remote exploit.

> 2. If my PHP scripts don't depend on magic quote feature, in this case, I
> don't need to apply the patch.

Applications like SugarCRM also do not depend on magic_quotes_gpc. However SugarCRM before 6.4.0 contains an SQL injection vulnerability that is not exploitable in case magic_quotes_gpc is activated.

> But I think it is totally mistakes. I think it is evaluated as "SQL Injection
> attack vulnerability in *PHP*", but it is not correct. magic_quotes_gpc is
> just a fail-safe (but of course it is tattered) and a script which depends on
> magic_quotes_gpc is intrinsically vulnerable.

While magic_quotes_gpc is for sure not the best solution possible, it is simply not true that scripts relying on magic_quotes_gpc for SQL escaping are insecure. These scripts are simply not portable (when it comes to moving the SQL to a different database software or moving to some multi-byte character sets). There is a lot of old code on the internet that relies on magic_quotes_gpc and it uses utf8 or iso character set and is NOT vulnerable.

Of course using mysql_real_escape_string() and prepared statements are more secure, but they are not always required to be secure.

Regards,
Stefan Esser

PS: and all that old code will be vulnerable once the server admin updates to PHP 5.4

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
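
The portability point about multi-byte character sets in the message above can be checked per charset. The following is an added example, not part of the original message or of PHP: it emulates the byte-wise escaping that magic_quotes_gpc applied (PHP's `addslashes()`) and audits whether a charset lets a lead byte absorb the inserted backslash. The function names, the charset list (Python codec names) and the sample strings are assumptions made for this illustration.

```python
# Added example, not from the original post. Charset names are Python codec names.
ESCAPED = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\", 0x00: b"\\0"}

def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping as done by PHP addslashes(), which magic_quotes_gpc
    applied to GET/POST/COOKIE values. It knows nothing about the charset."""
    return b"".join(ESCAPED.get(b, bytes([b])) for b in data)

def lead_bytes_absorbing_backslash(charset: str) -> list:
    """Lead bytes X for which the two bytes X 0x5C decode as ONE character.
    Any hit means a backslash inserted by byte-wise escaping can be read by a
    charset-aware parser as the tail of a character instead of an escape."""
    hits = []
    for lead in range(0x80, 0x100):
        try:
            text = bytes([lead, 0x5C]).decode(charset)
        except UnicodeDecodeError:
            continue  # not a valid sequence in this charset
        if len(text) == 1:
            hits.append(lead)
    return hits

def bytewise_escaping_is_safe(charset: str) -> bool:
    """True if no multi-byte character of the charset ends in 0x5C."""
    return not lead_bytes_absorbing_backslash(charset)

def escaping_disagrees(text: str, charset: str) -> bool:
    """True if escaping the encoded bytes differs from escaping the characters
    and then encoding, i.e. the escaper and the parser see different strings."""
    per_char = "".join(
        ESCAPED[ord(c)].decode("ascii") if ord(c) in ESCAPED else c for c in text
    )
    return addslashes(text.encode(charset)) != per_char.encode(charset)

if __name__ == "__main__":
    for cs in ("utf-8", "iso-8859-1", "gbk", "big5", "shift_jis"):  # constructed list
        n = len(lead_bytes_absorbing_backslash(cs))
        print(f"{cs:12} safe={bytewise_escaping_is_safe(cs)} lead_bytes={n}")
    # Benign constructed samples: katakana "so" is 0x83 0x5C in Shift_JIS.
    print(escaping_disagrees("\u30bd", "shift_jis"))
    print(escaping_disagrees("O'Reilly", "utf-8"))
```

Legacy code that relies on byte-wise escaping should only run with a connection charset for which `bytewise_escaping_is_safe()` holds; otherwise move it to charset-aware escaping or prepared statements.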