With magic_quotes_gpc or addslashes it's harder to do injection attacks
but it's still possible. http://shiflett.org/archive/184 demonstrates
an attack using PHP and MySQL with multi-byte characters.

I think the more likely attack is actually due to how annoying
magic_quotes is.  You have to remove it to do any work, then you have to
remember to put it back on because you aren't escaping your SQL.

A final point is that it looks like magic_quotes will be removed from PHP6.


David

Reinhart Viane wrote:
> After some comments on my code I went on a 'fieldtrip' to learn about SQL
> injection...
> 
> Now after testing some examples with single and double quotes and MySQL
> comment (--) I haven't found any way to insert, edit or delete any data in the
> database.
> The login script is rather simple:
> 
> $query="SELECT * FROM persons WHERE login='$login' AND password='$password'";
> $result=mysql_query($query) or die(mysql_error());
> 
> The form has action POST.
> Now magic_quotes_gpc escapes every quote I insert.
> 
> Does this mean with magic_quotes_gpc on I am secured enough concerning
> MySQL injection through forms?
> 
> Thx
> 

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
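
Added example (not part of the original thread or either poster's code): the login check from the quoted script rewritten with bound parameters, so its safety does not depend on magic_quotes_gpc, addslashes or the connection character set. Assumptions: PDO with an in-memory SQLite database stands in for MySQL so the script runs offline, the `persons` rows and test inputs are constructed, and `check_login` and the hashed password column are hypothetical additions.

```php
<?php
declare(strict_types=1);

// In-memory SQLite stands in for MySQL (assumption) so this runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// With a MySQL DSN, also set PDO::ATTR_EMULATE_PREPARES to false and put
// charset=utf8mb4 in the DSN so the server, not the client, binds the values.

$pdo->exec('CREATE TABLE persons (login TEXT PRIMARY KEY, password TEXT NOT NULL)');

// Constructed sample rows; passwords are stored as hashes, never as plain text.
$insert = $pdo->prepare('INSERT INTO persons (login, password) VALUES (?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$insert->execute(["o'brien", password_hash('staple', PASSWORD_DEFAULT)]);

/** Returns true only when $login exists and $password matches its hash. */
function check_login(PDO $pdo, string $login, string $password): bool
{
    // Placeholders keep the SQL text fixed; the values travel separately and
    // are never parsed as SQL, whatever quotes or bytes they contain.
    $stmt = $pdo->prepare('SELECT password FROM persons WHERE login = ?');
    $stmt->execute([$login]);
    $hash = $stmt->fetchColumn();   // false when no row matches

    return is_string($hash) && password_verify($password, $hash);
}

// Constructed inputs: valid logins (one containing a quote), a wrong
// password, and quote-laden strings of the kind tested in the quoted post.
$cases = [
    ['alice', 'correct horse'],
    ["o'brien", 'staple'],
    ['alice', 'wrong'],
    ["alice' -- ", 'anything'],
    ["' OR '1'='1", "' OR '1'='1"],
];
foreach ($cases as [$login, $password]) {
    printf("%-18s %s\n", var_export($login, true),
        check_login($pdo, $login, $password) ? 'accepted' : 'rejected');
}
```

Only the first two cases are accepted; the quote in `o'brien` needs no escaping and no stripping, which also removes the "take the slashes off, remember to put them back" step described above.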
