Leif K-Brooks wrote:

> Peter Ammon wrote:
>> I'm bewildered why you haven't mentioned magic quotes. A one-line
>> change to the configuration file can render your PHP site almost
>> entirely immune to SQL injection attacks.
>
> PHP's magic quotes is one of the most poorly-designed features I can
> think of. Instead of magically escaping only strings which will actually
> be passed to a database (like Python's DB-API does), it escapes every
> string that comes from the user, meaning that strings which will be sent
> back to the user have to be manually unescaped.
Yup, I recently downloaded a script that required grc_magic_quotes (IIRC the name) to be *off*. I looked it up, and one has to do such a thing in the ini (!!!) file.

> Even worse, since it can be turned on and off, code which is designed
> for a magic_quotes=on environment will become seriously vulnerable when
> moved to an environment with magic_quotes on. Security-related features
> should never be toggleable!

Amen. And quite a few people who nowadays install PHP scripts are the same ones who reply to questions like "My messenger program doesn't work" with "Did you disable the firewall?".

--
John MexIT: http://johnbokma.com/mexit/
personal page: http://johnbokma.com/
Experienced programmer available: http://castleamber.com/
Happy Customers: http://castleamber.com/testimonials.html

--
http://mail.python.org/mailman/listinfo/python-list
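To make the contrast Leif draws concrete, here is an added Python example (not from the thread) emulating both designs against sqlite3: escape every request value on arrival, versus DB-API parameter binding that quotes only at the query boundary. The `escape_on_arrival` helper and the sample name are constructed, and SQLite's quote doubling stands in for PHP's backslash escaping.

```python
import sqlite3
SAMPLE_NAME = "O'Brien"  # constructed sample: a legitimate name with an apostrophe


def escape_on_arrival(value: str) -> str:
    """Emulate the magic_quotes design: escape every request value on arrival.
    Assumption: SQLite quote doubling stands in for PHP's backslash escaping."""
    return value.replace("'", "''")


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    return conn


def naive_path(name: str):
    """No escaping at all: user data spliced straight into the SQL text."""
    conn = new_db()
    try:
        conn.execute(f"INSERT INTO users (name) VALUES ('{name}')")
    except sqlite3.OperationalError:
        return None  # the apostrophe breaks the statement
    return conn.execute("SELECT name FROM users").fetchone()[0]


def magic_quotes_path(name: str):
    """Escape everything on arrival, then reuse that one value everywhere."""
    conn = new_db()
    escaped = escape_on_arrival(name)
    conn.execute(f"INSERT INTO users (name) VALUES ('{escaped}')")
    stored = conn.execute("SELECT name FROM users").fetchone()[0]
    page_text = f"Hello, {escaped}"  # echoed back without manual unescaping
    return stored, page_text


def dbapi_path(name: str):
    """DB-API parameter binding: the driver quotes only at the query boundary."""
    conn = new_db()
    conn.execute("INSERT INTO users (name) VALUES (?)", (name,))
    stored = conn.execute("SELECT name FROM users").fetchone()[0]
    page_text = f"Hello, {name}"  # the original string is untouched
    return stored, page_text


if __name__ == "__main__":
    print("naive:", naive_path(SAMPLE_NAME))
    print("magic quotes:", magic_quotes_path(SAMPLE_NAME))
    print("DB-API:", dbapi_path(SAMPLE_NAME))
```

The magic-quotes path stores the name correctly but greets the user as "O''Brien", which is exactly the manual-unescaping burden Leif describes; the DB-API path keeps the string intact on both sides.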