SQL-injection attack? (Re: Help with urlencode and rawurlencode)
| From | knut.suebert@web.de |
|---|---|
| Subject | SQL-injection attack? (Re: Help with urlencode and rawurlencode) |
| Date | |
| Msg-id | 20021016194246.GB833@fraxinus.reticulum |
| In reply to | Re: Help with urlencode and rawurlencode (Justin Clift <justin@postgresql.org>) |
| List | pgsql-php |
Justin Clift wrote:
> "Duncan Adams (DNS)" wrote:
> <snip>
> > ......host_table.hostname ilike \'%omc%\' order by....
> > on the next page.
>
> It sounds like you have the PHP variable "magic_quotes_gpc" set On in
> your "php.ini" configuration file. If you turn this off (can't remember
> if it's possible with a function) then it will probably fix your
> problem.

Had the same problem here a few minutes ago. If you don't want to turn off magic_quotes_gpc globally (for most things it is very useful, IMHO), try "stripslashes()" for problematic strings.

I'm not sure, but stripping slashes could offer a possibility of inserting "SQL-injection" attacks. Think about "'; delete from table xyz; select '" typed into a search field. More complicated queries to get the table names of a db could be possible.

Maybe it helps, if queries containing a ";" are rejected.

Knut Sübert
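
The concern raised in this message, shown as an added example that is not part of the original post or thread: the search string quoted above, passed through `stripslashes()`, first concatenated into the SQL text and then sent as a bound parameter with `pg_query_params()`. The `SELECT` statement around `host_table.hostname`, the function names and the `DEMO_PG_DSN` environment variable are assumptions made for the illustration.

```php
<?php
// Constructed sample input: the string from the post, in the form
// magic_quotes_gpc would deliver it (each quote prefixed with a backslash).
$fromRequest = "\\'; delete from table xyz; select \\'";

// Pattern discussed in the thread: strip the slashes, then paste the
// value into the SQL text. (Hypothetical query; only the column name
// host_table.hostname comes from the thread.)
function build_concatenated_query(string $term): string
{
    $term = stripslashes($term);
    return "SELECT hostname FROM host_table"
         . " WHERE hostname ILIKE '%" . $term . "%' ORDER BY hostname";
}

// Bound-parameter form: the SQL text is a constant and the search term
// travels separately, so quotes and semicolons in it stay data.
// pg_query_params() also accepts only a single SQL command per call.
function search_hosts($conn, string $term)
{
    $term = stripslashes($term);
    // Escape LIKE wildcards so the term is matched literally
    // (backslash is PostgreSQL's default LIKE escape character).
    $pattern = '%' . addcslashes($term, '\\%_') . '%';
    return pg_query_params(
        $conn,
        'SELECT hostname FROM host_table WHERE hostname ILIKE $1 ORDER BY hostname',
        [$pattern]
    );
}

// What the server would receive with concatenation: the quote inside
// the term ends the string literal and the rest is parsed as SQL.
echo build_concatenated_query($fromRequest), "\n";

// Optional: run the bound form against a test database if one is
// configured (DEMO_PG_DSN is a hypothetical variable for this example).
$dsn = getenv('DEMO_PG_DSN');
if ($dsn !== false && function_exists('pg_connect')) {
    $conn = pg_connect($dsn);
    if ($conn !== false) {
        $result = search_hosts($conn, $fromRequest);
        // The term is only a search pattern here, so this is a row count.
        echo $result ? pg_num_rows($result) . " matching rows\n" : "query failed\n";
    }
}
```

With binding, the value is never parsed as SQL, so the handling of `;` and `'` no longer depends on filtering the input.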