PHP vulnerability magic_quotes_gpc

I was assigned to one of the web applications owned by my company, and after a day or two of digging through the source, I found an SQL injection vector similar to the following:

mysql_query("SELECT * FROM foo WHERE bar='" . $_GET['baz'] . "'"); 

I tried to run an SQL injection test against this, but it fails because the magic_quotes_gpc PHP module is enabled.

I know magic_quotes_gpc is dirty, but we have hundreds, if not thousands, of lines of code like the one above. We simply cannot afford to disable magic_quotes_gpc, as this would leave the code wide open to attack.

I would like to know how "exploitable" the code above is, and whether it needs to be fixed immediately or can be included among our other refactoring tasks.

+4
3 answers

The usual way to deal with sites running magic_quotes_gpc is to add a wrapper function:

 function m($s) {
     // undo the slashes magic_quotes_gpc added on input, then escape once for SQL
     if (get_magic_quotes_gpc()) $s = stripslashes($s);
     return mysql_real_escape_string($s);
 }
 mysql_query("SELECT * FROM foo WHERE bar='" . m($_GET['baz']) . "'");

This fixes the problem that addslashes is not charset-aware, which could leave it vulnerable in some cases, and will generally keep the code working as before.

However, in the long run, relying on input-escaping is fragile, because it adds spurious slashes to input strings that you are not inserting into the database, and cannot escape strings that you insert into the database from other sources. This is the real reason magic_quotes_gpc is wrong: it applies output-stage encoding at the input stage.

So, add a wrapper function and then slowly update all SQL interpolations to use it. When you have covered everything, you can turn off magic quotes.

+8
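As an added example (not code from the answer or from the original site), here is the wrapper run in a simulated magic_quotes_gpc environment, showing both server states and the two failure modes the answer names. It assumes no database connection, so escapeForSql() is a stand-in for mysql_real_escape_string(), and the magic-quotes flag is passed to m() explicitly instead of being read from get_magic_quotes_gpc(); simulateMagicQuotes(), escapeForSql() and the sample values are all constructed for this demo.

```php
<?php
// Added example (not code from the answer above). It runs without a database:
// escapeForSql() stands in for mysql_real_escape_string(), which needs an open
// connection and went away with the mysql extension in PHP 7. magic_quotes_gpc
// itself is simulated so that both server states can be shown in one run.

// magic_quotes_gpc=On meant PHP ran addslashes() over every $_GET, $_POST and
// $_COOKIE value before the script ever saw it.
function simulateMagicQuotes(array $request, bool $on): array
{
    return $on ? array_map('addslashes', $request) : $request;
}

// Stand-in for mysql_real_escape_string($s). Real code should call
// mysqli_real_escape_string($link, $s) so the escaping matches the
// connection's character set.
function escapeForSql(string $s): string
{
    return addslashes($s);
}

// The answer's wrapper. $magicOn is what get_magic_quotes_gpc() returned;
// it is passed in explicitly here because that function no longer exists
// in PHP 8 and because the demo wants to show both states.
function m(string $s, bool $magicOn): string
{
    if ($magicOn) {
        $s = stripslashes($s);   // undo the input-stage escaping
    }
    return escapeForSql($s);     // escape exactly once, at the output stage
}

// Constructed request values: what the browser actually sent.
$sent = ['baz' => "O'Reilly", 'q' => "it's"];

// Constructed value from a non-request source (config file, another table):
// magic quotes never touched it.
$fromFile = "Bob's Shop";

foreach ([true, false] as $magicOn) {
    $get   = simulateMagicQuotes($sent, $magicOn);
    $label = $magicOn ? '[magic On ]' : '[magic Off]';

    // 1. With the wrapper the SQL is identical and correctly escaped in both states.
    echo "$label via m():      SELECT * FROM foo WHERE bar='" . m($get['baz'], $magicOn) . "'\n";

    // 2. The original line relies on magic quotes alone: fine when On,
    //    a broken (and injectable) query when Off.
    echo "$label legacy:       SELECT * FROM foo WHERE bar='" . $get['baz'] . "'\n";

    // 3. Failure mode A: a value that never goes near the database (logged,
    //    echoed back) arrives with slashes in it when magic quotes are On.
    echo "$label logged q:     " . $get['q'] . "\n";

    // 4. Failure mode B: data from other sources is not escaped by magic quotes
    //    at all, so the legacy pattern is injectable regardless of the setting.
    echo "$label legacy file:  SELECT * FROM foo WHERE bar='" . $fromFile . "'\n";
    // For non-request data, escape directly; do not run m() on it, because
    // stripslashes() would eat legitimate backslashes that were never added.
    echo "$label escaped file: SELECT * FROM foo WHERE bar='" . escapeForSql($fromFile) . "'\n\n";
}
```

Run it from the command line with php. The last two lines of the loop make a point the answer only implies: m() is for request values only. Anything that did not come through GET/POST/COOKIE should go straight to the escaping function, since stripslashes() on never-slashed data silently removes genuine backslashes.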

As long as magic quotes are on, and you do not use some special character encoding that could slip things past it, you should be fine, so to speak. The problem is that when for some reason magic quotes are not active (server change, configuration change), you will have many holes to fix.

0

I would add a line at the beginning that enables magic_quotes even if they are disabled in the server configuration. Then you will be more or less safe.

-2

Source: https://habr.com/ru/post/1299240/
