|
Web Application Security
Google code search Oct 05 2006 06:08AM Stephen de Vries (stephen corsaire com) (3 replies) Magic Quotes Oct 06 2006 11:00AM DokFLeed (dokfleed dokfleed net) (2 replies) Re: Magic Quotes Oct 10 2006 11:11PM Steve Slater (slater handsonsecurity com) (1 replies) |
|
|
Privacy Statement |
The Santy worm used a simple double-encoded single tick to bypass Magic Quotes. The real problem was the code: it then urldecoded the single-encoded tick at that point, but framework tricks like Magic Quotes are not the "end-all be-all" defense by any means. In fact, Magic Quotes was built out ofpure functionality and not security according to an interview with Lerdoff (sp?) I had found.
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Tomek Perlak
Sent: Tuesday, October 10, 2006 6:20 AM
To: webappsec (at) securityfocus (dot) com [email concealed]
Subject: Re: Magic Quotes
DokFLeed wrote:
> (..)
>
> if there is noway around Magic Quotes, then why is every developer
> against it ?
> Dok
>
I guess it's because it adds a layer of complexity to your code?
Some servers have MQs on, some don't (and you might not have any control over that), so you have to code for two cases.
Also, if data sanitation is being done using other functions (such as mysql_real_escape_string if you happen to use mysql), the MQs feature is a nuisance to deal with, to say the least.
// tp;
------------------------------------------------------------------------
-
Sponsored by: Watchfire
Watchfire has new programs available for pen testers and consultants to use AppScan in client engagements. AppScan is the leading Web application assessment tool. Want to see it for yourself? Take a look today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
------------------------------------------------------------------------
--
--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.407 / Virus Database: 268.13.1/466 - Release Date: 10/7/2006
--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.407 / Virus Database: 268.13.1/466 - Release Date: 10/7/2006
------------------------------------------------------------------------
-
Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download a Free Trial of AppScan today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ
------------------------------------------------------------------------
--
[ reply ]