Folks,
This question is directed towards PHP/MySQL folk and relates to escaping
hooks, apostrophes and other characters that can create a security hole
when writing to databases/files. I've been reading
http://ca2.php.net/manual/en/functio...quotes-gpc.php and just need
to confirm a couple of things:
If I have magic_quotes_gpc on, and I use addslashes() - Does this in effect
cause me to take security one step forward, and then back again? I mean, if
magic_quotes_gpc is on, it will escape all my data before writing it to the
database - But if I also use addslashes() will it not escape the escapes put
in by magic_quotes_gpc?
When I perform a SELECT at the moment, the data that contains special
characters is being returned with a backslash... This is wrong, correct?
Because a properly escaped character should be stored without the backslash,
true? Thus this means my quotes, or double quotes should be stored in my
table, and the quotes should not be preceded by the backslash character as
part of the returned string from my SELECT.
How can I test that I am storing my data properly? (Thus, how can I perform
a friendly attack on my database through my client HTML forms). I've tried
`/bin/ls -l > /tmp/rd1` but this does not create a temp file in my temp
directory - Thus, does this mean I have myself secure against this sort of
common hack attack?
All help, via the newsgroup, is much appreciated,
Thanks
Randell D.
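A worked illustration of the double-escaping question in the post, added here as an example (it is not code from the post). It shows what magic_quotes_gpc does to a form value, what a second addslashes() does on top of that, and a round-trip check against a database: insert the value through a prepared statement, SELECT it back, and confirm it equals the raw input with no backslash. The sample input `O'Reilly`, the table `people`, and the use of PDO with an in-memory SQLite database (so it runs without a MySQL server) are assumptions made for this example; the same PDO calls work unchanged against MySQL. magic_quotes_gpc itself was removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0, so the helper guards on function_exists().

```php
<?php
// Added example (not from the original post): why addslashes() on top of
// magic_quotes_gpc double-escapes, and how a prepared statement stores the
// raw value so it comes back from SELECT without any backslash.
// In-memory SQLite via PDO so it runs offline; table and input are constructed.

// Constructed sample form input, exactly as the browser sends it (no backslash).
$rawInput = "O'Reilly";

// What PHP handed the script when magic_quotes_gpc was on (PHP < 5.4):
// the apostrophe is already escaped before your code ever sees it.
$magicQuoted = addslashes($rawInput);          // O\'Reilly

// Calling addslashes() again, as the question describes, escapes the escape.
$doubleEscaped = addslashes($magicQuoted);     // O\\\'Reilly

// Undo magic quotes first, then let the database driver handle quoting.
// get_magic_quotes_gpc() existed in PHP 4/5, always returns false on 7.4,
// and is gone in PHP 8, hence the function_exists() guard.
function undoMagicQuotes(string $value): string {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');

// A bound parameter is never interpolated into the SQL text, so a quote in
// the value cannot terminate the string literal; no manual escaping needed.
$insert = $pdo->prepare('INSERT INTO people (name) VALUES (:name)');
$insert->execute([':name' => undoMagicQuotes($magicQuoted)]);

// The check the post asks for: what SELECT returns must equal the raw input,
// with no backslash in front of the apostrophe.
$stored = $pdo->query('SELECT name FROM people')->fetchColumn();

printf("raw:            %s\n", $rawInput);
printf("magic-quoted:   %s\n", $magicQuoted);
printf("double-escaped: %s\n", $doubleEscaped);
printf("stored:         %s\n", $stored);
printf("round trip ok:  %s\n", $stored === $rawInput ? 'yes' : 'no');
```

If the stored column ever shows a backslash before the quote, the value was escaped once more than the driver needed; the fix is to remove the extra addslashes() (or the stripslashes() call above if magic quotes are off), not to strip backslashes on the way out of the SELECT.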