Newsgroups: php.internals
Date: Wed, 31 May 2006 08:52:42 +0800
From: chris.kings-lynne@calorieking.com (Christopher Kings-Lynne)
To: Christopher Kings-Lynne
Cc: internals@lists.php.net
Subject: Re: [PHP-DEV] Recent PostgreSQL serious security hole

Here's a question. The docs for mysql_real_escape_string claim that it
checks the magic_quotes_gpc setting and will stripslashes() automatically.
However, I see nothing in the code that indicates this. Is it a
documentation error?

Chris

Christopher Kings-Lynne wrote:
> As a follow-up I've attached my initial patch for this. Can people
> please review?
>
> Chris
>
> Christopher Kings-Lynne wrote:
>> Hi,
>>
>> I'm starting on a pg_real_escape_string and pg_real_escape_bytea
>> function for PostgreSQL, based on this security release:
>>
>> http://www.postgresql.org/docs/techdocs.49
>>
>> Is anyone else working on it, or is it fine that I do it? I'll let
>> you know if it's going to take me too long.
>>
>> Basically the new functions are analogous to the
>> mysql_real_escape_string function. The difference will be that the
>> pgsql function will have the optional DB connection resource as the
>> first parameter rather than the second. (Same as other pgsql functions)
>>
>> Any comments?
>>
>> There may be cause to backport these functions ... although the
>> existing pg_escape_string function is safe in a single-threaded
>> context. That's your guys' call.
>>
>> Chris
>>

--
Christopher Kings-Lynne
Technical Manager
CalorieKing
Tel: +618.9389.8777
Fax: +618.9389.8444
chris.kings-lynne@calorieking.com
www.calorieking.com