Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:23802 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 32014 invoked by uid 1010); 31 May 2006 00:54:11 -0000 Delivered-To: ezmlm-scan-internals@lists.php.net Delivered-To: ezmlm-internals@lists.php.net Received: (qmail 31999 invoked from network); 31 May 2006 00:54:11 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 31 May 2006 00:54:11 -0000 X-PHP-List-Original-Sender: jasper@album.co.nz X-Host-Fingerprint: 210.55.31.88 mail.album.co.nz Linux 2.5 (sometimes 2.4) (4) Received: from ([210.55.31.88:55066] helo=mail.album.co.nz) by pb1.pair.com (ecelerity 2.0 beta r(6323M)) with SMTP id A2/C2-07504-F29EC744 for ; Tue, 30 May 2006 20:54:08 -0400 Received: from mail.album.co.nz (www.album.co.nz [127.0.0.1]) by mail.album.co.nz (Postfix) with ESMTP id EB86954BC8; Wed, 31 May 2006 12:54:01 +1200 (NZST) X-Spam-Checker-Version: SpamAssassin 3.1.1-gr0 (2006-03-10) on www.album.co.nz X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=none autolearn=unavailable version=3.1.1-gr0 Received: from [192.168.0.9] (222-152-179-182.jetstream.xtra.co.nz [222.152.179.182]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.album.co.nz (Postfix) with ESMTP id 3D8D23AA4B; Wed, 31 May 2006 12:54:01 +1200 (NZST) Message-ID: <447CE926.4070603@album.co.nz> Date: Wed, 31 May 2006 12:53:58 +1200 Organization: Album Limited User-Agent: Thunderbird 1.5.0.2 (Windows/20060308) MIME-Version: 1.0 To: Christopher Kings-Lynne CC: Christopher Kings-Lynne , internals@lists.php.net References: <138663365.20060514205903@marcus-boerger.de> <038d01c676f8$ab9b3380$6602a8c0@foxbox> <44685D24.2000801@php.net> <1147708994.14148.23.camel@notebook.local> <16710545416.20060515202714@marcus-boerger.de> <1147721541.14148.47.camel@notebook.local> <4468DB43.1020005@emini.dk> <7.0.1.0.2.20060515194051.02b32ef8@zend.com> <1148496966.19173.79.camel@notebook.local> <454303585.20060524213714@marcus-boerger.de> <44765279.8000601@akbkhome.com> <7.0.1.0.2.20060526040633.086814a0@zend.com> <4476608C.6070503@akbkhome.com> <7.0.1.0.2.20060526050422.08680c20@zend.com> <1376291629.20060526040801@marcus-boerger.de> <7.0.1.0.2.20060526120130.03c51060@zend.com> <4476C5C1.9080704@calorieking.com> <447A8E91.2030600@familyhealth.com.au> <447CE8DA.2060506@calorieking.com> In-Reply-To: <447CE8DA.2060506@calorieking.com> X-Enigmail-Version: 0.94.0.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Re: [PHP-DEV] Recent PostgreSQL serious security hole From: jasper@album.co.nz (Jasper Bryant-Greene) -----BEGIN PGP SIGNED MESSAGE----- Hash: RIPEMD160 Read the docs again. They do not claim that. I quote: "Note: If magic_quotes_gpc is enabled, first apply stripslashes() to the data. Using this function on data which has already been escaped will escape the data twice." -- http://php.net/mysql_real_escape_string Jasper Christopher Kings-Lynne wrote: > Here's a question. The docs for mysql_real_escape_string claim that it > checks the magic_quotes_gpc setting and will stripslashes() > automatically. However, I see nothing in the code that indicates this. > Is it a documentation error? > > Chris > > > Christopher Kings-Lynne wrote: >> As a follow up I've attached my initial patch for this. Can people >> please review? >> >> Chris >> >> Christopher Kings-Lynne wrote: >>> Hi, >>> >>> I'm starting on a pg_real_escape_string and pg_real_escape_bytea >>> function for PostgreSQL, based on this security release: >>> >>> http://www.postgresql.org/docs/techdocs.49 >>> >>> Is anyone else working on it, or is it fine that I do it? I'll let >>> you know if it's going to take me too long. >>> >>> Basically the new functions are analagous to the >>> mysql_real_escape_string function. The difference will be that the >>> pgsql function will have the optional DB connection resource as the >>> first parameter rather than the second. (Same as other pgsql functions) >>> >>> Any comments? >>> >>> There may be cause to backport these functions ... although the >>> existing pg_escape_string function is safe in a single threaded >>> context. That's your guys call. >>> >>> Chris >>> > - -- Jasper Bryant-Greene General Manager Album Limited http://www.album.co.nz/ 0800 4 ALBUM jasper@album.co.nz 021 708 334 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) iD8DBQFEfOkmFfAeHhDzT4gRA3/1AJ40jOrkZfaK+8vScrWlQw7GO3MBwwCfU0ra KiUywAybyQsqO+J9AZggX/s= =dYMR -----END PGP SIGNATURE-----