Newsgroups: php.internals
Message-ID: <4F3A607F.90904@co3k.org>
In-Reply-To: <4F3A5C9B.5060808@thelounge.net>
Date: Tue, 14 Feb 2012 22:24:15 +0900
From: kousuke@co3k.org (Kousuke Ebihara)
To: internals@lists.php.net
Subject: Re: [PHP-DEV] About CVE-2012-0831 (magic_quotes_gpc remote disable vulnerability?)

(12/02/14 22:07), Reindl Harald wrote:
> who in the world has magic_quotes on and does rely on any
> addslashes() or magic_quotes thinking this makes any query
> safe against sql-injection?
>
> without mysql_real_escape() you are completely unprotected
> in every case and magic_quotes was one of the worst
> things ever implemented
>

Of course I agree with you.

(And, basically, we should use prepared statements, but that is not the main topic...)

-- 
Kousuke Ebihara
http://co3k.org/