<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 07/22/2013 09:57 AM, Andy Borgmann
wrote:<br>
</div>
<blockquote
cite="mid:CABGEp7qXib4u+oTLbtheb7xHj2Z1vQ5ww_S+WCA++QR==xsa7w@mail.gmail.com"
type="cite">
<div>Also, isn't SQL injection pretty much fixed with Magic
Quotes? I had a security guy from GA Tech test my site once and
was unable to SQL inject attack the site. I thought this was
largely due to the fact that any $_POST to the site is
automatically escaped via Magic Quotes.</div>
</blockquote>
<br>
Any code which relies on Magic Quotes is insecure when run with
Magic Quotes disabled. That functionality was removed because of
the false sense of security that people derived from it. No quoting
rules are applicable for all systems. A professional PHP programmer
knows this fact, and will not rely on MQ behavior. Some PHP
applications even refuse to run with the setting enabled, as it can
introduce security flaws in their own system which performs correct
escaping for all of the points it interacts with.<br>
<br>
They've been talking about removing MQ for years, and the best
practice was to keep it disabled and properly handle your escaping
and de-escaping yourself. This works for professional PHP
programmers, because professional PHP programmers already take
responsibility for input sanitization and validation of their data,
either manually or by using a base class or request processor class
or some other method.<br>
<br>
Have fun rewriting your code for PHP 5.4 and later releases, by the
way.<br>
<br>
— Mike<br>
<br>
<div class="moz-signature">-- <br>
<table border="0">
<tbody>
<tr>
<td> <img src="cid:part1.06050206.06030007@naunetcorp.com"
alt="Naunet Corporation Logo"> </td>
<td> Michael B. Trausch<br>
<br>
President, <strong>Naunet Corporation</strong><br>
☎ (678) 287-0693 x130 or (888) 494-5810 x130<br>
<br>
</td>
</tr>
</tbody>
</table>
</div>
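<br>
Added illustration (not from the thread above): why Magic Quotes never "fixed" SQL injection, and the prepared-statement pattern Mike is pointing at. It assumes PHP with the pdo_sqlite extension; the table rows and the input string are constructed for the demo.<br>

```php
<?php
// Added example, not code from the original message. Assumes pdo_sqlite.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
// Constructed sample data.
$db->exec("INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')");

// What magic_quotes_gpc did to every $_GET/$_POST/$_COOKIE value:
// the equivalent of addslashes(), i.e. a backslash before ' " \ and NUL.
// Nothing else is touched, and the rule is the same for every database.
function magicQuotes(string $value): string
{
    return addslashes($value);
}

// Pattern that only appeared safe under Magic Quotes: the value is dropped
// into the query unquoted because the column is numeric. Input containing
// no quote characters passes through addslashes() unchanged, so the
// WHERE clause is rewritten and the query returns every row.
function findUserVulnerable(PDO $db, string $id): array
{
    $id  = magicQuotes($id);
    $sql = "SELECT name FROM users WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Replacement that does not depend on magic_quotes_gpc, on addslashes(),
// or on the quoting rules of a particular database: the value is bound as
// a parameter, so it is only ever treated as data, never as SQL.
function findUserSafe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input: a numeric-looking value with an appended condition
// and no quote characters, so Magic Quotes would leave it untouched.
$constructedInput = '2 OR 1=1';

var_dump(findUserVulnerable($db, $constructedInput)); // both names returned
var_dump(findUserSafe($db, $constructedInput));       // no row has that id
```

The same bound-parameter form also avoids the double-escaping that corrupted stored data when an application called addslashes() on input Magic Quotes had already escaped.<br>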
</body>
</html>