Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Successful SQL Injection despite PHP Magic Quotes

I have always read that Magic Quotes do not stop SQL Injections at all but I am not able to understand why not! As an example, let's say we have the following query:

SELECT * FROM tablename
  WHERE email='$x';

Now, if the user input makes $x=' OR 1=1 --, the query would be:

SELECT * FROM tablename
  WHERE email='\' OR 1=1 --';

The backslash will be added by Magic Quotes with no damage done whatsoever!

Is there a way that I am not seeing where the user can bypass the Magic Quote insertions here?

like image 453
KJ Saxena Avatar asked Apr 29 '10 08:04

KJ Saxena


People also ask

Does PHP prevent SQL injection?

Another approach for avoiding SQL injections is using PHP Prepared Statements. A prepared statement is a feature in PHP which enables users to execute similar SQL queries efficiently and repeatedly.

What is magic quote in PHP?

Magic quotes was a feature of the PHP scripting language, wherein strings are automatically escaped—special characters are prefixed with a backslash—before being passed on. It was introduced to help newcomers write functioning SQL commands without requiring manual escaping.

Which SQL injection attack is the easiest to perform?

In-band SQLi (Classic SQLi) In-band SQL Injection is the most common and easy-to-exploit of SQL Injection attacks. In-band SQL Injection occurs when an attacker is able to use the same communication channel to both launch the attack and gather results.

What is SQL injection in PHP with example?

What is PHP SQL Injection? When an attacker exploits a PHP application via an SQL Injection, they can gain access to the application's database and make the application execute unauthorized injected SQL commands to control the behavior of the application.


1 Answers

The trick is usually to pass a binary value so that the backslash would become a part of valid multibyte character. Here is a blog post about it.

like image 58
newtover Avatar answered Sep 27 '22 23:09

newtover