Graeme1972 Posted July 18, 2007

Hi there

A little confused here... No wise cracks pls

* My development environment is XAMPP and my PRD is on P(l)esk. Both have safe_mode off.
* The site has no ftp access; images may be uploaded but only after being checked and verified.
* A php file that is already on the server uses the php "exec" command to perform an "ls *gif" over certain directories to get a list of images to display.

1) In the XAMPP env, if I search from a site page and the term incl. a double quote (") then it is escaped with a \. In the PRD env it does not escape any strings. ...just checked and think this is "magic_quotes_gpc = On" in the php.ini. Is that correct, and how important is this?

2) How am I at risk if safe_mode is off and my $_POST variables are not sprintf'd? So you know, I have tried various combinations of php and mysql injection but they don't seem to have any adverse effect. For example, a search term like "; echo 1; is entered but no 1 is echoed. Obviously I'm a terrible hacker.

Is it a good idea to sprintf loop through all $_POST vars before any other processing takes place?

Many thanks
Graeme
trq Posted July 18, 2007

1) Personally, I'd rather have magic_quotes_gpc Off and escape data myself as required.

2) While sprintf can help, you still need to escape your data before entering any of it into a database. mysql_real_escape_string is recommended, but remember, do not apply this if magic_quotes_gpc is On as your data will then get escaped twice. You can use something like...

<?php
// Escape a value for use in a MySQL query, but only when magic_quotes_gpc
// has not already added the backslashes (otherwise it would be escaped twice).
function doescape($str) {
    return get_magic_quotes_gpc() ? $str : mysql_real_escape_string($str);
}
?>
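An added example, not from trq's post, showing the other way to avoid the double-escaping problem above: strip the magic_quotes_gpc backslashes first so every value is raw exactly once, then escape it once for the sink it is headed to (SQL or, for the "ls" over directories, a shell argument). It assumes an open mysql connection and the 2007-era mysql_* extension; on current PHP, prepared statements replace mysql_real_escape_string.

```php
<?php
// Undo magic_quotes_gpc so request data is in its raw form exactly once,
// whatever the server's php.ini says (XAMPP vs. Plesk in the thread).
function raw_input($value) {
    if (is_array($value)) {
        return array_map('raw_input', $value);
    }
    return get_magic_quotes_gpc() ? stripslashes($value) : $value;
}

// Escape once for a SQL string literal. Because raw_input() already removed
// any magic-quotes backslashes, this never escapes twice.
function sql_escape($value) {
    return mysql_real_escape_string(raw_input($value));
}

// mysql_real_escape_string does not touch the LIKE wildcards % and _, so a
// search term used in a LIKE pattern needs them escaped as well (after the
// main escape, so the added backslash is not itself doubled).
function like_escape($value) {
    return addcslashes(sql_escape($value), '%_');
}

// Escape once for use as a single shell argument, e.g. a directory name
// handed to exec('ls ...') as described in the thread.
function shell_escape($value) {
    return escapeshellarg(raw_input($value));
}

// Constructed usage: a search term from the form and a listing directory.
$term = isset($_POST['term']) ? $_POST['term'] : '';
$sql  = "SELECT name FROM images WHERE name LIKE '%" . like_escape($term) . "%'";

$dir  = 'images/gallery';               // constructed, not user-controlled
exec('ls ' . shell_escape($dir) . '/*.gif', $files);
```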
Graeme1972 Posted July 18, 2007 (Author)

Hi Thorpe

Thanks for the useful function!

Something else, I should have asked about php injection too. What's the best here?

G