[ciapug] On or Off ...

Carl Olsen carl-olsen at mchsi.com
Mon Aug 8 21:23:39 CDT 2005


I just entered some data into my contact form at: 

http://www.carl-olsen.com/Modules/Contact/index.aspx

I put in a whole bunch of apostrophes and double quotes.  The form took the
data without throwing any errors and all of the data got captured to the
PostgreSQL 8 database without any changes to the apostrophes or quotes.  Is
there some nasty SQL injection I could try to see if I can break it, or is
my database protected because I'm using stored procedures and parameterized
functions to call them?

Or, could the .NET provider I'm using be laundering it for me?  I'm using
Npgsql.dll for the data provider.

Carl
http://www.carl-olsen.com/
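Carl's question above (is the database protected by the parameterized stored-procedure calls, or is Npgsql "laundering" the input?), as an added example that is not code from the page: with a parameterized call the application never concatenates user text into SQL, so handling the quotes is entirely the provider's and server's job. The function name, parameter names and connection string are assumptions.

```csharp
// Added example (not Carl's code): the two ways a contact form could hand user
// text to PostgreSQL through Npgsql. Assumed: a stored function
//   CREATE FUNCTION add_contact(p_name text, p_message text) RETURNS void ...
// and a valid connection string in connString.
using System;
using System.Data;
using Npgsql;
using NpgsqlTypes;

public class ContactStore
{
    // Hardened form. The values are bound as parameters, so the application
    // never splices them into SQL; apostrophes and double quotes arrive in the
    // table verbatim without any addslashes-style escaping in the page code.
    public static void SaveContact(string connString, string name, string message)
    {
        using (NpgsqlConnection conn = new NpgsqlConnection(connString))
        {
            conn.Open();
            using (NpgsqlCommand cmd = new NpgsqlCommand("add_contact", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;

                NpgsqlParameter pName = new NpgsqlParameter("p_name", NpgsqlDbType.Text);
                pName.Value = name;
                cmd.Parameters.Add(pName);

                NpgsqlParameter pMessage = new NpgsqlParameter("p_message", NpgsqlDbType.Text);
                pMessage.Value = message;
                cmd.Parameters.Add(pMessage);

                cmd.ExecuteNonQuery();
            }
        }
    }

    // Contrast: the same call built by string concatenation. The user text
    // becomes part of the SQL, so a single apostrophe in name ends the literal
    // early: Carl's apostrophe-heavy test input would produce a syntax error
    // here rather than a clean insert, and crafted input could change the
    // statement. Shown only to make clear what the parameterized form avoids.
    public static string UnsafeSql(string name, string message)
    {
        return "SELECT add_contact('" + name + "', '" + message + "')";
    }
}
```

A quick check from the database side is to compare what `SELECT` returns for the stored row with the exact text typed into the form; with the parameterized path they match character for character.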

-----Original Message-----
From: ciapug-bounces at cialug.org [mailto:ciapug-bounces at cialug.org] On Behalf
Of Tony Bibbs
Sent: Monday, August 08, 2005 10:55 AM
To: ciapug at cialug.org
Cc: cjh at raccoon.com
Subject: Re: [ciapug] On or Off ...

For security reasons register_globals should be turned off, though as 
Dave mentioned, many older PHP apps require them.

I prefer magic quotes to be turned off as well but that's simply because 
we use creole for database abstraction and it handles the quotes for us. 
We've seen issues where PHP code gets ugly when you have a bunch of 
addslashes/stripslashes so it's best to leave that to something else 
(like your abstraction layer).

Similarly PEAR::DB supports prepared statements which, if used, get you 
out of the business of worrying about quotes.

--Tony

Dave J. Hala Jr. wrote:
> Register globals off is preferred, unless you have some old php apps
> that didn't make use of $_POST when posting variables.
> 
> I believe globals off is now the default. You'll know right away if you've
> got apps that require globals on. :)
> 
> If you do, you may want to consider putting them on your list of apps
> that are to be "phased out/rewritten" etc.
> 
> :) Dave
> 
> 
> On Mon, 2005-08-08 at 09:34, Chris Hettinger wrote:
> 
>>magic_quotes_gpc and register_globals .... On or Off ??
>>
>>I believe that, and correct me if I am wrong, most will say Magic Quotes
>>= On and Registered Globals = Off.
>>
>>Arguments one way or the other?
>>
>>-ch
_______________________________________________
ciapug mailing list
ciapug at cialug.org
http://cialug.org/mailman/listinfo/ciapug