[wp-hackers] forum post: sql injection

Mike Little journalized at gmail.com
Fri Aug 5 06:02:05 GMT 2005

On 05/08/05, Mark Jaquith <mark.wordpress at txfx.net> wrote:
> Mike Little wrote:
> >On 05/08/05, Denis de Bernardy <denis at semiologic.com> wrote:
> >
> >
> >>Magic quotes on?
> >>
> >>D.
> >>
> >Yes it was on, but I get the same with it on and off.
> >
> >Mike
> >
> >
> You *sure* you turned it off?  Meaning, did you turn it off, and then
> test for the value to be certain that it was off?  Those backslashes
> indicate to me that it was escaped... and I can't see anywhere in
> WordPress where that would be escaped.
> --
> Mark Jaquith
> http://txfx.net/
> MCincubus @ #wordpress
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers

I set it off in /etc/php4/apache/php.ini,
then restarted Apache.
Then I checked with a page with a call to phpinfo() in it.
...I just added phpinfo() to the bottom of profile.php and all three
xxx_quotes settings are off.

The output I quoted was from Apache's log file after I added a call to
error_log() in the script.

Perhaps someone else would like to try the same experiment to see if
they can successfully inject some SQL. I'm no expert.

Mike Little
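The check Mike describes (phpinfo() at the bottom of profile.php, then error_log() to see the value the script actually received) can be done from inside the script itself. The following is an added example written for this thread, not code from WordPress or from any poster; it reports the three xxx_quotes settings as the running PHP sees them, strips the one level of backslash escaping that magic_quotes_gpc adds so that a value is escaped exactly once by the database layer, and logs the result with error_log(). The function and variable names are assumptions, and the sample input is constructed.

```php
<?php
// Added diagnostic example (not from the thread or from WordPress).
// Reports the magic_quotes settings as the running script sees them, which is
// the same information a phpinfo() call at the bottom of a script shows.
function magic_quotes_report()
{
    $names = array('magic_quotes_gpc', 'magic_quotes_runtime', 'magic_quotes_sybase');
    $report = array();
    foreach ($names as $name) {
        // ini_get() returns false when the directive does not exist at all
        // (PHP 5.4 removed magic quotes); "" or "0" means it is off.
        $value = ini_get($name);
        if ($value === false) {
            $report[$name] = 'not present in this PHP';
        } else {
            $report[$name] = $value ? 'on' : 'off';
        }
    }
    // get_magic_quotes_gpc() was removed in PHP 8.0, so guard the call.
    if (function_exists('get_magic_quotes_gpc')) {
        $report['get_magic_quotes_gpc()'] = get_magic_quotes_gpc() ? 'on' : 'off';
    } else {
        $report['get_magic_quotes_gpc()'] = 'function not available';
    }
    return $report;
}

// Undo the single level of escaping that magic_quotes_gpc adds to request
// data, so the value reaches the database layer unescaped and is escaped
// there exactly once (mysqli_real_escape_string or a prepared statement).
// With magic quotes off, the value is returned unchanged.
function unquote_gpc($value)
{
    $gpc_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $gpc_on ? stripslashes($value) : $value;
}

// Constructed sample: a browser sends "O'Reilly"; with magic_quotes_gpc on,
// PHP hands the script "O\'Reilly", which is where the backslashes in the
// logged output come from.
$sample = isset($_GET['name']) ? $_GET['name'] : "O'Reilly";
error_log('magic quotes report: ' . json_encode(magic_quotes_report()));
error_log('raw value: ' . $sample . ' / normalized: ' . unquote_gpc($sample));
```

Drop the file into the web root, request it once with `?name=O'Reilly`, and compare the two values in Apache's error log with the report: a backslash in the raw value while every setting reads off means the escaping was added by something other than PHP's magic quotes.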
