[wp-hackers] forum post: sql injection
Mike Little
journalized at gmail.com
Fri Aug 5 06:02:05 GMT 2005
On 05/08/05, Mark Jaquith <mark.wordpress at txfx.net> wrote:
> Mike Little wrote:
>
> >On 05/08/05, Denis de Bernardy <denis at semiologic.com> wrote:
> >
> >
> >>Magic quotes on?
> >>
> >>D.
> >>
> >Yes it was on, but I get the same with it on and off.
> >
> >Mike
> >
> >
> You *sure* you turned it off? Meaning, did you turn it off, and then
> test for the value to be certain that it was off? Those backslashes
> indicate to me that it was escaped... and I can't see anywhere in
> WordPress where that would be escaped.
>
> --
> Mark Jaquith
> http://txfx.net/
> MCincubus @ #wordpress
>
I set it off in /etc/php4/apache/php.ini
then restarted apache
Then I checked with a page with a call to phpinfo() in it.
...I just added phpinfo() to the bottom of profile.php and all three
xxx_quotes settings are off.
The output I quoted was from Apache's log file after I added a call to
error_log() in the script.
Perhaps someone else would like to try the same experiment to see if
they can successfully inject some SQL. I'm no expert.
Mike
--
Mike Little
http://zed1.com/journalized/
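An added example, not code from this thread or from WordPress, of the check Mark asks for (verify the *effective* magic quotes setting at runtime rather than trusting php.ini) and of where stray backslashes in a logged value come from when input that magic quotes already escaped gets escaped a second time. The function names `magic_quotes_status`, `raw_input` and `escape_once` and the sample value are mine.

```php
<?php
// Added example, not part of the thread or of WordPress.
// 1. Report the effective magic_quotes settings for this request. Reading
//    php.ini is not enough: get_magic_quotes_gpc() is what the running
//    interpreter actually applied (the function is gone in PHP 8, where the
//    answer is always "off").
function magic_quotes_status() {
    $gpc = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return array(
        'magic_quotes_gpc'     => (bool) $gpc,
        'magic_quotes_runtime' => (bool) ini_get('magic_quotes_runtime'),
        'magic_quotes_sybase'  => (bool) ini_get('magic_quotes_sybase'),
    );
}

// 2. Normalise a GPC value back to the raw string the user typed, whatever
//    the setting, so later code can escape it exactly once.
function raw_input($value, $magic_quotes_on) {
    return $magic_quotes_on ? stripslashes($value) : $value;
}

// 3. Escape exactly once for a single-quoted SQL literal. addslashes() is a
//    stand-in here for a driver escape such as mysqli_real_escape_string();
//    with a prepared statement this step is not needed at all.
function escape_once($raw) {
    return addslashes($raw);
}

// Constructed sample: what $_POST['name'] holds for the input O'Brien under
// each setting, and what reaches the query when the value is escaped
// naively versus after normalising.
foreach (array(false, true) as $mq_on) {
    $submitted   = "O'Brien";
    $as_received = $mq_on ? addslashes($submitted) : $submitted; // as PHP hands it over
    $naive       = addslashes($as_received);                     // escape without normalising
    $correct     = escape_once(raw_input($as_received, $mq_on));
    error_log(sprintf("magic_quotes_gpc=%d received=%s naive=%s correct=%s",
        $mq_on, $as_received, $naive, $correct));
}
// With magic quotes on, "naive" logs O\\\'Brien: the extra backslashes are an
// escaping artefact, not a sign the quote reached the database unescaped.
// "correct" is O\'Brien in both runs.
print_r(magic_quotes_status());
```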