SQL Injection immunity on Ubuntu

Andreas Olsson andreas at arrakis.se
Wed May 7 08:03:14 UTC 2008


On Wednesday 07 May 2008 09:11:09 Dax Solomon Umaming wrote:
> Our server's still using Gutsy, and I've tried snippets from
> http://en.wikipedia.org/wiki/SQL_injection . I'm surprised to see that PHP
> escaped them with \. I've echoed almost all forms on my scripts with the
> same results.

This is most likely the result of magic_quotes_gpc being enabled in PHP.

> So now my questions are;
> Is the default LAMP stack on Ubuntu Server immune from SQL Injections?
> If I move my PHP script to a freshly-installed Hardy, will I get the same
> result?

Yes, magic_quotes_gpc seems to be the default in Hardy as well.

Personally I don't think that is something you should rely on. What if you in
the future move the page to another server, with different settings?

As Onno Benschop mentions, mysql_real_escape_string() is a good function to
use. It might also be a good idea, when possible, to validate your input.

-- 
Andreas Olsson
http://www.andreasolsson.se/
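The advice in the reply above, shown as PHP 5-era code: a query that only works safely while magic_quotes_gpc happens to be on, next to the same lookup escaped explicitly with mysql_real_escape_string() and an ID lookup that validates instead of escaping. This is an added example, not code from the thread or from Ubuntu; the `$link` connection, the `users(id, name)` table and the credentials are assumptions, and the query strings are constructed for illustration.

```php
<?php
// Added example (not from the mailing-list thread). Assumes an open MySQL
// connection in $link and a table users(id, name); both are assumptions.

// Vulnerable: this relies on magic_quotes_gpc having already backslashed the
// quote characters in $name. On a server where magic quotes are off, a value
// such as  O'Reilly' OR '1'='1  closes the string literal and rewrites the
// WHERE clause, which is exactly the portability problem the reply warns about.
function find_user_vulnerable($link, $name)
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return mysql_query($sql, $link);
}

// Normalise request input so the script behaves the same on every server:
// if magic_quotes_gpc is on, strip the backslashes it added, otherwise the
// explicit escaping below would escape the value twice.
function get_raw_input($value)
{
    if (!is_string($value)) {
        return '';                       // arrays / missing keys are not accepted
    }
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Hardened string lookup: escape for the connection's character set, every
// time, regardless of php.ini.
function find_user_by_name($link, $name)
{
    $name = mysql_real_escape_string(get_raw_input($name), $link);
    $sql  = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return mysql_query($sql, $link);
}

// Validation instead of escaping: an id must be digits only. Anything else is
// rejected outright rather than "cleaned", and the int cast makes the value
// safe to interpolate without quotes.
function find_user_by_id($link, $id)
{
    $id = get_raw_input($id);
    if (!ctype_digit($id)) {
        return false;                    // caller treats this as a bad request
    }
    $sql = "SELECT id, name FROM users WHERE id = " . (int) $id;
    return mysql_query($sql, $link);
}

// Usage (constructed connection details; replace with your own).
$link = mysql_connect('localhost', 'app', 'secret') or die(mysql_error());
mysql_select_db('appdb', $link);

$byName = find_user_by_name($link, isset($_GET['name']) ? $_GET['name'] : '');
$byId   = find_user_by_id($link, isset($_GET['id']) ? $_GET['id'] : '');
if ($byId === false) {
    header('HTTP/1.0 400 Bad Request');
    exit;
}
```

The point of get_raw_input() is that the script no longer cares whether magic_quotes_gpc is on: input is brought back to its original form first, then escaped or validated deliberately. Note that the mysql_* extension and get_magic_quotes_gpc() were removed in later PHP releases (PHP 7 and PHP 8 respectively); the same pattern applies unchanged with mysqli_real_escape_string(), and a prepared statement removes the need for manual escaping altogether.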