[wp-hackers] forum post: sql injection
journalized at gmail.com
Fri Aug 5 06:02:05 GMT 2005
On 05/08/05, Mark Jaquith <mark.wordpress at txfx.net> wrote:
> Mike Little wrote:
> >On 05/08/05, Denis de Bernardy <denis at semiologic.com> wrote:
> >>Magic quotes on?
> >Yes it was on, but I get the same with it on and off.
> You *sure* you turned it off? Meaning, did you turn it off, and then
> test for the value to be certain that it was off? Those backslashes
> indicate to me that it was escaped... and I can't see anywhere in
> WordPress where that would be escaped.
> Mark Jaquith
> MCincubus @ #wordpress
I set it off in /etc/php4/apache/php.ini
then restarted apache
Then I checked with a page with a call to phpinfo() in it.
...I just added phpinfo() to the bottom of profile.php and all three
xxx_quotes settings are off.
The output I quoted was from Apache's log file after I added a call to
error_log() in the script.
Perhaps someone else would like to try the same experiment to see if
they can successfully inject some SQL. I'm no expert.
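An added example (not code from this thread or from WordPress) showing why the backslashes Mark points to appear in the log, and how a script can see the same value whether magic_quotes_gpc is on or off; the typed value is a constructed sample.

```php
<?php
// Added example, not code from the thread or from WordPress.

// The three settings the post checks with phpinfo(). ini_get() reads the
// live values of the running interpreter, so it reflects php.ini only after
// the restart. (Magic quotes were removed in PHP 5.4; there all three read off.)
function magic_quotes_state() {
    $state = array();
    foreach (array('magic_quotes_gpc', 'magic_quotes_runtime', 'magic_quotes_sybase') as $name) {
        $state[$name] = (bool) ini_get($name);
    }
    return $state;
}

// What a $_POST value looks like for a typed string under the given setting:
// magic_quotes_gpc adds a backslash before every quote and backslash on arrival,
// which is the escaping seen in the error_log() output.
function as_received($typed, $magic_quotes_gpc) {
    return $magic_quotes_gpc ? addslashes($typed) : $typed;
}

// Undo the automatic escaping only when it actually happened, so the rest of
// the script works on the raw value and escapes exactly once, at query time.
function raw_value($received, $magic_quotes_gpc) {
    return $magic_quotes_gpc ? stripslashes($received) : $received;
}

$typed = "O'Reilly";   // constructed sample input
foreach (array(true, false) as $gpc) {
    $received = as_received($typed, $gpc);
    $raw      = raw_value($received, $gpc);
    // Escaping the received value directly double-escapes when gpc is on;
    // escaping the normalised raw value yields the same literal either way.
    printf("magic_quotes_gpc=%s received=%s naive=%s correct=%s\n",
        $gpc ? 'on' : 'off', $received, addslashes($received), addslashes($raw));
}
print_r(magic_quotes_state());
```

Running it on the same server where the log was captured lets you compare the live settings with what phpinfo() reports, and the "naive" column reproduces the doubled backslashes that a second escaping layer produces when magic quotes are on.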