Posted by Chuck Anderson on 02/28/06 21:12
Jim Carlock wrote:
>I can't find the link right at the moment, but somewhere I read
>something about magic_quotes settings in the PHP.INI file.
>
>The current settings on the XP machine...
>
><snip>
>; Magic quotes
>;
>
>; Magic quotes for incoming GET/POST/Cookie data.
>magic_quotes_gpc = On
>
>; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
>magic_quotes_runtime = Off
>
>; Use Sybase-style magic quotes (escape ' with '' instead of \').
>magic_quotes_sybase = Off
>;...
>;added php_mime_magic.dll to test mime_content_type() function
>extension=php_mime_magic.dll
></snip>
>
>I enabled the php_mime_magic.dll on the XP machine.
>The Apache server lists mod_mime_magic as a loaded module.
>
>On the aquaticcreationsnc.com server (run by some webhosting
>company) the settings read the same:
>
>magic_quotes_gpc = On
>magic_quotes_runtime = Off
>magic_quotes_sybase = Off
>
>Apache Loaded Modules (displayed through phpinfo();)...
>mod_mime_magic
>
>And there is a directive listed in both configurations as:
><Directive name="safe_mode_allowed_env_vars" content="Local Value=PHP_" />
>
>Anyways, Google is apparently vulnerable to the XSS
>(cross site scripting) attacks as well. In fact, I noticed some
>strange things happening with Google and their cached pages.
>
>There seems to be quite a bit of information available here...
>http://lists.grok.org.uk/pipermail/full-disclosure/2005-December.txt
>
>I'm lost. Hopefully someone knows what's going on and can help
>out.
>
>
I'm quite lost, too. Just trying to make sense of this for use in future
implementations. I try to add security-related issues that I read about
here (and *understand*) to my PHP scripting habits. I use forms with
action=PHP_SELF quite often.
If it makes any difference, magic_quotes_gpc is enabled on both my local
machine and at my remote host.
--
*****************************
Chuck Anderson • Boulder, CO
http://www.CycleTourist.com
Integrity is obvious.
The lack of it is common.
*****************************
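The thread ties together two things that are actually independent: the magic_quotes_gpc setting and XSS through forms whose action echoes PHP_SELF. The following PHP snippet is an added example, not code from either poster. It uses a constructed sample value for $_SERVER['PHP_SELF'] (a hypothetical request path with extra path info appended) to show that addslashes(), which is all magic_quotes_gpc does, leaves the characters that break out of an HTML attribute untouched, and that htmlspecialchars() is the check that actually neutralises them.

```php
<?php
// Added example, not from the original thread. Demonstrates why
// magic_quotes_gpc gives no XSS protection for action=PHP_SELF forms.

// Constructed sample: a request path with extra path info appended, which is
// one way $_SERVER['PHP_SELF'] can carry attacker-influenced characters.
// This value is made up for the demonstration; it is not a real request.
$samplePhpSelf = '/contact.php/"><b>injected</b>';

// magic_quotes_gpc applies addslashes() to incoming GET/POST/Cookie values.
// PHP_SELF is not GPC data, so magic quotes never touch it at all; this
// function only shows what the setting would have done to the string.
function magicQuotesView(string $value): string
{
    return addslashes($value);
}

// Vulnerable pattern: raw PHP_SELF dropped into an HTML attribute.
function formVulnerable(string $phpSelf): string
{
    return '<form method="post" action="' . $phpSelf . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES makes
// both single and double quotes encoded, so the attribute cannot be closed early.
function formHardened(string $phpSelf): string
{
    $safe = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="' . $safe . '">';
}

// addslashes() escapes only quotes and backslashes; '<' and '>' survive, and
// a backslash before the quote means nothing to an HTML parser, so the
// attribute still terminates early.
echo "addslashes view: " . magicQuotesView($samplePhpSelf) . PHP_EOL;
echo "vulnerable form: " . formVulnerable($samplePhpSelf) . PHP_EOL;
echo "hardened form:   " . formHardened($samplePhpSelf) . PHP_EOL;
```

Run it with `php example.php` and compare the three lines: the first shows a backslash inserted before the double quote while the angle brackets remain, the second shows the form tag closed early by the raw value, and the third shows every special character encoded as an entity. In practice the simplest defence is not to echo PHP_SELF at all: an empty action, or a hard-coded script path, posts back to the same script without reflecting any part of the request URL.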