[ubuntu-hardened] ubuntu 8.04 default PHP install

Kees Cook kees at ubuntu.com
Thu Sep 18 19:09:29 BST 2008


On Wed, Sep 17, 2008 at 10:04:12PM -0400, Dan Guido wrote:
> Does Ubuntu package PHP in such a way that simple tick marks used in
> sql injection attacks are automatically escaped? I see that you
> patched PHP with the hardened-php patch and included the Suhosin
> module, however, I was unaware they had any such functionality.
> I'm trying to make an example SQL injection for a class and the script
> I have is *clearly* vulnerable however the parameters are still being
> escaped.

The upstream default for PHP is to enable "magic quotes" (it is not
something specific to Ubuntu).  More documentation is here:



Kees Cook
Ubuntu Security Team
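The behaviour Kees describes (PHP's magic_quotes_gpc silently running addslashes() over every GET/POST/cookie value) is shown in the added example below, which is not code from the thread or from Ubuntu's PHP packaging. It assumes PHP 5.x (magic_quotes_gpc was deprecated in 5.3 and removed in 5.4, and get_magic_quotes_gpc() itself is gone in PHP 8), and the DSN, credentials and table name are placeholders. It also goes one step beyond the thread: rather than just observing the escaping, it normalises the input back to what the user actually sent and then uses a prepared statement, so the query is safe whether magic quotes is on or off.

```php
<?php
// Added example (not from the mailing-list thread). Assumes PHP 5.x, where
// magic_quotes_gpc still exists; DSN/credentials/table below are placeholders.

// With magic_quotes_gpc=On, PHP has already run addslashes() over every
// element of $_GET, $_POST and $_COOKIE before the script starts, so a
// submitted value of   O'Brien   arrives as   O\'Brien.
// This is why a deliberately "vulnerable" demo script can look safe.
// Undo it so the application always sees the raw user input.
function undo_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Constructed sample input standing in for a form submission.
$username = isset($_GET['user']) ? $_GET['user'] : "O'Brien";

// Insecure pattern, shown only for contrast: building SQL by concatenation.
// Magic quotes merely masks the defect; it breaks as soon as the setting is
// off, input arrives by another path (a database read, a file), or the
// database uses a different quoting convention.
// $sql = "SELECT id FROM users WHERE name = '" . $username . "'";

// Correct: a prepared statement keeps data and SQL separate regardless of
// the magic_quotes_gpc setting.
$pdo = new PDO('mysql:host=localhost;dbname=example_db', 'example_user', 'example_pass');
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
$stmt->execute(array(':name' => $username));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

var_dump($row);
```

To check the effective setting for the SAPI that actually serves the page, read it from a script (`var_dump(get_magic_quotes_gpc());` or `ini_get('magic_quotes_gpc')`) rather than from the CLI, since the CLI and the web server can load different php.ini files. Turning it off is `magic_quotes_gpc = Off` in the relevant php.ini; the setting is PHP_INI_PERDIR, so it cannot be changed with ini_set() at runtime, which is why the script above undoes it with stripslashes() instead.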
