[ubuntu-hardened] ubuntu 8.04 default PHP install

Kees Cook kees at ubuntu.com
Thu Sep 18 19:09:29 BST 2008


Hi,

On Wed, Sep 17, 2008 at 10:04:12PM -0400, Dan Guido wrote:
> Does Ubuntu package PHP in such a way that simple tick marks used in
> sql injection attacks are automatically escaped? I see that you
> patched PHP with the hardened-php patch and included the Suhosin
> module, however, I was unaware they had any such functionality.
> 
> I'm trying to make an example SQL injection for a class and the script
> I have is *clearly* vulnerable however the parameters are still being
> escaped.

The upstream default for PHP is to enable "magic quotes" (it is not
something specific to Ubuntu).  More documentation is here:

http://us.php.net/get-magic-quotes-gpc

-Kees

-- 
Kees Cook
Ubuntu Security Team
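
Worked example, added here and not part of Kees's reply or of Ubuntu's PHP packaging: what magic_quotes_gpc does to the parameter Dan describes, how a classroom script can reverse it so it behaves as written, and the fix that does not depend on escaping at all. It assumes a PHP 5.x-era interpreter with the pdo_sqlite extension; the table, its rows and the attacker string are constructed for the demonstration.

```php
<?php
// Added illustration of the magic_quotes_gpc behaviour discussed above; not
// code from the thread or from Ubuntu's PHP packaging. Assumes a PHP 5.x-era
// interpreter with the pdo_sqlite extension; the table, the row data and the
// attacker string are constructed for the demonstration.

// Recursively undo the addslashes() that magic_quotes_gpc applies to every
// GET/POST/COOKIE value before the script runs.
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// What a classroom script has to do at the top so its input arrives
// unmodified. magic_quotes_gpc is PHP_INI_PERDIR: it cannot be turned off
// with ini_set() at runtime, only in php.ini or via php_flag in .htaccess,
// so detecting and reversing it is the portable option. The function_exists()
// guard keeps this file loadable on PHP >= 8, where get_magic_quotes_gpc()
// no longer exists.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

// Offline simulation of the same round trip on a constructed payload.
$raw      = "' OR '1'='1";     // constructed attacker input
$received = addslashes($raw);  // what $_GET['user'] holds under magic quotes: \' OR \'1\'=\'1
$user     = undo_magic_quotes($received);

// Query built by concatenation with the magic-quoted value. Backslash
// escaping is MySQL-style: MySQL reads \' as a literal quote, so the
// tautology stays inside the string literal and the class saw no injection.
// SQLite gives backslash no meaning (it only accepts doubled quotes), so the
// same text is a syntax error there, which is why it is only shown, not run.
$quoted_sql = "SELECT name FROM users WHERE name = '" . $received . "'";
echo "with magic quotes:    $quoted_sql\n";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT, secret TEXT)");
$db->exec("INSERT INTO users VALUES ('alice', 's3cret')");
$db->exec("INSERT INTO users VALUES ('bob', 'hunter2')");

// 1. Deliberately vulnerable: concatenation with the real input. The
//    attacker's quote closes the literal and OR '1'='1' matches every row.
$vulnerable_sql = "SELECT name FROM users WHERE name = '" . $user . "'";
echo "without magic quotes: $vulnerable_sql\n";
$rows = $db->query($vulnerable_sql)->fetchAll(PDO::FETCH_COLUMN);
echo "vulnerable query matched " . count($rows) . " row(s)\n";

// 2. The fix that does not depend on magic quotes, addslashes() or the
//    database's quoting dialect: a prepared statement with a bound parameter,
//    so the input is never parsed as SQL.
$stmt = $db->prepare("SELECT name FROM users WHERE name = ?");
$stmt->execute(array($user));
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "prepared statement matched " . count($rows) . " row(s)\n";
```

Run it with the php CLI. Two caveats worth keeping in mind when teaching with this: magic quotes only ever touched quote characters, so a query like "WHERE id = $id" with an unquoted numeric parameter was never protected by it, and the feature was deprecated in PHP 5.3 and removed in 5.4, after which get_magic_quotes_gpc() always returns false. Prepared statements are the fix in both cases.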