[TYPO3-core] PHP requirement version for TYPO3 4.0
Robert Lemke
robert at typo3.org
Tue Jan 3 11:58:02 CET 2006
Hi Martin,
On Tuesday 03 January 2006 11:34, Martin Kutschker wrote:
> > BTW: Can you show me any example where addslashes does not have the
> > same effect like mysql_real_escape_string? I tried hard, together with
> > Kasper, but couldn't find any.
>
> It's an obscure setting that affects addslashes: magic_quotes_sybase
>
> http://bugs.typo3.org/view.php?id=1354
Well, I know Dmitry's bug report but couldn't reproduce what he wrote:
> Imagine SQL query:
> SELECT * FROM customers WHERE name = '$name'
>
> Let's set $name to
> \''; DROP TABLE users; --
>
> and apply addslashes() to it. Then we have a query:
> SELECT fieldlist FROM customers WHERE name = '\''''; DROP TABLE
> users; --'
Have you tried that? If I use addslashes over $name I get this result:
\\\'\'; DROP TABLE users; --
And this returns TRUE:
mysql_real_escape_string ($name) === addslashes ($name)
> http://at.php.net/manual/en/function.addslashes.php
Yeah, I know ...
> http://at.php.net/manual/en/ref.sybase.php#ini.magic-quotes-sybase
So, does that mean we raise the PHP requirement because of a Sybase .ini
setting although we don't support Sybase?
robert
--
Robert Lemke
TYPO3 Association - Research & Development
Member of the board
http://association.typo3.org
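
The two results discussed in this message can be compared side by side. The following is an added example, not code from the thread, PHP or TYPO3: the escaping functions and the literal reader are simplified Python models (single-byte character set, MySQL backslash escapes enabled), with magic_quotes_sybase modelled by the `sybase` flag.

```python
# Added illustration: simplified models, not the PHP or MySQL implementations.
SAMPLE = "\\''; DROP TABLE users; --"  # the $name value from the quoted bug report

def addslashes(s, sybase=False):
    """Model of PHP addslashes(); sybase=True models magic_quotes_sybase=On."""
    if sybase:
        # Sybase mode doubles single quotes and leaves backslashes untouched.
        return s.replace("\0", "\\0").replace("'", "''")
    out = []
    for ch in s:
        if ch == "\0":
            out.append("\\0")
        elif ch in "\\'\"":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def mysql_real_escape_string(s):
    """Model of the escaping for a single-byte connection character set."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\x1a": "\\Z",
             "\\": "\\\\", "'": "\\'", '"': '\\"'}
    return "".join(table.get(ch, ch) for ch in s)

def read_literal(sql):
    """Read one '...' literal the way MySQL does with backslash escapes enabled.
    Returns (decoded value, text left over after the closing quote).
    The \\% and \\_ special cases are not modelled."""
    if not sql.startswith("'"):
        raise ValueError("literal must start with a single quote")
    unescape = {"0": "\0", "b": "\b", "n": "\n", "r": "\r", "t": "\t", "Z": "\x1a"}
    value, i = [], 1
    while i < len(sql):
        ch = sql[i]
        if ch == "\\" and i + 1 < len(sql):
            value.append(unescape.get(sql[i + 1], sql[i + 1]))
            i += 2
        elif ch == "'" and sql[i + 1:i + 2] == "'":
            value.append("'")  # a doubled quote is one literal quote
            i += 2
        elif ch == "'":
            return "".join(value), sql[i + 1:]
        else:
            value.append(ch)
            i += 1
    raise ValueError("unterminated literal")

def survives(escaped, original):
    """True when the escaped value decodes to the input with nothing after it."""
    value, rest = read_literal("'" + escaped + "'")
    return value == original and rest == ""
```

With the default mode both functions produce the string Robert reports and it round-trips intact; with the Sybase mode the output matches the query in the bug report and the literal closes early.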