I guess i could explain further... say you got
Code:
$name = $_POST['name'];
$sql = "SELECT * FROM table WHERE name = '$name';
if a user submits his name as (forgive my syntax on droping i know its wrong)
Code:
blahblahblah'; DROP ALL TABLES;--
then when it gets plugged into $sql you would get
Code:
SELECT * FROM table WHERE name = 'blahblahblah'; DROP ALL TABLES;--'
the -- at the end would comment out the trailing quote. If magic quotes is on, or you use the code in the first post it will add a / before any quote or /. So with magic quotes on you would get
Code:
SELECT * FROM table WHERE name = 'blahblahblah/'; DROP ALL TABLES;--'
That would cause an error and none of the sql gets executes saving your database.
I don't mean any harm to anyones database by posting this, i'm only posting it cause there is a work around, or so you can take the tool down if you are worried. Probably everyone will find that they aren't vulnerable since its default behavior, but need to be aware that when PHP6 comes out that magic quotes will be no longer there as far as i know. As far as I know the code up top will still work in php6.
Sometime in the next few week or next month I will be rewriting the tool from the ground up and including it in magelo with a good ammount of security on it. Sorry it will be slow to get out, i'm changing alot of core features of the magelo clone and want to really test it well.
Threaded Mode
