PHP : Unsafe sanitization (magic quotes)
Classification
Overview
When the magic_quotes_gpc and magic_quotes_runtime options are enabled, PHP sanitizes single quotes, double quotes, backslashes and NULL characters: magic_quotes_gpc applies to data received from the network (GET, POST and cookies, abbreviated GPC), and magic_quotes_runtime applies to data from other sources (databases, the file system, runtime). This sanitization does not even achieve its original purpose of protecting against SQL injection, and it is even less useful for preventing other network attacks.
Because they provide an insufficient level of protection, both of these options have been deprecated and removed from PHP 6.
Enabling the magic_quotes_sybase option completely disables magic_quotes_gpc, that is, double quotes, backslashes and NULL characters will not be sanitized. If either magic_quotes_gpc or magic_quotes_runtime is enabled, single quotes are then sanitized by adding a second single quote instead of a backslash.
The magic_quotes_sybase option has been deprecated since PHP 5.3.0 and was removed in PHP 5.4.0.
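The two escaping modes described above, next to parameter binding, as an added example that is not part of the original page. The helper magic_quotes_escape is hypothetical and reproduces the behaviour as this page describes it, the sample values are constructed, and the PDO SQLite driver is assumed to be available.

```php
<?php
// Hypothetical helper: reproduces by hand the escaping the page describes,
// because the magic quotes directives are absent from current PHP.
function magic_quotes_escape(string $value, bool $sybase): string
{
    if ($sybase) {
        // magic_quotes_sybase on: only single quotes change, by doubling.
        return str_replace("'", "''", $value);
    }
    // Default: backslash before single quote, double quote, backslash, NUL.
    return addslashes($value);
}

// Constructed sample inputs.
$samples = ["O'Reilly", 'say "hi"', 'C:\\temp', '1 OR 1=1'];
foreach ($samples as $s) {
    printf("%-10s default: %-12s sybase: %s\n", $s,
        magic_quotes_escape($s, false), magic_quotes_escape($s, true));
}

// The last sample holds none of the escaped characters, so both modes return
// it unchanged: escaping protects nothing when a value is concatenated into
// a query outside a quoted string.
var_dump(magic_quotes_escape('1 OR 1=1', false) === '1 OR 1=1');

// Hardened form: bind values as parameters so they are never parsed as SQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (['alice', "O'Reilly"] as $name) {
    $insert->execute([':name' => $name]); // stored verbatim, no escaping step
}

$select = $db->prepare('SELECT name FROM users WHERE id = :id');
foreach (['2', '1 OR 1=1'] as $id) {
    $select->execute([':id' => $id]);
    printf("id=%-10s rows: %s\n", $id, json_encode($select->fetchAll(PDO::FETCH_COLUMN)));
}
```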
