Date: Mon, 26 Feb 2001 12:43:15 -0800 From: Joe <joe@blarg.net> Subject: Re: Yet another hole in PHP-Nuke To: BUGTRAQ@SECURITYFOCUS.COM On Sat, 24 Feb 2001, Joao Gouveia wrote: > The same two tests aplied to an include($string) > magic_quotes_gpc On, output: Warning: Failed opening 'tes\0t' for > inclusion > magic_quotes_gpc Off, output: Warning: Failed opening 'tes' for > inclusion > So, everything after the NULL was ignored. > > Of course, one that who uses magic_quotes_gpc turned on isn't expecting this > kind of behaviour. On a side note to other PHP developers, if your code is expecting Magic Quotes to be on, then there's no reason for this particular problem as Magic Quotes can be programatically controlled: if( ! get_magic_quotes_gpc() ) { set_magic_quotes_runtime(1) or die("could not enable magic quotes"); } Anyone using PHP should have this bit-o-code somewhere near the start of program execution, since few servers are ever built with the same features or options enabled it just makes sense to check for the stuff your code needs - especially since magic quotes can help make exploiting a PHP script much more difficult. -- Joe Technical Support General Support: support@blarg.net Blarg! Online Services, Inc. Voice: 425/401-9821 or 888/66-BLARG http://www.blarg.net