I'm not exactly sure but I thought it was 'defined' in the post: Use of parameters for mysql_query
Excerpt (see point 2):
magic_quotes_gpc
automatically
escapes things you receive in requests
from clients... but it cannot detect
so-called second-level injections:
- You get a malicious query from a client and store its contents in the
database.
magic_quotes_gpc
prevents
SQL injection; the malicious string
gets stored correctly.
- Later on, you fetch this string from the database and include it in
another query. Now the string didn't
come out of a request, so
magic_quotes_gpc
doesn't escape the
string. Voilà, SQL injection; your
data is now probably gone.
Here's another I've googled (http://www.osix.net/modules/article/?id=624):
Beware that variables inside a stored
procedure aren't always immune to SQL
Injection either. If the stored
procedure contains constructs that add
a second level of parsing, such as
EXEC on a string in MS SQL Server, you
will have to handle metacharacters
again. This time inside the stored
procedure.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…