unmagicquotes: add ref + discussion

[noraj]

1. I added this ref that it explains the vulnerability better than the original

2. Should we add dependency on the DBMS MySQL since I saw only paper talking about this behavior in MySQL? Should we add another dependency on the char encoding because it is documented to work with Big5, GBK, and SJIS and others but not UTF-8 for example.

3. As the condition is written only the 1st single quote is replaced and not all occurrences, this modification to the code would allow to replace all single quotes:

-if payload[i] == '\'' and not found:
+if payload[i] == '\'':

With and without the modification:

1982347827 AND SUBSTR((SELECT HEX(COALESCE(CAST(COUNT(tbl_name) AS TEXT),CAST(X%bf%27 AS TEXT))) FROM sqlite_master WHERE type=CAST(X%bf%277461626c65%bf%27 AS TEXT)),1,1)>CAST(X%bf%2701%bf%27 AS TEXT)-- -

1982347827 AND SUBSTR((SELECT HEX(COALESCE(CAST(COUNT(tbl_name) AS TEXT),CAST(X%bf%27 AS TEXT))) FROM sqlite_master WHERE type=CAST(X'7461626c65' AS TEXT)),1,1)>CAST(X'01' AS TEXT)-- -

Or is it on purpose that only the 1st occurrence is replaced? Because I never read something about that.

[Imran-imtiaz48]

Review Analysis:

1. Reference Expansion:
   o The addition of a new reference (https://lonewolfzero.wordpress.com/2017/07/03/addslashes-multibyte-sql-injection-mysql-and-php-case-study/) in the new code shows an effort to enhance the understanding and implementation of the tamper function related to SQL injection prevention. This is a positive improvement as it enriches the context and knowledge base for potential users.
2. Code Functionality:
   o Both old and new codes generate the same output for the given input ("1' AND 1=1"), suggesting that the core functionality remains unchanged. This consistency is essential for maintaining reliability across versions.
   Improvement Suggestions:
3. Documentation Enhancement:
   o Ensure that the documentation within the repository clearly explains how the tamper function works, its purpose, and the rationale behind the chosen approach to SQL injection prevention. This could include examples, usage scenarios, and potential risks.
4. Code Modularity and Extensibility:
   o Consider refactoring the code to improve modularity and extensibility. For instance, separating the SQL injection prevention logic into a reusable module or function could enhance maintainability and facilitate easier updates or additions in the future.
5. Testing and Validation:
   o Implement comprehensive unit tests to verify the functionality of the tamper function across different edge cases and scenarios. This ensures robustness and reliability, especially in security-sensitive functionalities like SQL injection prevention.
6. Community Engagement:
   o Encourage community feedback and contributions by clearly outlining guidelines for reporting issues, suggesting improvements, and contributing code enhancements. This can foster a collaborative environment and lead to further improvements over time.
   Conclusion:
   The addition of a new reference in the updated code demonstrates a proactive approach to improving documentation and knowledge base. To further enhance the repository, focus on improving documentation clarity, ensuring code modularity, rigorous testing, and fostering community engagement.