April 2006 - Developers - lists.phpmyadmin.net

[Phpmyadmin-devel] Re: phpMyAdmin 'sql_query' Cross-Site Scripting and SQL Code Execution
by Sebastian Mendel 20 Apr '06

20 Apr '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Garvin Hicking schrieb: > Hi! > >>> i don't know ... if this is really a security problem we should consider give >>> our forms a token - and proceed only with valid token >> IMHO SQL should be escaped (and I wonder it is not). > > Actually that's not a solution to the problem. PMA needs to be fed SQL commands, > and we need to accept the via POST. yes, but we should escape it before displaying in browser > The only way to not allow XSRF/CSRF is to put tokens into the form. BUT putting > token into the form means to things: > > 1. We need to utilize sessions. Only via sessions, form tokens could be easily > implemented, because a server-token needs to be compared with a client-token. sessions already utilized > 2. Implementing the tokens might be needed on virtually every <form> PMA has. > That'a a buttload full of work to do. ;) this can easily be implemented via PMA_generate_common_hidden_inputs(); also this token needs to be sent with get-requests/links - -- Sebastian Mendel www.sebastianmendel.de -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) iD8DBQFER0dNX/0lClpZDr4RAmOiAJoD8jw4y+7/2/ieyeBkkx++iEB+NACfQxUL JN5eU9DXDHT79piRTZxem4c= =qRtC -----END PGP SIGNATURE-----

3 3

[Phpmyadmin-devel] 2.8.1-rc1 today?
by Marc Delisle 19 Apr '06

19 Apr '06

Are you ready? Marc

2 1

[Phpmyadmin-devel] mysqli problem
by Marc Delisle 15 Apr '06

15 Apr '06

Hi, please try this: echo MYSQLI_TYPE_TINY . " " . MYSQLI_TYPE_CHAR; On my server (client lib 4.1.12) I get 1 1 This means I cannot detect correctly a TINYINT, leading to a weird $primary_key condition that thinks it has to convert a string. Marc

1 0

[Phpmyadmin-devel] wired dblist stuff ...
by Sebastian Mendel 13 Apr '06

13 Apr '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, did i miss something or is a call to PMA_safe_db_list(true, ...) absolute senseless? - -- Sebastian Mendel www.sebastianmendel.de -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) iD8DBQFEPofYX/0lClpZDr4RAn3hAJ4rU0aSappmh321HmmXxrWhUFYeoACgp1qk wQMtkfBw9HBaL8JmMMQhhMI= =+kCM -----END PGP SIGNATURE-----

2 1

[Phpmyadmin-devel] improve listing in server_databses.php
by Sebastian Mendel 13 Apr '06

13 Apr '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi, can you please test the server_databases.php? the list is now limited to $GLOBALS['cfg']['MaxDbList'] and has navigation the most speed improvement should be for MySQL 5 and natural order disabled in phpMyAdmin - -- Sebastian Mendel www.sebastianmendel.de -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) iD8DBQFEPlfGX/0lClpZDr4RAmXYAKCvrszjtvZKBJlOoeOoo9k7SsnEdwCgt7m1 BvjFUYLQrHTeMFrllKuTSWo= =1c+i -----END PGP SIGNATURE-----

2 12

[Phpmyadmin-devel] 20 seconds lost in header_meta_style.inc.php
by Marc Delisle 13 Apr '06

13 Apr '06

Hi, trying to debug the case of slow behavior with 4400 databases. http://sourceforge.net/tracker/index.php?func=detail&aid=1466527&group_id=2… In header.inc.php: require_once './libraries/header_http.inc.php'; echo "trace before"; require_once './libraries/header_meta_style.inc.php'; echo "trace after"; When I click a db name on the left panel, I get 20 seconds between the "before" and "after". Can't find what is happening in header_meta_style.inc.php. There are some calls to PMA_generate_commun_url() but it does not seem to be the problem. Of course, on a server with 20 databases the transition between "before" and "after" is immediate. Ideas, someone? Marc

3 6

[Phpmyadmin-devel] how do you collect the changes pointed out in release note?
by Sebastian Mendel 13 Apr '06

13 Apr '06

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi (Marc), how do decide or where do you look for the changes you note in the release note? just to be sure if i commit something and i think its important it is noted in the release note. - -- Sebastian Mendel www.sebastianmendel.de -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) iD8DBQFEPizfX/0lClpZDr4RAqFSAJ9C/UZOS0DdY8Mg0cbcUJqfGeKHIwCfeni8 XEAdX4eQKm2QxAjtBW0UAs8= =na7r -----END PGP SIGNATURE-----

2 1

[Phpmyadmin-devel] QA_2_8 & HEAD: browsing broken
by Marc Delisle 12 Apr '06

12 Apr '06

Hi, looks like today's commits broke something. Trying to browse a table: Warning: mysqli_fetch_fields() [function.mysqli-fetch-fields]: Couldn't fetch mysqli_result in /libraries/dbi/mysqli.dbi.lib.php on line 399 Notice: Trying to get property of non-object in /libraries/display_tbl.lib.php on line 127 I get problems in mysql or mysqli. Confirm, anyone? Marc

3 5

[Phpmyadmin-devel] CVS -> subversion test migration completed
by Marc Delisle 12 Apr '06

12 Apr '06

Hi, our CVS has been migrated to https://svn.sourceforge.net/svnroot/phpmyadmin. Remember, this is for test purposes only. I think it's better to not activate the "subversion" menu on our project page for now. SVN data is accessible even without this menu being active. Marc

3 7

[Phpmyadmin-devel] Subversion?
by Michal Čihař 12 Apr '06

12 Apr '06

Hi all what about moving to subversion? ;-) It is a bit better than CVS (eg. handles renames, handles changesets per repository and not per file), SF provides migration, there should be no delay between anonymous and developer access (there is single server for both). -- Michal Čihař | http://cihar.com

2 4