- Developers - lists.phpmyadmin.net

[Phpmyadmin-devel] rc2-ready ?
by Olivier M. 15 Jul '01

15 Jul '01

Hallo, Just came back from week-end. Is the cvs tree "rc2-ready", or should I rather wait until the "Big Problem-bug" is solved ? :) Greetings from a 200% rainy day in Switzerland, Olivier -- _________________________________________________________________ Olivier Mueller - om(a)8304.ch - PGPkeyID: 0E84D2EA - Switzerland qmail projects: http://omail.omnis.ch - http://webmail.omnis.ch

1 0

[Phpmyadmin-devel] Re: Big problem :(
by Loïc 14 Jul '01

14 Jul '01

Hi Jocelyn! >In this case, why not trying : >$variable=preg_replace("/&#/","&#",$variable); >I think it's a good turnaround for the < and > problem. Well that's not really the problem: using 'htmlspecialchars' each time a field value is passed by url or by a form means that (from the php manual): '&' (ampersand) becomes '&' '"' (double quote) becomes '"' when ENT_NOQUOTES is not set. ''' (single quote) becomes ''' only when ENT_QUOTES is set. '<' (less than) becomes '<' '>' (greater than) becomes '>' As you can see the result is that, depending on some configuration settings (first annoyance), cetrains values will contain '&#', others '&' only. But there is a second problem: if you submit from the dedicated textarea the query: "DELETE from a_table WHERE a_field = '<test>'" .... it won't be applied the 'htmlspecialchars' function, but the hidden field defines in the same form does! So a patch for the problem we are facing must take into account the way the query has been submitted. Here is the scheme of what has to be done : 1. since...: - ... the only problem with these html special characters is actually the double quotes when they are contained in the value of a form input... - ... and ENT_NOQUOTES may be set... ... no long use htmlspecialchars but "str_replace('"', '"', $the_value)" and this only if $the_value is used as the value of a form input. 2. When 'sql.php3' is run and for each of the variables this script is sent, detect if the variable has been submitted as a predefined value of a form and, in this case, do a "str_replace('"', '"', $the_value)" to use this value in the SQL query. As you may imagine, that's not so trivial to do! Loïc ______________________________________________________________________________ ifrance.com, l'email gratuit le plus complet de l'Internet ! vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP... http://www.ifrance.com/_reloc/email.emailif

1 0

[Phpmyadmin-devel] Big problem :(
by Loïc 14 Jul '01

14 Jul '01

Hi all! I have to test it some more more time and with the 2.1.0 old release, but it seems there is a big problem with the script: it uses everywhere the 'htmlspecialchars' function and then can returns valid rows from the db when this rows contains one of these html special characters. Ex: if one set a field with the value "<test>", he can't delete/modify it from the links at the browse table because the parameter passed by url is "& lt;test >". This is also the case with values stored in hidden form fields. This is really annoying because if this problem is confirmed, it means near all of the scripts will have to be modified to fix it and we will restart testings from scartch :( Loïc, disapointed! ______________________________________________________________________________ ifrance.com, l'email gratuit le plus complet de l'Internet ! vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP... http://www.ifrance.com/_reloc/email.emailif

2 1

[Phpmyadmin-devel] attention - warning - worm I-Worm.Badtrans
by Marc Delisle 14 Jul '01

14 Jul '01

Hi, I warn all members of the phpmyadmin-devel list, that we are receiving from info(a)dizayn.com copies of the messages sent to the list, with a worm in them. Thanks. Marc.

2 2

[Phpmyadmin-devel] documentation.html and adv. auth
by Marc Delisle 13 Jul '01

13 Jul '01

Hi, I would like to rephrase this part of Documentation.html: ----------------- If other people have telnet access to your server, it's not a good idea to store the MySQL password in clear text in your config.inc.php3 file. You should use phpMyAdmin's advanced authentification feature in this case. ------------------ Please look at this question: http://www.phpwizard.net/phorum/read.php?f=1&i=4087&t=4087 and check/comment my answer. Marc.

1 0

[Phpmyadmin-devel] testing bookmarks
by Marc Delisle 13 Jul '01

13 Jul '01

Hi, what are the privileges required for a normal user X to be able to use the bookmark features? I added select, insert, update, delete, index, alter to this user X for database bookmark, table bookmark, and he does not see the bookmarks. However a user A with global privileges was able to create bookmarks on the database X. User X, in mysql, can see the bookmarks. Marc.

3 2

[Phpmyadmin-devel] new patch for dump limit & CSV
by Marc Delisle 13 Jul '01

13 Jul '01

Hi, The recently integrated patch does not currently limit CSV data. Was it supposed to only work for ordinary dumps (INSERT)? If yes, it would be better to show that those 2 fields are not for CSV. Marc

1 0

[Phpmyadmin-devel] cvs tree change phpMyAdmin-devel -> phpMyAdmin
by Olivier M. 13 Jul '01

13 Jul '01

As you probably noticed, the SF staff finally processed my support query, and now there is only one CVS tree: "phpMyAdmin". To continue to use your work tree @home, just update the "Repository" file in every CVS/ directory, or start with a new cvs checkout. Just updated all the links under http://phpmyadmin.sourceforge.net and the devel-demo is now running under http://phpmyadmin.sourceforge.net/phpMyAdmin/ Just had a week full of exams, and now a "familly-weekend", so see you on sunday evening for the rc2 :-). Regards and have a nice week-end! Olivier -- _________________________________________________________________ Olivier Mueller - om(a)8304.ch - PGPkeyID: 0E84D2EA - Switzerland qmail projects: http://omail.omnis.ch - http://webmail.omnis.ch

1 0

Re: [Phpmyadmin-devel] Two big bugs
by Loïc 13 Jul '01

13 Jul '01

Hi Olivier! >what about adding the limit instruction only if it is not in the >query string yet ? would just be a regexp... Already done in the CVS ;) Loïc ______________________________________________________________________________ ifrance.com, l'email gratuit le plus complet de l'Internet ! vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP... http://www.ifrance.com/_reloc/email.emailif

1 0

[Phpmyadmin-devel] Two big bugs
by Loïc 13 Jul '01

13 Jul '01

Hi All! Here are two really annoying bugs I've been reported: 1. select * from aTable where afield <123 select * from aTable where afield like "arg" Before these kind of queries are submitted to MySQL, the 'htmlspecialchars' function is applied on them (db_readdump.php3, line 62). Then the '<' and '"' characters are replaced by their html entities and, of course, MySQL fails to run the transformed query. The question is: does anyone of you knows why the 'htmlspecialchars' funtion is applied at this stage? I've just tried to comment this line and can't face any problem! 2. select * from link LIMIT 1,5 This kind of query always fails because of an invalid derived query at lines 82-94 in sql.php3 Greets, Loïc ______________________________________________________________________________ ifrance.com, l'email gratuit le plus complet de l'Internet ! vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP... http://www.ifrance.com/_reloc/email.emailif

5 6