Hi!

>> Actually that's not a solution to the problem. PMA needs to be fed SQL
>> commands, and we need to accept them via POST.
> yes, but we should escape it before displaying in browser

Ah, I overread that. Yes, escaping SQL when displaying it would be wise.
>> 1. We need to utilize sessions. Only via sessions could form tokens be
>> easily implemented, because a server-token needs to be compared with a
>> client-token.
> sessions already utilized

Seems I missed that, too. Since when does PMA use sessions, and what are they
currently used for? Did I also miss session saving of large SQL queries when
browsing rows to get rid of the "?" editing buttons and max-GET-length exceeded
problems?
Best regards,
Garvin

--
++ Garvin Hicking | Web developer [PHP] | www.garv.in | ICQ 21392242
++ Developer of | www.phpMyAdmin.net | www.s9y.org
++ Make me happy | http://wishes.garv.in
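The two points the thread raises (escape the submitted SQL before echoing it back into the page, and bind a form token to the server-side session and compare it with the client's copy) as an added example. This is illustration code written for this page, not phpMyAdmin's own implementation; the function names, the `form_token` session key, the `sql_query` / `token` field names and the sample query are all assumptions, and `$session` is passed as an array so the script runs from the CLI (in a web request you would pass `$_SESSION`).

```php
<?php
// Added example (not phpMyAdmin code): output escaping plus a session-bound form token.

// Escape arbitrary text (e.g. a submitted SQL statement) before echoing it into HTML,
// so markup inside the query is shown literally instead of being rendered.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Issue one random token per session and keep the server copy in the session store.
// $session stands in for $_SESSION so the example runs from the CLI (assumption).
function issueFormToken(array &$session): string
{
    if (empty($session['form_token'])) {
        $session['form_token'] = bin2hex(random_bytes(32));
    }
    return $session['form_token'];
}

// Compare the token the client sent back (hidden form field) with the server copy.
// hash_equals() does a constant-time comparison, so the check does not leak timing.
function checkFormToken(array &$session, ?string $clientToken): bool
{
    if (!isset($session['form_token']) || $clientToken === null) {
        return false;
    }
    return hash_equals($session['form_token'], $clientToken);
}

// Constructed demo input: a query that contains markup.
$session = [];
$token   = issueFormToken($session);
$sql     = "SELECT * FROM users WHERE name = '<script>alert(1)</script>'";

// Render the form: the token travels in a hidden field, the SQL is escaped on output.
echo '<form method="post" action="sql.php">' . "\n";
echo '  <input type="hidden" name="token" value="' . escapeForHtml($token) . '">' . "\n";
echo '  <textarea name="sql_query">' . escapeForHtml($sql) . '</textarea>' . "\n";
echo "</form>\n";

// Simulated POST handling: the SQL is accepted only when the token matches.
$post = ['token' => $token, 'sql_query' => $sql];
var_dump(checkFormToken($session, $post['token']));
var_dump(checkFormToken($session, 'forged-token-value'));
```

The token is generated once per session and reused for every form, which is enough to tie a POST to the session that rendered the form; the escaping is applied at output time, not when the query is stored, so the SQL handed to the database stays untouched.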