Hi!
Actually that's not a solution to the problem. PMA needs to be fed SQL commands, and we need to accept the via POST.
yes, but we should escape it before displaying in browser
Ah, I overread that. Yes, escaping SQL when displaying it would be wise.
1. We need to utilize sessions. Only via sessions, form tokens could be easily implemented, because a server-token needs to be compared with a client-token.
sessions already utilized
Seems I missed that, too. Since when does PMA use sessions, and what are they currently used for? Did I also miss session saving of large SQL queries when browsing rows to get rid of the "?" editing buttons and max-GET-length exceeded problems? Best regards, Garvin -- ++ Garvin Hicking | Web-Entwickler [PHP] | www.garv.in | ICQ 21392242 ++ Developer of | www.phpMyAdmin.net | www.s9y.org ++ Make me happy | http://wishes.garv.in