Hi
On Tue, 4 Mar 2008 11:40:41 +0100 (CET) "Thijs Kinkhorst" thijs@debian.org wrote:
> I noticed the newly introduced warning that phpMyAdmin emits when Suhosin is enabled in PHP. I expect that Suhosin will be enabled more and more, because the demands on security of web applications are ever increasing. It provides valuable protection of PHP which doesn't have the best security history. For example Debian's next release will have Suhosin enabled by default, and other distributions are doing or have already done the same. So I doubt that adding such a warning is a viable solution to the problem.

Even if we find a solution for tables without indexes, the warning will have to stay there. For example if you edit several rows from a table, you can quite easily reach the limit for the number of parameters or the request size, and there is no workaround for this.

> The problem seems to be that when a table doesn't have a key defined, phpMyAdmin encodes the entire row in the request URL, in order to make sure to match the right row. Suhosin trips over this when that URL gets very long.

> I propose to resolve this problem in a different way. Wouldn't it be an idea to take the contents of the entire row, run it through md5() or sha1(), and pass that in the URL? This value could then be used in the query when specifying something like "WHERE MD5(CONCAT(field1,field2,field3)) = url_submitted_md5"? This would, in my opinion, resolve the problem in a more elegant way that works for all configurations. Even when not having Suhosin enabled, passing a URL many kilobytes long isn't desirable anyway.

> Of course you could only do this when the row length exceeds some minimum length, if you want to.

I think this is a good idea for how to handle tables without a primary key.
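As an added example (not code from this thread or from phpMyAdmin), the row-hash proposal worked through in Python: the first function mirrors the MD5(CONCAT(...)) expression quoted above, the second shows why field boundaries and NULL need an explicit encoding before hashing, and the third builds the matching MySQL WHERE clause. The function names and the length-prefixed encoding are my own; the SQL assumes UTF-8 columns so that MySQL's LENGTH() and SHA1() see the same bytes Python hashes.

```python
import hashlib

# Constructed sample rows for a table with no key. The pair is the classic
# boundary ambiguity of bare CONCAT: 'ab'+'c' and 'a'+'bc' both give 'abc'.
ROW_A = ["ab", "c"]
ROW_B = ["a", "bc"]


def naive_concat_md5(row):
    """Mirror of MySQL MD5(CONCAT(f1, f2, ...)) as proposed in the thread.

    Fields are glued together with no separator, so distinct rows can hash
    equal. As in MySQL, a NULL field makes the whole CONCAT (and hash) NULL.
    """
    if any(v is None for v in row):
        return None
    return hashlib.md5("".join(row).encode("utf-8")).hexdigest()


def row_fingerprint(row):
    """Unambiguous variant (hypothetical encoding, not phpMyAdmin's): each
    field becomes '<byte length>:<value>', NULL becomes 'N', and the parts are
    joined with '|' before SHA-1. Boundaries are explicit and NULL != ''."""
    parts = ["N" if v is None else "%d:%s" % (len(v.encode("utf-8")), v)
             for v in row]
    return hashlib.sha1("|".join(parts).encode("utf-8")).hexdigest()


def build_where(columns):
    """MySQL expression that matches row_fingerprint() for the given columns.
    LENGTH() counts bytes like len() of the UTF-8 encoding (assumes UTF-8
    column charset); IFNULL turns the NULL that CONCAT() yields for a NULL
    field into the 'N' marker. The submitted hash is bound as a parameter (?),
    never spliced into the query text."""
    exprs = []
    for col in columns:
        ident = "`%s`" % col.replace("`", "``")
        exprs.append("IFNULL(CONCAT(LENGTH(%s), ':', %s), 'N')" % (ident, ident))
    return "WHERE SHA1(CONCAT_WS('|', %s)) = ?" % ", ".join(exprs)


if __name__ == "__main__":
    print("MD5(CONCAT) collides:  ", naive_concat_md5(ROW_A) == naive_concat_md5(ROW_B))
    print("fingerprint differs:   ", row_fingerprint(ROW_A) != row_fingerprint(ROW_B))
    print(build_where(["field1", "field2", "field3"]))
```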