Hi,
I would like to propose some changes to the demo server configuration which would make testing of edge cases a bit easier. Lately I've seen a few bugs related to data escaping which would manifest only in some edge cases, and two issues with AJAX that could have been discovered earlier if the demo server's configuration were changed a bit. Some of them were really old, some relatively new.
1. Data escaping. Everyone seems to remember PMA_backquote() and escaping database data, but htmlspecialchars() for database and column names is sometimes missing, as well as PMA_escapeJsString(). With database `evil*/>` and table `evil'"*/>` (`so_<a'm>*/_i`, `quo"te`, `comm<!-- ent`, `plain`) I immediately broke some functionality (currently I can't recall what it was exactly), and I suppose we can have a few more such cases.
2. `server` variable. The demo server and possibly all students' servers run the MySQL database as server 0, so all cases of a missing variable go unnoticed. For me the fun started with server 1, when phpMyAdmin randomly warned me about missing variables due to a changed security token. After some digging I discovered that this happened due to a missing/broken 'server' argument in an AJAX query, which caused PMA to regenerate this token and rendered some links with the old one unusable.
So, I propose to:
1. Exchange the MariaDB and MySQL databases in the config file.
2. Change automatic login to select the MySQL database, which now has index 1.
3. Create a sample database with tables and columns which are potentially dangerous.
Also, create guidelines for future GSOC with a sample configuration consisting of two servers (the first one can be a broken fake; the student should work with the second one) and an SQL script which creates the tables from point 3 above, with some explanation of escaping and that MySQL identifiers can also contain dangerous data (not a security issue, but it can break page layout).
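An added example, not part of the original message and not phpMyAdmin's own test data: the SQL script that point 3 asks for, built from the database, table and column names the message lists. It adds one column beyond that list, `back``tick`, to exercise backtick doubling as well, and the single inserted row is constructed so that browse and edit pages have something to render.

```sql
-- Editor's fixture (not from the original message or the phpMyAdmin project):
-- a database whose identifiers carry characters that break HTML, JavaScript
-- and CSS contexts whenever an escaping call is missing.
--   '  and  "     break attribute values and JS string literals
--   */            closes a JS or CSS block comment
--   >             closes an HTML tag
--   <!--          opens an HTML comment that swallows what follows
--   `             a backtick inside an identifier is written doubled; this
--                 column is an addition beyond the message's list
DROP DATABASE IF EXISTS `evil*/>`;
CREATE DATABASE `evil*/>`;
USE `evil*/>`;

CREATE TABLE `evil'"*/>` (
  `so_<a'm>*/_i` INT NOT NULL AUTO_INCREMENT PRIMARY KEY,
  `quo"te`       VARCHAR(64),
  `comm<!-- ent` VARCHAR(64),
  `plain`        VARCHAR(64),
  `back``tick`   VARCHAR(64)
) ENGINE=InnoDB;

-- One row of ordinary (constructed) data so that browse/edit views render.
INSERT INTO `evil'"*/>` (`quo"te`, `comm<!-- ent`, `plain`, `back``tick`)
VALUES ('a', 'b', 'c', 'd');

-- Check: every identifier must come back verbatim from the catalogue; a
-- mangled name here means the server, not phpMyAdmin, altered it.
SELECT TABLE_NAME, COLUMN_NAME
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = 'evil*/>'
ORDER BY ORDINAL_POSITION;
```

The database name contains `/`, which MySQL only accepts in a database or table name on servers that encode special characters in the on-disk name (MySQL 5.1.6 and later); on older servers the CREATE DATABASE statement fails and a name without `/` has to be used. Once the script has run, a page that still renders any of these names without htmlspecialchars() or PMA_escapeJsString() will show up as broken markup or a JavaScript error rather than going unnoticed.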