Thijs Kinkhorst wrote:
Hi all,
I noticed the newly introduced warning that phpMyAdmin emits when Suhosin is enabled in PHP. I expect that Suhosin will be enabled more and more, because the demands on security of web applications are ever increasing. It provides valuable protection of PHP which doesn't have the best security history. For example Debian's next release will have Suhosin enabled by default, and other distributions are doing or have already done the same. So I doubt that adding such a warning is a viable solution to the problem.
The problem seems to be that when a table doesn't have a key defined, phpMyAdmin encodes the entire row in the request URL, in order to make sure to match the right row. Suhosin trips over this when that URL gets very long.
I propose to resolve this problem in a different way. Wouldn't it be an idea to take the contents of the entire row, run it through md5() or sha1(), and pass that in the URL? This value could then be used in the query when specifying something like "WHERE MD5(CONCAT(field1,field2,field3)) = url_submitted_md5"? This would, in my opinion, resolve the problem in a more elegant way that works for all configurations. Even when not having Suhosin enabled, passing a URL of many kilobytes long isn't desirable anyway.
Of course you could only do this when the row length exceeds some minimum length if you want to.
What do you think?
Thijs
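An added example of the row-hash lookup proposed above (not code from this thread or from phpMyAdmin): Python with an in-memory SQLite table stands in for PHP and MySQL, and `row_hash`, `naive_hash`, the table `t` and its sample rows are all constructed here. The SQL side gets the same hash function registered so that `WHERE row_hash(...) = ?` computes exactly what the URL side did, which is the role `MD5(CONCAT(...))` would play in MySQL. The example also shows why the fields need a length prefix or separator before hashing: a plain `CONCAT` maps `("ab","c")` and `("a","bc")` to the same string, and `CONCAT` of anything with a NULL is NULL.

```python
import hashlib
import sqlite3

# Constructed sample rows for a table with no primary key (example data, not from the thread).
ROWS = [
    ("alice", "admin", None),
    ("bob", "user", "bob@example.org"),
    ("ab", "c", "x"),
    ("a", "bc", "x"),  # collides with the row above under a plain CONCAT()
]


def row_hash(*values) -> str:
    """Deterministic hash of a whole row, used as a row identifier in a URL.

    Each value is length-prefixed and NULL gets its own tag, so two different
    rows never serialize to the same byte string.  The hash is an identifier,
    not a secret: it only has to be collision-free for correctness.
    """
    h = hashlib.sha1()
    for v in values:
        if v is None:
            h.update(b"N;")
        else:
            data = str(v).encode("utf-8")
            h.update(b"S%d:" % len(data))
            h.update(data)
    return h.hexdigest()


def naive_hash(*values) -> str:
    """MD5(CONCAT(field1,field2,...)) as literally proposed, for comparison."""
    return hashlib.md5("".join(str(v) for v in values).encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build the constructed keyless table and register row_hash() in SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE t (name TEXT, role TEXT, email TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?, ?)", ROWS)
    # SQLite has no MD5(); registering the Python function plays the part
    # MySQL's MD5(CONCAT(...)) would play, so both sides hash identically.
    conn.create_function("row_hash", 3, row_hash, deterministic=True)
    return conn


def find_rows(conn: sqlite3.Connection, token: str) -> list:
    """Select the row(s) whose content hash matches the token from the URL."""
    cur = conn.execute(
        "SELECT name, role, email FROM t WHERE row_hash(name, role, email) = ?",
        (token,),
    )
    return cur.fetchall()


if __name__ == "__main__":
    db = make_db()
    token = row_hash("ab", "c", "x")  # what the edit link would carry instead of the full row
    print(find_rows(db, token))       # only ("ab", "c", "x"), not ("a", "bc", "x")
    print(naive_hash("ab", "c", "x") == naive_hash("a", "bc", "x"))  # True: plain CONCAT collides
```

Two rows with identical content in a keyless table still hash identically; no content-based scheme can tell them apart, which is the same limit the full-row URL already had.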
Thanks Thijs for this idea. I think we could implement it (at least try it) for performance purposes, but I am afraid that the warning about Suhosin in general must remain.
Even on a table with a primary key, if the table has many fields and you want to do a simple INSERT, the suhosin.post.max_vars threshold may be reached.
http://forum.hardened-php.net/viewtopic.php?pid=1444
Or the suhosin.post.max_value_length when uploading a file to a BLOB.
Marc