10 Oct
2002
10 Oct
'02
7:13 a.m.
Hi
I've made fix for this bug, but I have one question: Why was in
libraries/auth/config.auth.lib.php3 called PMA_mysqldie with sql parameter
containing how was mysql_connect called? Then it made problems to SQL
parser (only when IP address was used as host) and it reported error,
where the password from config was shown.
Michal
10 Oct
10 Oct
8:33 a.m.
Michal Cihar wrote:
Hi
I've made fix for this bug, but I have one question: Why was in
libraries/auth/config.auth.lib.php3 called PMA_mysqldie with sql parameter
containing how was mysql_connect called? Then it made problems to SQL
parser (only when IP address was used as host) and it reported error,
where the password from config was shown.
Michal
Michal,
I can't see a good reason for the previous code. But without your
last fix, I tried to reproduce the bug, stopping a MySQL server,
and I was not able to make phpMyAdmin display confidential info.
Marc
10:17 a.m.
Hi
to reproduce it you need:
- use config auth
- have hostname as numerical IP (maybe there are also other possibilities,
but for me it appeared just for IP address not the hostname)
- make some failure in connecting to mysql (e.g. use server where no mysql
is runing)
then it should show that reported error (at least it did in my case)
Michal
Michal,
I can't see a good reason for the previous code. But without your
last fix, I tried to reproduce the bug, stopping a MySQL server,
and I was not able to make phpMyAdmin display confidential info.
Marc
2:32 p.m.
Michal,
with your patch and a numeric IP, I stop the MySQL server and I get
a leak (I put some XXX here):
There seems to be an error in your SQL query.
The MySQL server error output below, if there is any, may also help you in diagnosing the
problem
ERROR: Invalid Identifer @ 15
STR: 192.219.
SQL: mysql_connect(x.x.x.x, x, x)
Error
MySQL said:
Can't connect to MySQL server on 'x.x.x.x' (111)
=============
It's in the parser.
Michal Cihar a écrit:
Hi
to reproduce it you need:
- use config auth
- have hostname as numerical IP (maybe there are also other possibilities,
but for me it appeared just for IP address not the hostname)
- make some failure in connecting to mysql (e.g. use server where no mysql
is runing)
then it should show that reported error (at least it did in my case)
Michal
Michal,
I can't see a good reason for the previous code. But without your
last fix, I tried to reproduce the bug, stopping a MySQL server,
and I was not able to make phpMyAdmin display confidential info.
Marc
-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Phpmyadmin-devel mailing list
Phpmyadmin-devel(a)lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
3:14 p.m.
Hi
with your patch and a numeric IP, I stop the MySQL
server and I get
a leak (I put some XXX here):
Yes I know, thats what I tried to fix ;-)
It's in the parser.
Not exactly, the parser is surely not designed to parse php syntax, which was
in this case sent as sql.
Regards
Michal Cihar
nijel at users dot sourceforge dot net
http://cihar.liten.cz
11:24 p.m.
On Thu, Oct 10, 2002 at 09:11:01PM +0200, Michal Cihar wrote:
Yes, the parser is not designed to handle PHP syntax. The
correct fix
for this would be to find where the PHP command is being passed to the
SQL parser and change it there.
--
Robin Hugh Johnson
E-Mail : robbat2(a)orbis-terrarum.net
Home Page : http://www.orbis-terrarum.net/?l=people.robbat2
ICQ# : 30269588 or 41961639
GnuPG FP : 11AC BA4F 4778 E3F6 E4ED F38E B27B 944E 3488 4E85
It's in
the parser.
Not exactly, the parser is surely not designed to parse php syntax,
which was
in this case sent as sql.
11 Oct
11 Oct
3:27 a.m.
Yes, the parser is not designed to handle PHP syntax.
The correct fix
for this would be to find where the PHP command is being passed to the
SQL parser and change it there.
That's what I did, but I'm not sure whether there was no special reason
why it was added here so I asked here.
Michal
9:19 a.m.
Robin Johnson a écrit:
On Thu, Oct 10, 2002 at 09:11:01PM +0200, Michal Cihar
wrote:
Yes, the parser is not designed to handle PHP syntax. The correct fix
for this would be to find where the PHP command is being passed to the
SQL parser and change it there.
Ok I will try to trace this problem.
Marc
It's
in the parser.
Not exactly, the parser is surely not designed to parse php syntax, which was
in this case sent as sql.
9:36 a.m.
Marc Delisle a écrit:
Robin Johnson a écrit:
Fixed in common.lib.php3.
Marc
On Thu, Oct 10, 2002 at 09:11:01PM +0200, Michal
Cihar wrote:
Yes, the parser is not designed to handle PHP syntax. The correct fix
for this would be to find where the PHP command is being passed to the
SQL parser and change it there.
Ok I will try to trace this problem.
Marc It's
in the parser.
Not exactly, the parser is surely not designed to parse php syntax,
which was in this case sent as sql.
8011
days inactive
8012
days old
8 comments
5 participants
participants (5)
-
Marc Delisle -
Marc Delisle
-
Michal Cihar -
Michal Cihar -
Robin Johnson