Hi
I've made a fix for this bug, but I have one question: Why was PMA_mysqldie called in libraries/auth/config.auth.lib.php3 with an sql parameter containing how mysql_connect was called? It then caused problems for the SQL parser (only when an IP address was used as host), and it reported an error in which the password from the config was shown.
Michal
Michal Cihar wrote:
Hi
I've made a fix for this bug, but I have one question: Why was PMA_mysqldie called in libraries/auth/config.auth.lib.php3 with an sql parameter containing how mysql_connect was called? It then caused problems for the SQL parser (only when an IP address was used as host), and it reported an error in which the password from the config was shown.
Michal
Michal,
I can't see a good reason for the previous code. But without your last fix, I tried to reproduce the bug, stopping a MySQL server, and I was not able to make phpMyAdmin display confidential info.
Marc
Hi
to reproduce it you need:
- use config auth
- have hostname as numerical IP (maybe there are also other possibilities, but for me it appeared just for IP address not the hostname)
- make some failure in connecting to mysql (e.g. use server where no mysql is running)
then it should show that reported error (at least it did in my case)
Michal
Michal,
I can't see a good reason for the previous code. But without your last fix, I tried to reproduce the bug, stopping a MySQL server, and I was not able to make phpMyAdmin display confidential info.
Marc
Michal,
with your patch and a numeric IP, I stop the MySQL server and I get a leak (I put some XXX here):
There seems to be an error in your SQL query. The MySQL server error output below, if there is any, may also help you in diagnosing the problem
ERROR: Invalid Identifer @ 15 STR: 192.219. SQL: mysql_connect(x.x.x.x, x, x)
Error
MySQL said:
Can't connect to MySQL server on 'x.x.x.x' (111) =============
It's in the parser.
Michal Cihar wrote:
Hi
to reproduce it you need:
- use config auth
- have hostname as numerical IP (maybe there are also other possibilities,
but for me it appeared just for IP address not the hostname)
- make some failure in connecting to mysql (e.g. use server where no mysql
is running)
then it should show that reported error (at least it did in my case)
Michal
Michal,
I can't see a good reason for the previous code. But without your last fix, I tried to reproduce the bug, stopping a MySQL server, and I was not able to make phpMyAdmin display confidential info.
Marc
Hi
with your patch and a numeric IP, I stop the MySQL server and I get a leak (I put some XXX here):
Yes I know, that's what I tried to fix ;-)
It's in the parser.
Not exactly, the parser is surely not designed to parse php syntax, which was in this case sent as sql.
Regards Michal Cihar nijel at users dot sourceforge dot net http://cihar.liten.cz
On Thu, Oct 10, 2002 at 09:11:01PM +0200, Michal Cihar wrote:
It's in the parser.
Not exactly, the parser is surely not designed to parse php syntax, which was in this case sent as sql.
Yes, the parser is not designed to handle PHP syntax. The correct fix for this would be to find where the PHP command is being passed to the SQL parser and change it there.
Yes, the parser is not designed to handle PHP syntax. The correct fix for this would be to find where the PHP command is being passed to the SQL parser and change it there.
That's what I did, but I'm not sure whether there was no special reason why it was added here so I asked here.
Michal
Robin Johnson wrote:
On Thu, Oct 10, 2002 at 09:11:01PM +0200, Michal Cihar wrote:
It's in the parser.
Not exactly, the parser is surely not designed to parse php syntax, which was in this case sent as sql.
Yes, the parser is not designed to handle PHP syntax. The correct fix for this would be to find where the PHP command is being passed to the SQL parser and change it there.
Ok I will try to trace this problem.
Marc
Marc Delisle wrote:
Robin Johnson wrote:
On Thu, Oct 10, 2002 at 09:11:01PM +0200, Michal Cihar wrote:
It's in the parser.
Not exactly, the parser is surely not designed to parse php syntax, which was in this case sent as sql.
Yes, the parser is not designed to handle PHP syntax. The correct fix for this would be to find where the PHP command is being passed to the SQL parser and change it there.
Ok I will try to trace this problem.
Marc
Fixed in common.lib.php3.
Marc
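The leak discussed in this thread, as an added example that is not part of the original messages and is not phpMyAdmin's code: a connection-failure report that passes the PHP connect call (credentials included) as the "query" to the error page, beside one that passes no query, plus a regression check on the rendered output. All function names and configuration values are hypothetical and constructed for illustration.

```php
<?php
// Added illustration; hypothetical names, not phpMyAdmin's own functions.

// Constructed sample configuration (values are made up).
$cfg = ['host' => '192.0.2.10', 'user' => 'pma', 'password' => 's3cr3t-constructed'];

// Simplified stand-in for an error page that echoes the "failing query" to the user.
function render_error(string $serverMessage, string $query = ''): string
{
    $out = "Error\n";
    if ($query !== '') {
        $out .= 'SQL: ' . htmlspecialchars($query) . "\n";
    }
    return $out . 'MySQL said: ' . htmlspecialchars($serverMessage) . "\n";
}

// Before: the connect call, with user and password, is handed over as the query.
function report_connect_failure_leaky(array $cfg, string $serverMessage): string
{
    $call = 'mysql_connect(' . $cfg['host'] . ', ' . $cfg['user'] . ', ' . $cfg['password'] . ')';
    return render_error($serverMessage, $call);
}

// After: no query is passed, so only the server's own message is displayed.
function report_connect_failure_safe(string $serverMessage): string
{
    return render_error($serverMessage);
}

// Regression check: no configured credential may appear in the rendered page.
function leaks_secret(string $rendered, array $cfg): bool
{
    foreach (['user', 'password'] as $key) {
        if ($cfg[$key] !== '' && strpos($rendered, $cfg[$key]) !== false) {
            return true;
        }
    }
    return false;
}

$msg = "Can't connect to MySQL server on '" . $cfg['host'] . "' (111)";
var_dump(leaks_secret(report_connect_failure_leaky($cfg, $msg), $cfg));
var_dump(leaks_secret(report_connect_failure_safe($msg), $cfg));
```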