[Phpmyadmin-devel] problem with $goto_whitelist

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Sun Dec 18 14:17:01 CET 2005


in the bookmarks creation dialog, we have a hidden goto that contains 
"sql.php?db=mybase&table=mytable" and some other parameters.

Current logic in common.lib.php:

if (isset($_REQUEST['goto'])
    && in_array($_REQUEST['goto'], $goto_whitelist)) {

fails in this case because the white list contains sql.php and we are 
comparing with a $_REQUEST['goto'] containing sql.php plus parameters.

Same problem could happen for other parameters like $back, I'm not sure.

Is there another function like in_array() but able to compare a 
substring? If not, we'll have to do something like:

if (isset($_REQUEST['goto'])
    && in_array(substr($_REQUEST['goto'], 0, strpos($_REQUEST['goto'] . '?', '?')),
                $goto_whitelist)) {


