[Phpmyadmin-devel] problem with $goto_whitelist
Marc Delisle
Marc.Delisle at cegepsherbrooke.qc.ca
Sun Dec 18 14:17:01 CET 2005
Hi,

in the bookmarks creation dialog, we have a hidden goto that contains
"sql.php?db=mybase&table=mytable" and some other parameters.

Current logic in common.lib.php:

    if (isset($_REQUEST['goto']) && in_array($_REQUEST['goto'], $goto_whitelist)) {

fails in this case because the white list contains sql.php and we are
comparing with a $_REQUEST['goto'] containing sql.php plus parameters.

Same problem could happen for other parameters like $back, I'm not sure.

Is there another function like in_array() but able to compare a
substring? If not, we'll have to do something like:

    if (isset($_REQUEST['goto']) &&
        in_array(substr($_REQUEST['goto'], 0, strpos($_REQUEST['goto'] . '?', '?')), $goto_whitelist)) {

Marc
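
The prefix comparison proposed in the message above, written out as an added example that is not part of the original message or of phpMyAdmin's code. The helper names, the second whitelist entry and the sample goto values are assumptions constructed for illustration; only sql.php and the substr()/strpos() expression come from the message.

```php
<?php
// Added illustration, not phpMyAdmin code. Only 'sql.php' comes from the
// message; 'example_page.php' is a hypothetical second whitelist entry.
$goto_whitelist = array('sql.php', 'example_page.php');

// Hypothetical helper: the script-name part of a goto value, i.e. everything
// before the first '?'. Appending '?' makes strpos() succeed even when the
// value carries no parameters.
function goto_script_name($goto)
{
    return substr($goto, 0, strpos($goto . '?', '?'));
}

// Hypothetical helper: true only when goto is a string whose script name is
// an exact, type-strict match for a whitelist entry.
function is_whitelisted_goto($goto, array $whitelist)
{
    // goto[]=x arrives as an array; reject anything that is not a non-empty string.
    if (!is_string($goto) || $goto === '') {
        return false;
    }
    return in_array(goto_script_name($goto), $whitelist, true);
}

// Constructed sample values and the result each one should produce.
$samples = array(
    array('sql.php?db=mybase&table=mytable', true),   // the bookmark dialog case
    array('sql.php', true),                            // no parameters
    array('other.php?next=sql.php', false),            // whitelisted name only in the query
    array('http://example.com/sql.php?db=x', false),   // absolute URL: prefix is not a bare name
    array('../sql.php?db=x', false),                   // path component in front of the name
    array('?sql.php', false),                          // empty script name
    array(array('sql.php'), false),                    // array-valued request parameter
);

foreach ($samples as $sample) {
    list($goto, $expected) = $sample;
    $actual = is_whitelisted_goto($goto, $goto_whitelist);
    printf("%-40s %-5s %s\n",
        is_array($goto) ? 'array(...)' : $goto,
        var_export($actual, true),
        $actual === $expected ? 'ok' : 'UNEXPECTED');
}
```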