[Phpmyadmin-devel] Re: phpMyAdmin 'sql_query' Cross-Site Scripting and SQL Code Execution

Garvin Hicking phpmyadmin at supergarv.de
Thu Apr 20 02:22:03 CEST 2006


Hi!

>> Actually that's not a solution to the problem. PMA needs to be fed SQL
>> commands, and we need to accept them via POST.
>
> yes, but we should escape it before displaying it in the browser

Ah, I overread that. Yes, escaping SQL when displaying it would be wise.

>> 1. We need to utilize sessions. Only via sessions can form tokens be
>> easily implemented, because a server-token needs to be compared with a
>> client-token.
>
> sessions already utilized

Seems I missed that, too. Since when does PMA use sessions, and what are they
currently used for? Did I also miss session saving of large SQL queries when
browsing rows to get rid of the "?" editing buttons and max-GET-length exceeded
problems?

Best regards,
Garvin

-- 
++ Garvin Hicking | Web-Entwickler [PHP]    | www.garv.in | ICQ 21392242
++ Developer of   | www.phpMyAdmin.net      | www.s9y.org

++ Make me happy  | http://wishes.garv.in
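The two fixes discussed above, escaping the posted query before echoing it and comparing a session-held form token with the one the client sends back, as an added example in PHP that is not phpMyAdmin's own code; the names `$_SESSION['form_token']`, `sql_query` and `render_form` are assumptions.

```php
<?php
// Added example (not phpMyAdmin's code): a minimal handler that
// (1) ties a per-session token to the form, so a POSTed sql_query is only
//     accepted when it comes from a page this server rendered, and
// (2) HTML-escapes the query before echoing it back, so query text is shown
//     literally instead of being interpreted as markup by the browser.
// Names ($_SESSION['form_token'], sql_query, render_form) are assumptions.

session_start();

function get_form_token(): string {
    // One token per session; the hidden field carries it, the server compares.
    if (empty($_SESSION['form_token'])) {
        $_SESSION['form_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_token'];
}

function token_is_valid(?string $client_token): bool {
    $server_token = $_SESSION['form_token'] ?? '';
    // Both tokens must be present; compare in constant time.
    return $client_token !== null && $server_token !== ''
        && hash_equals($server_token, $client_token);
}

function escape_for_html(string $text): string {
    // Escape <, >, &, " and ' so the SQL is displayed, never executed as HTML.
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_form(string $previous_query = ''): string {
    $token = escape_for_html(get_form_token());
    $shown = escape_for_html($previous_query);
    return '<form method="post" action="">'
         . '<input type="hidden" name="token" value="' . $token . '">'
         . '<textarea name="sql_query">' . $shown . '</textarea>'
         . '<input type="submit" value="Go"></form>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!token_is_valid($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or invalid; request ignored.');
    }
    $query = (string) ($_POST['sql_query'] ?? '');
    // ... the query would be run against MySQL here; only the echo-back is shown ...
    echo '<p>Your SQL query: <code>' . escape_for_html($query) . '</code></p>';
}
echo render_form((string) ($_POST['sql_query'] ?? ''));
```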
