[Phpmyadmin-devel] Re: phpMyAdmin 'sql_query' Cross-Site Scripting and SQL Code Execution
Garvin Hicking
phpmyadmin at supergarv.de
Thu Apr 20 02:22:03 CEST 2006
Hi!
>> Actually that's not a solution to the problem. PMA needs to be fed SQL
>> commands, and we need to accept them via POST.
>
> yes, but we should escape it before displaying in browser
Ah, I overread that. Yes, escaping SQL when displaying it would be wise.
>> 1. We need to utilize sessions. Only via sessions, form tokens could be
>> easily implemented, because a server-token needs to be compared with a
>> client-token.
>
> sessions already utilized
Seems I missed that, too. Since when does PMA use sessions, and what are they
currently used for? Did I also miss session saving of large SQL queries when
browsing rows to get rid of the "?" editing buttons and max-GET-length exceeded
problems?
Best regards,
Garvin
--
++ Garvin Hicking | Web developer [PHP] | www.garv.in | ICQ 21392242
++ Developer of | www.phpMyAdmin.net | www.s9y.org
++ Make me happy | http://wishes.garv.in
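The two mitigations discussed in this thread, as an added illustration that is not phpMyAdmin's own code: HTML-escaping the submitted SQL before it is echoed back into the page, and comparing a server-side session token with the token the client sends in the form. The function names and the `$session` array (standing in for `$_SESSION`) are assumptions made for the example.

```php
<?php
// Added example (not phpMyAdmin code). Shows:
// 1. escaping a user-supplied SQL query before displaying it in HTML, and
// 2. a per-session form token that is compared against the client's copy.
declare(strict_types=1);

/** Escape the submitted query for safe inclusion in HTML body text. */
function escapeQueryForHtml(string $sql): string
{
    // ENT_QUOTES escapes both ' and "; forcing UTF-8 avoids charset tricks.
    return htmlspecialchars($sql, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Create (once per session) and return the server-side form token. */
function getFormToken(array &$session): string
{
    if (empty($session['form_token'])) {
        $session['form_token'] = bin2hex(random_bytes(32));
    }
    return $session['form_token'];
}

/** Hidden input that carries the token back with every POSTed form. */
function formTokenField(array &$session): string
{
    $token = htmlspecialchars(getFormToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $token . '">';
}

/** Constant-time comparison of the client's token with the session token. */
function isValidFormToken(array $session, ?string $clientToken): bool
{
    if (!isset($session['form_token']) || $clientToken === null) {
        return false;
    }
    return hash_equals($session['form_token'], $clientToken);
}

// --- Demonstration with constructed input; no live server required ---
$session = [];                       // assumption: stands in for $_SESSION
$token   = getFormToken($session);

// Constructed query containing markup, as an attacker might submit it.
$submitted = "SELECT 1 <script>alert('x')</script>";

// Escaped form is safe to echo into the page; the raw form is not.
echo escapeQueryForHtml($submitted), "\n";
echo formTokenField($session), "\n";

// The genuine token validates; a token the server never issued does not.
var_dump(isValidFormToken($session, $token));
var_dump(isValidFormToken($session, 'not-the-session-token'));
```

The token check rejects a request whose form was not rendered by this session, which is what a session-bound token buys you; the escaping step is independent of it and must run on every display of the query, not only when the token fails.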