[Phpmyadmin-devel] Re: phpMyAdmin 'sql_query' Cross-Site Scripting and SQL Code Execution
lists at sebastianmendel.de
Thu Apr 20 02:35:00 CEST 2006
Garvin Hicking wrote:
>>> Actually that's not a solution to the problem. PMA needs to be fed SQL
>>> commands, and we need to accept them via POST.
>> Yes, but we should escape it before displaying it in the browser.
> Ah, I overread that. Yes, escaping SQL when displaying it would be wise.
>>> 1. We need to utilize sessions. Only via sessions, form tokens could be
>>> easily implemented, because a server-token needs to be compared with a
>> Sessions are already utilized.
> Seems I missed that, too. Since when does PMA use sessions, and what are they
> currently used for? Did I also miss session saving of large SQL queries when
No, this is not done at the moment.
Only request-independent data is saved in the session: data that does not
change if someone uses multiple windows with phpMyAdmin. Currently this is
only configuration and themes.
> browsing rows to get rid of the "?" editing buttons and max-GET-length exceeded
I do not know this problem!? Wasn't this fixed with 'subforms'?
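As an added illustration of the two measures discussed in this thread (escaping the submitted SQL before it is echoed back into the page, and binding a session form token to the POST), here is example PHP that is not phpMyAdmin's own code. The function names, the `$session` array standing in for `$_SESSION` so the script runs from the CLI, and the sample query are assumptions made for the example.

```php
<?php
// Added example, not phpMyAdmin code. Shows (1) escaping a user-supplied SQL
// string before it is placed into HTML and (2) a per-session form token that
// a POST must carry before the query is accepted.

declare(strict_types=1);

/**
 * Escape an arbitrary string (here: the submitted SQL query) so it is inert
 * when placed into HTML text or into a single/double-quoted attribute.
 */
function escapeForHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Issue a form token and keep it in the session store.
 * $session stands in for $_SESSION (assumption, so the example runs offline).
 */
function issueFormToken(array &$session): string
{
    if (empty($session['form_token'])) {
        $session['form_token'] = bin2hex(random_bytes(16));
    }
    return $session['form_token'];
}

/**
 * Compare the token submitted with the POST against the session's token
 * in constant time; missing token on either side fails closed.
 */
function verifyFormToken(array $session, ?string $submitted): bool
{
    if (!isset($session['form_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['form_token'], $submitted);
}

/**
 * Handle one submitted query: refuse unless the token matches, otherwise
 * return the HTML fragment that echoes the query back to the user.
 */
function renderSubmittedQuery(array &$session, array $post): string
{
    if (!verifyFormToken($session, $post['token'] ?? null)) {
        return '<p class="error">Invalid form token; request rejected.</p>';
    }
    $sql = escapeForHtml($post['sql_query'] ?? '');
    return '<textarea name="sql_query">' . $sql . '</textarea>';
}

// --- demo with constructed input ------------------------------------------
$session = [];
$token = issueFormToken($session);

// Constructed sql_query value containing markup, as it might arrive in POST.
$submitted = "SELECT 1 WHERE x='<script>alert(1)</script>'";

// 1. POST without the session token: refused regardless of content.
echo renderSubmittedQuery($session, ['sql_query' => $submitted]), "\n";

// 2. POST carrying the session token: accepted, and the echoed markup is
//    entity-encoded, so the browser renders it as text rather than a script.
echo renderSubmittedQuery($session, ['sql_query' => $submitted, 'token' => $token]), "\n";
```

The token is generated once per session and compared with `hash_equals`; the escaping uses `ENT_QUOTES` so the value is also safe inside a quoted attribute, which matters when the query is put back into a form field rather than plain text.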