[Phpmyadmin-devel] October change in PMA_showMessage()
Marc Delisle
Marc.Delisle at cegepsherbrooke.qc.ca
Tue Nov 28 13:12:14 CET 2006
Michal Čihař wrote:
> Hi
>
> On Tue, 28 Nov 2006 03:21:15 -0500
> Marc Delisle <Marc.Delisle at cegepsherbrooke.qc.ca> wrote:
>
>> what kind of problems was this fix for? (More specifically the last
>> part of the fix at line 1575)
>>
>> http://phpmyadmin.svn.sourceforge.net/viewvc/phpmyadmin/branches/QA_2_9/phpMyAdmin/libraries/common.lib.php?r1=9460&r2=9594
>
> When there was a long query from import, it was not escaped. Maybe
> PMA_showMessage was not the correct place to escape it...
Yes, maybe in libraries/import.lib.php would be better. I looked at this
code:
// check length of query unless we decided to pass it to sql.php
if (!$go_sql) {
    if ($cfg['VerboseMultiSubmit'] && !empty($sql_query)) {
        if (strlen($sql_query) > 50000 || $executed_queries > 50 ||
            $max_sql_len > 1000) {
            $sql_query = '';
            $sql_query_disabled = TRUE;
        }
    } else {
        if (strlen($sql_query) > 10000 || $executed_queries > 10 ||
            $max_sql_len > 500) {
            $sql_query = '';
            $sql_query_disabled = TRUE;
        }
    }
}
I think that the best place would be at the end of this code, when
$sql_query is still not empty. Assuming that the check on
VerboseMultiSubmit is correct (why is that check there?), I suggest:
Index: import.lib.php
===================================================================
--- import.lib.php (revision 9763)
+++ import.lib.php (working copy)
@@ -171,6 +171,9 @@
$sql_query_disabled = TRUE;
}
}
+ if (! empty($sql_query)) {
+ $sql_query = htmlspecialchars($sql_query);
+ }
}
} // end do query (no skip)
} // end buffer exists
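Review bot: the added `htmlspecialchars($sql_query)` escapes the query where it is stored rather than where it is rendered, and since the thread above says PMA_showMessage() in QA_2_9 already escapes the message, the query would be HTML-encoded twice if both changes are present. The hunk also does nothing for the `$go_sql` path: the enclosing `if (!$go_sql)` (visible in the snippet quoted earlier, "unless we decided to pass it to sql.php") means a query handed on to sql.php still reaches the display unescaped. Suggest escaping once at the output boundary, in the function that emits the HTML; if the escape stays here instead, drop the one in PMA_showMessage() and check that nothing downstream re-executes or re-submits the now-encoded `$sql_query`.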
Of course I don't like the output, see
https://sourceforge.net/tracker/index.php?func=detail&aid=1547370&group_id=23067&atid=377408
Marc
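The two options discussed in this thread, escaping the query where it is stored (as the patch does) versus escaping it only where it is rendered (in the message display function), differ in a way that a short script makes concrete. The example below is added here and is not phpMyAdmin code; the helper names render_query_message and run_query_stub and the sample query are constructed for illustration.

```php
<?php
// Added example (not phpMyAdmin code): contrasts escaping a query string at
// storage time with escaping only at the output boundary. The helper names
// render_query_message() and run_query_stub() are hypothetical.

// Constructed sample: a query whose data contains characters that are
// significant in HTML, as a long imported query easily might.
$sql_query = "INSERT INTO t (html) VALUES ('<script>alert(1)</script>');";

// Option 1: escape where the value is stored. The query itself is mutated,
// so anything that later reuses $sql_query (re-execution, a redirect to
// sql.php, a "show query" link) now sees the HTML-encoded form.
$stored_escaped = htmlspecialchars($sql_query, ENT_QUOTES, 'UTF-8');

// Option 2: escape at the output boundary. The raw query stays intact and is
// encoded exactly once, at the point where it becomes part of an HTML page.
function render_query_message(string $query): string
{
    return '<pre>' . htmlspecialchars($query, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// If both the storing code and the display code escape, the display is
// double-encoded: "&lt;" becomes "&amp;lt;" and the user sees entity text.
$double_encoded = render_query_message($stored_escaped);

// A stub standing in for "pass the query on to be executed": it only checks
// that the string it receives is still the SQL the user actually imported.
function run_query_stub(string $query): bool
{
    return $query === "INSERT INTO t (html) VALUES ('<script>alert(1)</script>');";
}

// The raw query is still reusable; the stored-escaped one no longer matches.
var_dump(run_query_stub($sql_query));
var_dump(run_query_stub($stored_escaped));

// Escaped once at output: safe to embed. Escaped twice: garbled for the user.
echo render_query_message($sql_query), "\n";
echo $double_encoded, "\n";
```

The point for the patch in this thread is the second echo: whichever place is chosen, it has to be the only one, and choosing the output side keeps $sql_query usable for everything that is not HTML.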