[Phpmyadmin-devel] New Suhosin warning (#1863326)

Thijs Kinkhorst thijs at debian.org
Tue Mar 4 11:40:41 CET 2008


Hi all,

I noticed the newly introduced warning that phpMyAdmin emits when Suhosin
is enabled in PHP. I expect that Suhosin will be enabled more and more,
because the demands on security of web applications are ever increasing.
It provides valuable protection of PHP which doesn't have the best
security history. For example Debian's next release will have Suhosin
enabled by default, and other distributions are doing or have already done
the same. So I doubt that adding such a warning is a viable solution to
the problem.

The problem seems to be that when a table doesn't have a key defined,
phpMyAdmin encodes the entire row in the request URL, in order to make
sure to match the right row. Suhosin trips over this when that URL gets
very long.

I propose to resolve this problem in a different way. Wouldn't it be an
idea to take the contents of the entire row, run it through md5() or
sha1(), and pass that in the URL? This value could then in the query be
used when specifying something like "WHERE
MD5(CONCAT(field1,field2,field3)) = url_submitted_md5"? This would, in my
opinion, resolve the problem in a more elegant way that works for all
configurations. Even when not having Suhosin enabled, passing a URL of
many kilobytes long isn't desirable anyway.

Of course you could only do this when the row length exceeds some minimum
length if you want to.

What do you think?

Thijs
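The row-hash idea proposed above has one pitfall worth checking before it goes into a WHERE clause: MD5(CONCAT(field1,field2,field3)) joins the fields with no separator, so rows ("ab","c") and ("a","bc") hash to the same value, and CONCAT() yields NULL as soon as one field is NULL. The following is an added example (not phpMyAdmin code and not part of the post) that models the naive hash alongside a length-prefixed variant that stays unambiguous; the sample rows are constructed, and the generated MySQL expression assumes utf8 columns so that LENGTH() counts the same bytes Python does.

```python
import hashlib

# Constructed sample rows for a table without a key (not real phpMyAdmin data).
ROWS = [
    ("ab", "c", "x"),
    ("a", "bc", "x"),
]


def naive_row_hash(row):
    """Mirror MySQL's MD5(CONCAT(f1,f2,f3)): fields joined with no separator.
    None models SQL NULL; CONCAT() with any NULL argument is NULL, so there
    is nothing to hash and the row could never be matched by this digest."""
    if any(v is None for v in row):
        return None
    return hashlib.md5("".join(row).encode("utf-8")).hexdigest()


def unambiguous_row_hash(row):
    """Length-prefix every field and mark NULL distinctly, so two different
    rows can never serialise to the same byte string before hashing."""
    parts = []
    for v in row:
        if v is None:
            parts.append("N")
        else:
            parts.append("S%d:%s" % (len(v.encode("utf-8")), v))
    return hashlib.sha1("|".join(parts).encode("utf-8")).hexdigest()


def mysql_row_hash_expr(columns):
    """MySQL expression meant to compute the same digest as unambiguous_row_hash
    (assumption: utf8 columns, so LENGTH() is the UTF-8 byte length). Use it as
    'WHERE <expr> = %s' with the URL-submitted digest passed as a parameter."""
    terms = ["IFNULL(CONCAT('S', LENGTH(`%s`), ':', `%s`), 'N')" % (c, c)
             for c in columns]
    return "SHA1(CONCAT_WS('|', %s))" % ", ".join(terms)


def rows_matching(rows, digest, hash_fn):
    """Rows a server-side 'WHERE hash = digest' would select; more than one
    hit means the digest does not identify a single row."""
    return [r for r in rows if hash_fn(r) == digest]


if __name__ == "__main__":
    # The naive digest selects both constructed rows; the prefixed one selects one.
    print(len(rows_matching(ROWS, naive_row_hash(ROWS[0]), naive_row_hash)))
    print(len(rows_matching(ROWS, unambiguous_row_hash(ROWS[0]), unambiguous_row_hash)))
    print(mysql_row_hash_expr(["field1", "field2", "field3"]))
```

Genuinely duplicate rows are still indistinguishable by any digest, so a match count other than one should be treated as "row not uniquely identified" rather than silently updating the first hit.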
