[Phpmyadmin-devel] New Suhosin warning (#1863326)
Sebastian Mendel
lists at sebastianmendel.de
Tue Mar 4 12:35:06 CET 2008
Thijs Kinkhorst wrote:
> Hi all,
>
> I noticed the newly introduced warning that phpMyAdmin emits when Suhosin
> is enabled in PHP. I expect that Suhosin will be enabled more and more,
> because the demands on security of web applications are ever increasing.
> It provides valuable protection of PHP which doesn't have the best
> security history. For example Debian's next release will have Suhosin
> enabled by default, and other distributions are doing or have already done
> the same. So I doubt that adding such a warning is a viable solution to
> the problem.
>
> The problem seems to be that when a table doesn't have a key defined,
> phpMyAdmin encodes the entire row in the request URL, in order to make
> sure to match the right row. Suhosin trips over this when that URL gets
> very long.
>
> I propose to resolve this problem in a different way. Wouldn't it be an
> idea to take the contents of the entire row, run it through md5() or
> sha1(), and pass that in the URL? This value could then in the query be
> used when specifying something like "WHERE
> MD5(CONCAT(field1,field2,field3)) = url_submitted_md5"? This would, in my
> opinion, resolve the problem in a more elegant way that works for all
> configurations. Even when not having Suhosin enabled, passing an URL of
> many kilobytes long isn't desirable anyway.
>
> Of course you could only do this when the row length exceeds some minimum
> length if you want to.
>
> What do you think?
Especially on shared hosters, where the most 'bad' database structures will
exist, this could have a very heavy impact on the performance of the MySQL server, or?
--
Sebastian
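An added illustration of the exchange above (written for this page; it is not code from the thread or from phpMyAdmin): the proposed lookup, a keyless table, and the two caveats the thread touches on. It uses sqlite3 standing in for MySQL, with a Python `MD5()` registered so the WHERE expression mirrors `MD5(CONCAT(...))`; `||` is sqlite's concatenation. `naive_token` is the proposal as written, `row_token` adds a field separator and a NULL sentinel (both assumptions added here, since bare CONCAT makes `('ab','c')` and `('a','bc')` hash alike and turns a NULL field into a NULL hash), and `uses_full_scan` shows what Sebastian is pointing at: a hash over computed values cannot use an index, so every row is read.

```python
import hashlib
import sqlite3

# Constructed demo, not phpMyAdmin code. sqlite3 stands in for MySQL.
SEP = chr(31)          # ASCII unit separator between fields (assumption added here)
NULL_MARK = "<NULL>"   # constructed sentinel so a NULL field hashes deterministically


def naive_token(values):
    """Token exactly as proposed: MD5(CONCAT(field1, field2, ...)) with no separator."""
    return hashlib.md5("".join(str(v) for v in values).encode("utf-8")).hexdigest()


def row_token(values):
    """Separator-aware token: MD5 over fields joined by SEP, NULL mapped to NULL_MARK."""
    parts = [NULL_MARK if v is None else str(v) for v in values]
    return hashlib.md5(SEP.join(parts).encode("utf-8")).hexdigest()


def token_expr(columns):
    """Server-side expression that recomputes row_token() for each row."""
    pieces = [f"""COALESCE("{c}", '{NULL_MARK}')""" for c in columns]
    return "MD5(" + f" || CHAR({ord(SEP)}) || ".join(pieces) + ")"


def open_demo_db():
    """Keyless table, as in the report; the first two rows differ only in field boundaries."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1,
                         lambda s: hashlib.md5(str(s).encode("utf-8")).hexdigest())
    conn.execute('CREATE TABLE t ("a" TEXT, "b" TEXT, "n" INTEGER)')  # no key, no index
    conn.executemany("INSERT INTO t VALUES (?, ?, ?)",
                     [("ab", "c", 1), ("a", "bc", 1), ("x", None, 2)])
    return conn


def find_rows(conn, columns, token):
    """The proposed lookup: WHERE <hash expression> = <token carried in the URL>."""
    sql = f"SELECT a, b, n FROM t WHERE {token_expr(columns)} = ?"
    return conn.execute(sql, (token,)).fetchall()


def uses_full_scan(conn, columns):
    """True when the planner has to read every row (it always does for a hashed expression)."""
    sql = f"EXPLAIN QUERY PLAN SELECT * FROM t WHERE {token_expr(columns)} = ?"
    plan = conn.execute(sql, ("",)).fetchall()
    return any("SCAN" in str(row[-1]) for row in plan)


if __name__ == "__main__":
    db = open_demo_db()
    cols = ("a", "b", "n")
    print("naive tokens collide:", naive_token(("ab", "c", 1)) == naive_token(("a", "bc", 1)))
    print("separator token finds:", find_rows(db, cols, row_token(("ab", "c", 1))))
    print("NULL row found:", find_rows(db, cols, row_token(("x", None, 2))))
    print("full table scan:", uses_full_scan(db, cols))
```

On MySQL the same expression would be spelled `MD5(CONCAT(COALESCE(...), CHAR(31), ...))` with backtick-quoted identifiers; the shape of the cost is the same on either engine, because the hash has to be recomputed for every candidate row on each request, which is what makes the shared-hosting case expensive.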