[Phpmyadmin-devel] New Suhosin warning (#1863326)
lists at sebastianmendel.de
Tue Mar 4 12:35:06 CET 2008
Thijs Kinkhorst wrote:
> Hi all,
> I noticed the newly introduced warning that phpMyAdmin emits when Suhosin
> is enabled in PHP. I expect that Suhosin will be enabled more and more,
> because the demands on security of web applications are ever increasing.
> It provides valuable protection of PHP which doesn't have the best
> security history. For example Debian's next release will have Suhosin
> enabled by default, and other distributions are doing or have already done
> the same. So I doubt that adding such a warning is a viable solution to
> the problem.
> The problem seems to be that when a table doesn't have a key defined,
> phpMyAdmin encodes the entire row in the request URL, in order to make
> sure to match the right row. Suhosin trips over this when that URL gets
> very long.
> I propose to resolve this problem in a different way. Wouldn't it be an
> idea to take the contents of the entire row, run it through md5() or
> sha1(), and pass that in the URL? This value could then in the query be
> used when specifying something like "WHERE
> MD5(CONCAT(field1,field2,field3)) = url_submitted_md5"? This would, in my
> opinion, resolve the problem in a more elegant way that works for all
> configurations. Even when not having Suhosin enabled, passing a URL
> many kilobytes long isn't desirable anyway.
> Of course you could only do this when the row length exceeds some minimum
> length if you want to.
> What do you think?
Especially on shared hosters, where most of the 'bad' database structures will
exist, this could have a very heavy impact on the performance of the MySQL server, no?
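The scheme proposed in the quoted message, as an added example that is not phpMyAdmin's own code: the client sends only a digest of the row in the URL, and the server matches the row with the proposed WHERE MD5(CONCAT(...)) = digest clause. SQLite stands in for MySQL here (an assumption), so MD5() and CONCAT() are registered as user-defined functions; the table, column names and rows are constructed.

```python
import hashlib
import sqlite3
from urllib.parse import urlencode

# Constructed sample: a table with no key, so a row can only be identified by its contents.
COLUMNS = ("name", "email", "notes")
ROWS = [
    ("alice", "alice@example.org", "x" * 2000),  # long text column, constructed
    ("bob", "bob@example.org", "y" * 2000),
    ("alice", "alice@example.org", "z" * 2000),  # differs from row 0 only in 'notes'
]

def concat(*values):
    # Mirrors what CONCAT(col1, col2, ...) produces server-side. Plain concatenation means
    # ('ab', 'c') and ('a', 'bc') hash alike; NULL is rendered as '' here (MySQL would yield NULL).
    return "".join("" if v is None else str(v) for v in values)

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def row_fingerprint(row):
    """Digest the client puts in the URL instead of every column value."""
    return md5_hex(concat(*row))

def open_db():
    conn = sqlite3.connect(":memory:")
    # SQLite lacks MD5() and CONCAT(); register them so the proposed clause runs unchanged.
    conn.create_function("MD5", 1, md5_hex)
    conn.create_function("CONCAT", -1, concat)
    conn.execute("CREATE TABLE t (name TEXT, email TEXT, notes TEXT)")
    conn.executemany("INSERT INTO t VALUES (?, ?, ?)", ROWS)
    return conn

def find_row_by_fingerprint(conn, digest):
    # The hash is recomputed for every row, so no index helps: this full scan is
    # the performance concern raised in the reply above.
    sql = "SELECT name, email, notes FROM t WHERE MD5(CONCAT(%s)) = ?" % ", ".join(COLUMNS)
    return conn.execute(sql, (digest,)).fetchall()

def url_query_lengths(row):
    """Query-string length: old scheme (all values) vs proposed scheme (digest only)."""
    old = len(urlencode(dict(zip(COLUMNS, row))))
    new = len(urlencode({"row_md5": row_fingerprint(row)}))
    return old, new

if __name__ == "__main__":
    db = open_db()
    print(find_row_by_fingerprint(db, row_fingerprint(ROWS[2]))[0][:2])
    print(url_query_lengths(ROWS[0]))
```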