[Phpmyadmin-devel] New Suhosin warning (#1863326)
michal at cihar.com
Tue Mar 4 14:44:05 CET 2008
On Tue, 4 Mar 2008 11:40:41 +0100 (CET)
"Thijs Kinkhorst" <thijs at debian.org> wrote:
> I noticed the newly introduced warning that phpMyAdmin emits when Suhosin
> is enabled in PHP. I expect that Suhosin will be enabled more and more,
> because the demands on security of web applications are ever increasing.
> It provides valuable protection of PHP which doesn't have the best
> security history. For example Debian's next release will have Suhosin
> enabled by default, and other distributions are doing or have already done
> the same. So I doubt that adding such a warning is a viable solution to
> the problem.
Even if we find a solution for tables without indexes, the warning will
have to stay there. For example, if you edit several rows from a table,
you can quite easily reach the limit on the number of parameters or the
request size, and there is no workaround for this.
> The problem seems to be that when a table doesn't have a key defined,
> phpMyAdmin encodes the entire row in the request URL, in order to make
> sure to match the right row. Suhosin trips over this when that URL gets
> very long.
> I propose to resolve this problem in a different way. Wouldn't it be an
> idea to take the contents of the entire row, run it through md5() or
> sha1(), and pass that in the URL? This value could then in the query be
> used when specifying something like "WHERE
> MD5(CONCAT(field1,field2,field3)) = url_submitted_md5"? This would, in my
> opinion, resolve the problem in a more elegant way that works for all
> configurations. Even when not having Suhosin enabled, passing a URL of
> many kilobytes long isn't desirable anyway.
> Of course you could only do this when the row length exceeds some minimum
> length if you want to.
I think this is a good idea for handling tables without a primary key.
Michal Čihař | http://cihar.com | http://blog.cihar.com
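The hashed-row lookup Thijs proposes above, worked through as an added example; this is not code from the thread or from phpMyAdmin. It uses sqlite3 with a registered md5() function standing in for MySQL's MD5(), and the table, column names and rows are constructed for the example. The one point a plain MD5(CONCAT(field1,field2,field3)) misses is that CONCAT yields NULL when any field is NULL and cannot distinguish ('ab','c') from ('a','bc'), so the client and the server must agree on a separator and a NULL marker (both chosen here as assumptions).

```python
import hashlib
import sqlite3
from urllib.parse import urlencode

# Constructed sample data: a table with no primary key, as in the case discussed.
# Table and column names are invented for this example.
TABLE = "people"
COLUMNS = ["name", "role", "email"]
ROWS = [
    ("alice", "admin", "a@example.org"),
    ("bob", None, "b@example.org"),      # a NULL column
    ("carol", "user", "c@example.org"),
    ("carol", "user", "c@example.org"),  # an exact duplicate row
]

# Separator and NULL marker used on both sides of the hash (assumed values,
# chosen because they are unlikely to appear in real column data).
SEP = "\x1f"
NULL_MARK = "\x1e"


def row_fingerprint(values):
    """Client-side hash of one row; this 32-char digest goes into the URL
    instead of the whole row."""
    parts = [NULL_MARK if v is None else str(v) for v in values]
    return hashlib.md5(SEP.join(parts).encode("utf-8")).hexdigest()


def fingerprint_expr(columns):
    """SQL expression computing the same hash on the server side.
    MySQL would use MD5(CONCAT(IFNULL(...), ...)); sqlite has no MD5, so
    build_db() registers one with the same semantics."""
    pieces = ["IFNULL(%s, :nullmark)" % c for c in columns]
    return "md5(" + " || :sep || ".join(pieces) + ")"


def build_db():
    """In-memory table holding the constructed rows (all columns TEXT, so the
    string form seen by the hash is the same on both sides)."""
    conn = sqlite3.connect(":memory:")
    conn.create_function(
        "md5", 1, lambda s: hashlib.md5(s.encode("utf-8")).hexdigest())
    conn.execute("CREATE TABLE %s (%s)"
                 % (TABLE, ", ".join(c + " TEXT" for c in COLUMNS)))
    conn.executemany("INSERT INTO %s VALUES (?, ?, ?)" % TABLE, ROWS)
    return conn


def find_rows_by_fingerprint(conn, columns, digest):
    """Look up the row(s) whose content hashes to the digest submitted in
    the URL. Duplicate rows hash identically, so more than one may match."""
    sql = "SELECT %s FROM %s WHERE %s = :digest" % (
        ", ".join(columns), TABLE, fingerprint_expr(columns))
    params = {"sep": SEP, "nullmark": NULL_MARK, "digest": digest}
    return conn.execute(sql, params).fetchall()


def url_sizes(values):
    """Bytes that would go into the URL: the whole row versus its digest."""
    full = len(urlencode([(c, "" if v is None else v)
                          for c, v in zip(COLUMNS, values)]))
    return full, len(row_fingerprint(values))


if __name__ == "__main__":
    conn = build_db()
    for row in ROWS:
        digest = row_fingerprint(row)
        print(digest, url_sizes(row), find_rows_by_fingerprint(conn, COLUMNS, digest))
```

Two things worth keeping in mind when turning this into a real WHERE clause: exact duplicate rows all match the same digest, so an UPDATE or DELETE built on it should carry an explicit row limit rather than rely on the hash selecting one row; and in MySQL CONCAT_WS is not a substitute for the IFNULL wrapping, because it silently skips NULL arguments and so still makes (NULL,'x') and ('x',NULL) collide.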