Describe the bug
There exists a button that enables the user to convert an SQL query into a PHP variable. When you click "Create PHP code", a box will show up with PHP code containing a single variable called $sql, whose assigned value is the SQL that was executed earlier.
To Reproduce
Steps to reproduce the behavior:
Go to browse table
Add a WHERE 'asd' = 'foo' clause
Click on "Create PHP code"
See broken code
Expected behavior
There should exist no such button. Creation of PHP code should be the responsibility of the PHP developer, who will take care of proper parameterization and proper PHP/SQL syntax. The only benefit this button provides is the automatic addslashes, which actually creates invalid SQL.
SELECT * FROM `sequence` WHERE \'asd\' = \'foo\';
This button promotes insecure PHP coding practices, as inexperienced users may use it to create hardcoded queries and later replace the constant value with an interpolated PHP variable, creating SQL injection.
I suggest that this feature be removed from PMA in the next major version.
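An added example, written for this page and not code from phpMyAdmin or from the reporter, illustrating the two points the report makes: that a backslash-escaped quote survives inside a double-quoted PHP string and reaches the server as invalid SQL (the report does not say which quoting the button emits; double quotes are assumed here), and that swapping the hard-coded constant for an interpolated variable opens the query to injection while a prepared statement does not. The `sequence` table, its rows, the `findByName*` helpers and the payload are all constructed for the example; it runs offline against an in-memory SQLite database through PDO.

```php
<?php
// Added example (not phpMyAdmin's or the reporter's code).
// Runs offline: in-memory SQLite via PDO; table and rows constructed below.

declare(strict_types=1);

// 1. A string in the style of the reported output. Inside a double-quoted PHP
//    string, \' is not a recognised escape sequence, so the backslash is kept
//    literally and the SQL sent to the server contains \'asd\', which is a
//    syntax error. (Assumption: the generated code uses double quotes.)
$generated = "SELECT * FROM `sequence` WHERE \'asd\' = \'foo\';";
if (!str_contains($generated, "\\'asd\\'")) {
    throw new RuntimeException('expected the literal backslashes to survive');
}

// 2. The insecure pattern the report warns about: the hard-coded constant has
//    been swapped for an interpolated variable, so the caller's input becomes
//    part of the SQL text.
function findByNameVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM `sequence` WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3. The parameterized version: the value is bound separately and can never
//    change the structure of the statement.
function findByNameSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM `sequence` WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture: three rows, only one of which is named 'foo'.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE `sequence` (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO `sequence` (name) VALUES ('foo'), ('bar'), ('baz')");

// A classic tautology payload: closes the quoted literal, then makes the
// WHERE clause true for every row.
$payload = "x' OR '1'='1";

$leaked = findByNameVulnerable($pdo, $payload); // every row comes back
$safe   = findByNameSafe($pdo, $payload);       // no row is named x' OR '1'='1

printf("interpolated query returned %d row(s)\n", count($leaked));
printf("prepared statement returned %d row(s)\n", count($safe));
```

Run it with `php example.php` on any PHP 8 build with `pdo_sqlite` enabled. Swapping SQLite for MySQL changes only the DSN; the difference between the two helpers is the same on either server, which is the point the report is making about what the generated `$sql` string encourages.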