
"Create PHP code" creates broken code and encourages SQL injection

Open kamil-tekiela opened this issue 2 years ago • 1 comment

Describe the bug

There exists a button that enables the user to convert an SQL query into a PHP variable. When you click "Create PHP code" a box will show up with PHP code containing a single variable called $sql which has a value assigned of the SQL being executed earlier.

To Reproduce

Steps to reproduce the behavior:

  1. Go to browse table
  2. Add a WHERE 'asd' = 'foo' clause
  3. Click on "Create PHP code"
  4. See broken code

Expected behavior

There should exist no such button. Creation of PHP code should be the responsibility of the PHP developer who will take care of proper parameterization and proper PHP/SQL syntax. The only benefit this button provides is the automatic addslashes which actually creates invalid SQL.

SELECT * FROM `sequence` WHERE \'asd\' = \'foo\';

This button promotes insecure PHP coding practices as inexperienced users may use this to create hardcoded queries and later replace the constant value with interpolated PHP variable creating SQL injection.

I suggest that this feature be removed from PMA in the next major version.

kamil-tekiela avatar Apr 06 '24 16:04 kamil-tekiela

We should switch to pdo for examples

williamdes avatar Apr 06 '24 16:04 williamdes
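Added illustration of the two points raised in this thread (the addslashes output being broken SQL, and the prepared-statement alternative williamdes mentions). This is example code written for this page, not phpMyAdmin's own code. It assumes the generated snippet is a double-quoted PHP literal, which is consistent with the backslash-escaped output quoted in the issue, and it uses a constructed `sequence` table with a `name` column in an in-memory SQLite database (pdo_sqlite) so it runs without a MySQL server.

```php
<?php
declare(strict_types=1);

// Constructed example for this issue; not phpMyAdmin code.
// An in-memory SQLite database stands in for MySQL so the script runs offline.

// Table and column names are constructed for this example.
function makeDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE `sequence` (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO `sequence` (name) VALUES ('foo'), ('O''Brien')");
    return $pdo;
}

// What an addslashes()-based generator emits (assumed here to wrap the query in a
// double-quoted literal). In a double-quoted PHP string "\'" is not an escape
// sequence, so the backslashes survive into the SQL text that gets executed.
function generatedSnippet(string $query): string
{
    return '$sql = "' . addslashes($query) . '";';
}

// The pattern the issue warns about: a copied literal with a constant value later
// replaced by an interpolated variable. Any quote in the value becomes SQL syntax.
function interpolatedQuery(string $value): string
{
    return "SELECT * FROM `sequence` WHERE name = '$value';";
}

// The alternative from the thread: a PDO prepared statement keeps the value out of
// the SQL text entirely, so quotes in the value are data rather than syntax.
function fetchByName(PDO $pdo, string $value): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM `sequence` WHERE name = :name');
    $stmt->execute([':name' => $value]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = makeDb();

// Reproduces the escaped output shown in the issue.
echo generatedSnippet("SELECT * FROM `sequence` WHERE 'asd' = 'foo';"), PHP_EOL;

// A perfectly ordinary value with an apostrophe breaks the interpolated query;
// the same property is what makes it injectable once the value is user-controlled.
try {
    $pdo->query(interpolatedQuery("O'Brien"));
    echo 'interpolated: unexpectedly succeeded', PHP_EOL;
} catch (PDOException $e) {
    echo 'interpolated: ', $e->getMessage(), PHP_EOL;
}

// The prepared statement returns the matching row without any escaping by hand.
var_dump(fetchByName($pdo, "O'Brien"));
```

Running it prints the generated snippet with the stray backslashes, a syntax error from the interpolated query, and the `O'Brien` row from the prepared query. The contrast is the whole point of the thread: escaping the literal at generation time neither produces valid SQL nor protects the later version of the code, whereas parameterization does both.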