1.) Install PHP script in the "setup" directory.
2.) Use Vendor override to set the location of the configuration file.
It is now possible to use phpMyAdmin's setup for configuration.
Based on a suggestion by Peter Avalos in private e-mail.
- bug #3521416 [interface] JS error when editing index
- bug #3521313 [core] Call to undefined function __()
- bug #3521016 [edit] NOW() function incorrectly selected
- bug [GUI] Invalid HTML code on transformation_overview.php
- bug #3522930 [browse] Missing validation in Ajax mode
- bug Fix popup message on build SQL of import
- bug #3523499 [core] Make X-WebKit-CSP work better
- replace Highcharts with jqplot for query profiling, zoom search
- bug #3531584 [interface] No form validation in change password dialog
- bug #3531585 [interface] Broken password validation in copy user form
- bug #3531586 [unterface] Add user form prints JSON when user presses enter
- bug #3534121 [config] duplicate line in config.sample.inc.php
- bug #3534311 [interface] Grid editing incorrectly parses ENUM/SET values
- bug #3510196 [core] More clever URL rewriting with ForceSSL
- browse-mode improvements
- grid editing
- remember recent tables
- remember last sort order by table
- flexible column width
- reorder columns
- more compact navigation bar
- AJAXification of many operations
- reorganised server status page, with server monitoring
- improved support for stored routines, events and triggers
- openGIS support
- zoom-search in table search
- Drizzle support
- improved ENUM/SET editor
- bug #3486970 [import] Exception on XML import
- bug #3488777 [navi] $cfg['ShowTooltipAliasTB'] and blank names in
navigation
- bug #3512565 [navi] Fixed missing word "Rows" in table list tooltip
after cli
- [security] Fixed local path disclosure vulnerability, see PMASA-2012-2
- bug #3460090 [interface] TextareaAutoSelect feature broken
- patch #3375984 [export] PHP Array export might generate invalid php code
- bug #3049209 [import] Import from ODS ignores cell that is the same as
cell before
- bug #3463933 [display] SELECT DISTINCT displays wrong total records found
- patch #3458944 [operations] copy table data missing
SET SQL_MODE='NO_AUTO_VALUE_ON_ZERO'
- bug #3469254 [edit] Setting data to NULL and drop-downs
- bug #3477063 [edit] Missing set fields and values in generated INSERT query
- bug #3460867 [libraries] license issue with TCPDF (updated to 5.9.145)
- bug #3442028 [edit] Inline editing enum fields with null shows
no dropdown
- bug #3442004 [interface] DB suggestion not correct for user with
underscore
- bug #3438420 [core] Magic quotes removed in PHP 5.4
- bug #3398788 [session] No feedback when result is empty
(signon auth_type)
- bug #3384035 [display] Problems regarding ShowTooltipAliasTB
- bug #3306875 [edit] Can't rename a database that contains views
- bug #3452506 [edit] Unable to move tables with triggers
- bug #3449659 [navi] Fast filter broken with table tree
- bug #3448485 [GUI] Firefox favicon frameset regression
- [core] Better compatibility with mysql extension
- [security] Self-XSS on export options (export server/database/table),
see PMASA-2011-20
- [security] Self-XSS in setup (host parameter), see PMASA-2011-19
- bug #3425230 [interface] enum data split at space char (more space to edit)
- bug #3426840 [interface] ENUM/SET editor can't handle commas in values
- bug #3427256 [interface] no links to browse/empty views and tables
- bug #3430377 [interface] Deleted search results remain visible
- bug #3428627 [import] ODS import ignores memory limits
- bug #3426836 [interface] Visual column separation
- bug #3428065 [parser] TRUE not recognized by parser
+ patch #3433770 [config] Make location of php-gettext configurable
- patch #3430291 [import] Handle conflicts in some open_basedir situations
- bug #3431427 [display] Dropdown results - setting NULL does not work
- patch #3428764 [edit] Inline edit on multi-server configuration
- patch #3437354 [core] Notice: Array to string conversion in PHP 5.4
- [interface] When ShowTooltipAliasTB is true, VIEW is wrongly shown as the
view name in main panel db Structure page
- bug #3439292 [core] Fail to synchronize column with name of keyword
- bug #3425156 [interface] Add column after drop
- [interface] Avoid showing the password in phpinfo()'s output
- bug #3441572 [GUI] 'newer version of phpMyAdmin' message not shown in IE8
- bug #3407235 [interface] Entering the key through a lookup window does not reset NULL
- [security] Self-XSS on database names (Synchronize), see PMASA-2011-18
- [security] Self-XSS on database names (Operations/rename), see PMASA-2011-18
- [security] Self-XSS on column type (Create index), see PMASA-2011-18
- [security] Self-XSS on column type (table Search), see PMASA-2011-18
- [security] Self-XSS on invalid query (table overview), see PMASA-2011-18
- bug #3418610 [interface] Links in navigation when
$cfg['MainPageIconic'] = false
- bug #3418849 [interface] Inline edit shows dropdowns even after closing
- bug [view] View renaming did not work
- bug [navi] Wrong icon for view (MySQL 5.5)
- bug #3420229 [doc] Missing documentation section
- bug #3423725 [pdf] Broken PDF file when exporting database to PDF
- [core] Allow to set language in URL
- bug #3425184 [doc] Fix links to PHP documentation
- bug #3426031 [export] Export to bzip2 is not working
Welcome to phpMyAdmin 3.4.6, a bugfix and minor security release.
Please refer to the upcoming PMASA-2011-15 and -16 announcements on
http://www.phpmyadmin.net/home_page/security/.
- bug #3375325 [interface] Page list in navigation frame looks odd
- bug #3313235 [interface] Error div misplaced
- bug #3374802 [interface] Comment on a column breaks inline editing
- patch #3383711 [display] Order by a column in a view doesn't work in
some cases
- bug #3386434 [interface] Add missing space to server status
- [core] Remove library PHPExcel, due to license issues
- [export] Remove native Excel export modules (xls and xlsx formats)
- [import] Remove native Excel import modules (xls and xlsx formats)
- bug #3392920 [edit] BLOB emptied after editing another column
- [security] Fixed XSS in Inline Edit on save action, see PMASA-2011-14
- [security] Fixed XSS with db/table/column names, see PMASA-2011-14
- bug #3323060 [parser] SQL parser breaks AJAX requests if query has
unclosed quotes
- bug #3323101 [parser] Invalid escape sequence in SQL parser
- bug #3348995 [config] $cfg['Export']['asfile'] set to false does not
select asText option
- bug #3340151 [export] Working SQL query exports error page
- bug #3353649 [interface] "Create an index on X columns" form not validated
- bug #3350790 [interface] JS error in Table->Structure->Index->Edit
- bug #3353811 [interface] Info message has "error" class
- bug #3357837 [interface] TABbing through a NULL field in the inline mode
resets NULL
- remove version number in /setup
- bug #3367993 [usability] Missing "Generate Password" button
- bug #3363221 [display] Missing Server Parameter on inline sql query
- bug #3367986 [navi] Drop field -> lost active table
- remove misleading comment on the "Rename database" interface
- bug #3374374 [interface] Fix footnote for inexact count while browsing
- bug #3372807 [interface] Fix security warning link in setup
- bug #3374347 [display] Backquotes in normal text on import page
- bug #3358750 [core] With Suhosin, urls are too long in edit links
- [security] Missing sanitization on the table, column and index names leads
to XSS vulnerabilities, see PMASA-2011-13
This is major feature update which requires at least PHP 5.2.0 and
MySQL 5.0. It features a new user interface and uses MySQL for
authentication and access control.
The update was necessary as "phpmyadmin" 2.11 is no longer supported:
http://sourceforge.net/news/?group_id=23067&id=301992
Changes since version 2.11.10:
- [setup] Fixed output sanitizing in setup script, see PMASA-2010-4 for
more details.
- [core] Fixed various XSS issues, see PMASA-2010-5 for more details.
Changes since version 2.11.9.6:
- [core] safer handling of temporary files with open_basedir
(thanks to Thijs Kinkhorst)
- [core] do not automatically set and create TempDir, it might lead to
security issue (thanks to Thijs Kinkhorst)
- [setup] avoid usage of (un)serialize, what might be unsafe in some cases
This fixes the security vulnerabilities reported in PMASA-2010-1,
PMASA-2010-2 and PMASA-2010-3.
- bug #2031221 [auth] Links to version number on login screen
- bug #2032707 [core] PMA does not start if ini_set() is disabled
- bug #2004915 [bookmarks] Saved queries greater than 1000 chars
not displayed
- bug #2037381 [export] Export type "replace" does not work
- bug #2037375 [export] DROP PROCEDURE needs IF EXISTS
- bug #2045512 [export] Numbers in Excel export
+ [lang] Norwegian UTF-8 original file remerged
- bug #2074250 [parser] Undefined variable seen_from
- [security] Code execution vulnerability
This update fixes the security vulnerability reported in PMASA-2008-7.
- patch #1987593 [interface] Table list pagination in navi
- bug #1989081 [profiling] Profiling causes query to be executed again
(really causes a problem in case of INSERT/UPDATE)
- bug #1990342 [import] SQL file import very slow on Windows
- bug [XHTML] problem with tabindex and radio fields
- bug #1971221 [interface] tabindex not set correctly
- bug [views] VIEW name created via the GUI was not protected
with backquotes
- bug #1989813 [interface] Deleting multiple views (space in name)
- bug #1992628 [parser] SQL parser removes essential space
- bug #1989281 [export] CSV for MS Excel incorrect escaping of
double quotes
- bug #1959855 [interface] Font size option problem when no
config file
- bug #1982489 [relation] Relationship view should check for changes
- bug [history] Do not save too big queries in history
- [security] Do not show version info on login screen
- bug #2018595 [import] Potential data loss on import resubmit
- patch #2020630 [export] Safari and timedate
- bug #2022182 [import, export] Import/Export fails because of
Mac files
- [security] protection against cross-frame scripting and
new directive AllowThirdPartyFraming
- [security] possible XSS during setup
- [interface] revert language changing problem introduced
with 2.11.7.1
- small fix for notice about "lang"
This update fixes the security vulnerability reported in PMASA-2008-6.
- bug #1908719 [interface] New field cannot be auto-increment and
primary key
- [dbi] Incorrect interpretation for some mysqli field flags
- bug #1910621 [display] part 1: do not display a TEXT utf8_bin
as BLOB (fixed for mysqli extension only)
- [interface] sanitize the after_field parameter,
thanks to Norman Hippert
- [structure] do not remove the BINARY attribute in drop-down
- bug #1955386 [session] Overriding session.hash_bits_per_character
- [interface] sanitize the table comments in table print view,
thanks to Norman Hippert
- bug #1939031 Auto_Increment selected for TimeStamp by Default
- patch #1957998 [display] No tilde for InnoDB row counter when
we know it for sure, thanks to Vladyslav Bakayev - dandy76
- bug #1955572 [display] alt text causes duplicated strings
- bug #1762029 [interface] Cannot upload BLOB into existing row
- bug #1981043 [export] HTML in exports getting corrupted,
thanks to Jason Judge - jasonjudge
- bug #1936761 [interface] BINARY not treated as BLOB:
update/delete issues
- protection against XSS when register_globals is on and .htaccess
has no effect, thanks to Tim Starling
- bug #1996943 [export] Firefox 3 and .sql.gz (corrupted);
detect Gecko 1.9, thanks to Juergen Wind
- (2.11.7.1) [security] XSRF/CSRF by manipulating the db,
convcharset and collation_connection parameters,
thanks to YGN Ethical Hacker Group
This update fixes the security vulnerability reported in PMASA-2008-5.
- bug #1908719 [interface] New field cannot be auto-increment and
primary key
- [dbi] Incorrect interpretation for some mysqli field flags
- bug #1910621 [display] part 1: do not display a TEXT utf8_bin
as BLOB (fixed for mysqli extension only)
- [interface] sanitize the after_field parameter,
thanks to Norman Hippert
- [structure] do not remove the BINARY attribute in drop-down
- bug #1955386 [session] Overriding session.hash_bits_per_character
- [interface] sanitize the table comments in table print view,
thanks to Norman Hippert
- bug #1939031 Auto_Increment selected for TimeStamp by Default
- patch #1957998 [display] No tilde for InnoDB row counter when
we know it for sure, thanks to Vladyslav Bakayev - dandy76
- bug #1955572 [display] alt text causes duplicated strings
- bug #1762029 [interface] Cannot upload BLOB into existing row
- bug #1981043 [export] HTML in exports getting corrupted,
thanks to Jason Judge - jasonjudge
- bug #1936761 [interface] BINARY not treated as BLOB:
update/delete issues
- protection against XSS when register_globals is on and .htaccess
has no effect, thanks to Tim Starling
- bug #1996943 [export] Firefox 3 and .sql.gz (corrupted);
detect Gecko 1.9, thanks to Juergen Wind
- bug #1903724 [interface] Displaying of very large queries
in error message
- bug #1905711 [compatibility] Functions deprecated in PHP 5.3:
is_a() and get_magic_quotes_gpc()
- bug [lang] catalan wrong accented characters
- bug #1893034 [Export] SET NAMES for importing with command-line
client
+ [lang] Russian update
- bug #1910485 [core] Unsetting the whitelist during the loop
- bug #1906980 [Export] Import of VIEWs fails if temp table exists
- bug #1812763 [Copy] Table copy when server is in ANSI_QUOTES
sql_mode
- bug #1918531 [compatibility] Navigation isn't w3.org valid
- bug #1926357 [data] BIT defaults displayed incorrectly
- patch #1930057 [auth] colon in password prevents HTTP login
on CGI/IIS
- patch #1929553 [lang] Don't output BOM character in Swedish
language file
- patch #1895796 [lang] Typo in Japanese lang files
- bug #1935652 [auth] Access denied (show warning about mcrypt
on login page)
- bug #1906983 [export] Reimport of FUNCTION fails
- bug #1919808 [operations] Renaming a database fails to handle
functions
- bug #1934401 [core] Cannot force a language
- bug #1944077 [core] Config file containing a BOM
- bug #1947189 [scripts] Missing head tag in scripts/signon.php
+ [lang] Romanian update
The new version fixes several bugs including the cross site scripting
vulnerability reported in PMASA-2007-8 and the SQL inject vulnerability
report in PMASA-2008-1.
Change since version 2.10.2:
- creating VIEWs from query results
- managing triggers, procedures and functions
- supports MySQL 5.0.37 query profiling
- improved interface for servers hosting thousands of databases and tables.
- security fixes for PMASA-2007-5, PMASA-2007-6 and PMASA-2007-7
Changes since version 2.9.1.1 (literal quote from the home page):
Version 2.9.2-rc1 contains some security fixes (an advisory will be
published when releasing 2.9.2) and other fixes.
Changes since version 2.9.0.3:
- Security fixes
- Wrong import when ;; is at buffer boundary
- Duplicate id for checkbox on table Operations page
- Better behavior on the Add new fields page
- Export: csv/cvs typo
- Renaming a db containing a view
- Automated timestamp values
- Import: correctly fail if file is too short
- Default font family on original theme
Changes since version 2.8.0.4:
- XSS vulnerability from requests not containing a token
- Reenable XML option in Export
- State in documentation that your browser must accept cookies
- CVS link was broken on main page
- Adding a user with password containing a backslash
- Removing a default value
- Setup script: compatibility with security tokens
- Setup script: detection of writable config
- Reading the database list with MySQL wildcards
Changes since version 2.8.0.2:
- XSS vulnerability (set_theme)
- mysqli problems with zend.ze1_compatibility_mode enabled
- setup script did not save the mysql/mysqli extension
- XSS vulnerability (calling directly css files under themes)
Changes since version 2.8.0.1:
- XSS vulnerability (set_theme)
- mysqli problems with zend.ze1_compatibility_mode enabled
- setup script did not save the mysql/mysqli extension
Package source related changes:
- incooperate fix for phpMyAdmin bug #1436279 to make the package usable
with Safari under Mac OS X again
2.6.4-pl4:
- New plugin-based import module
- Some pages now use fieldsets for better look
- Better support for information_schema
- Upgrade script new options
- Better displaying of privileges when there are differences between the
various user definition tables
- Structure: count unique value for each field
- Can now limit the list of shown languages
- User-specific upload and save server directories
- Remove Drop tab for mysql database
- New transformation: SQL pretty printing
- Ability to limit maximum size of extended insert
- Support for searching in the foreign key window
- Can now replace an existing bookmark
- New shortcuts for IP rules
- Detect lack of privileges for "Create new table"
- Wrong display of localized MySQL error messages
- Need to select the primary key for MIME-based print view
- Handling of ENTER key when adding fields
- InnoDB: truncating icon and exact row count
- After dropping a db, links were missing
- Strict mode and auto-increment fields insertion
- Collation change for ENUM and SET
- Display problems on special characters in column name
- Links for MySQL documentation
- Escaping of "_"
- Could not edit privileges when different host in db and user
- Changing auto-increment value for InnoDB
- Correct sort order for foreign-key dropdowns
- Group database by rightmost separator
- Performance problem when inserting huge BLOBs
- Calendar popup and time beginning by 0
This update fixes the security vulnerabilities reported in PMASA-2005-8
and PMASA-2005-9.
