github.com/phpmyadmin/phpmyadmin.git - Unnamed repository; edit this file 'description' to name the repository.
authorIsaac Bennetch <bennetch@gmail.com>2020-10-09 06:06:08 +0300
committerGitHub <noreply@github.com>2020-10-09 06:06:08 +0300
commitdeb2dce644bef9fabb7fb8fd2a560df420f9dab9 (patch)
tree8419d1425b95dfa26739928e8a884d0ba8457a0c /libraries
parent89f552afb7670614e1f8ccce608b2d58211051ef (diff)
parentd09ab9bc9d634ad08b866d42bb8c4109869d38d2 (diff)
Merge pull request #319 from phpmyadmin/sec/318
Check where clause signature in TableSearchController
Diffstat (limited to 'libraries')
-rw-r--r--libraries/classes/Controllers/Table/TableSearchController.php9
1 files changed, 8 insertions, 1 deletions
diff --git a/libraries/classes/Controllers/Table/TableSearchController.php b/libraries/classes/Controllers/Table/TableSearchController.php
index 16ed3fe1fd..e9f1e48e05 100644
--- a/libraries/classes/Controllers/Table/TableSearchController.php
+++ b/libraries/classes/Controllers/Table/TableSearchController.php
@@ -8,6 +8,7 @@
namespace PhpMyAdmin\Controllers\Table;
use PhpMyAdmin\Controllers\TableController;
+use PhpMyAdmin\Core;
use PhpMyAdmin\DatabaseInterface;
use PhpMyAdmin\Relation;
use PhpMyAdmin\Sql;
@@ -345,13 +346,15 @@ class TableSearchController extends TableController
);
//Append it to row array as where_clause
$row['where_clause'] = $uniqueCondition[0];
+ $row['where_clause_sign'] = Core::signSqlQuery($uniqueCondition[0]);
$tmpData = array(
$_POST['criteriaColumnNames'][0] =>
$row[$_POST['criteriaColumnNames'][0]],
$_POST['criteriaColumnNames'][1] =>
$row[$_POST['criteriaColumnNames'][1]],
- 'where_clause' => $uniqueCondition[0]
+ 'where_clause' => $uniqueCondition[0],
+ 'where_clause_sign' => Core::signSqlQuery($uniqueCondition[0])
);
$tmpData[$dataLabel] = ($dataLabel) ? $row[$dataLabel] : '';
$data[] = $tmpData;
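Review bot: The signature for `$uniqueCondition[0]` is computed twice, once for `$row['where_clause_sign']` and again for the `'where_clause_sign'` entry of `$tmpData`; the second could reuse the first, `'where_clause_sign' => $row['where_clause_sign']`, so the two values cannot drift apart if one call is later changed. A short comment above the first assignment, for example `// Signed so getDataRowAction() can verify the clause was issued by the server`, would tell maintainers that the signature must always travel with the clause. The enclosing method starts and ends outside the hunk.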
@@ -419,6 +422,10 @@ class TableSearchController extends TableController
*/
public function getDataRowAction()
{
+ if (! Core::checkSqlQuerySignature($_POST['where_clause'], $_POST['where_clause_sign'])) {
+ return;
+ }
+
$extra_data = array();
$row_info_query = 'SELECT * FROM ' . Util::backquote($_POST['db']) . '.'
. Util::backquote($_POST['table']) . ' WHERE ' . $_POST['where_clause'];
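Review bot: The new guard in `getDataRowAction()` reads `$_POST['where_clause']` and `$_POST['where_clause_sign']` without checking that they are present, so a request missing either one raises an undefined-index notice and passes null to `Core::checkSqlQuerySignature()`; `if (! isset($_POST['where_clause'], $_POST['where_clause_sign']) || ! Core::checkSqlQuerySignature($_POST['where_clause'], $_POST['where_clause_sign'])) {` rejects it cleanly. The bare `return;` gives the AJAX caller no error to display and leaves no trace of a rejected request, so reporting a failure on the response before returning would help, if this controller has one available. As far as the hunk shows, the signature covers only the where clause, while `$_POST['db']` and `$_POST['table']` in the query below are backquoted but unsigned; it is worth confirming that this is intended. The method body continues outside the hunk.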