SQL injection

As the whole purpose of phpMyAdmin is to perform SQL queries, this is not our first concern. SQL injection is sensitive to us, though, when it concerns the MySQL control connection. This control connection can have additional privileges which the logged-in user does not possess, e.g. access to the phpMyAdmin configuration storage.

User data that is included in (administrative) queries should always be run through DatabaseInterface::escapeString().
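The following is an added illustration, not phpMyAdmin's own code: it shows the vulnerable and the hardened way of splicing a user-supplied value into a query that will run over the control connection. Because the example has to run without a MySQL server, `escapeStringStandIn()` stands in for `DatabaseInterface::escapeString()` and escapes the same characters that `mysqli_real_escape_string()` handles; the table and column names, the `countUnescapedQuotes()` check and the sample input are all constructed for this example.

```php
<?php
declare(strict_types=1);

// Stand-in for DatabaseInterface::escapeString() (assumption: same character
// set as mysqli_real_escape_string()), so this file runs without a server.
function escapeStringStandIn(string $value): string
{
    return strtr($value, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

// Vulnerable form: user-controlled values spliced straight into a query that
// is meant for the control connection. (Table and column names are constructed.)
function buildLookupUnsafe(string $username, string $label): string
{
    return "SELECT id FROM `phpmyadmin`.`config_storage`"
        . " WHERE username = '" . $username
        . "' AND label = '" . $label . "'";
}

// Hardened form: every user-controlled value is escaped before it is spliced,
// which is what the page requires for administrative queries.
function buildLookupSafe(string $username, string $label): string
{
    return "SELECT id FROM `phpmyadmin`.`config_storage`"
        . " WHERE username = '" . escapeStringStandIn($username)
        . "' AND label = '" . escapeStringStandIn($label) . "'";
}

// Review check: count single quotes that are not preceded by a backslash.
// A query built with N string literals should contain exactly 2 * N of them;
// any surplus means user data has changed the statement's structure.
function countUnescapedQuotes(string $sql): int
{
    return preg_match_all("/(?<!\\\\)'/", $sql);
}

function literalStructureIntact(string $sql, int $literalCount): bool
{
    return countUnescapedQuotes($sql) === 2 * $literalCount;
}

// Constructed input: a perfectly legitimate label that contains apostrophes.
$label = "O'Brien's report";

$unsafe = buildLookupUnsafe('alice', $label);
$safe   = buildLookupSafe('alice', $label);

printf("unsafe: %s\n  structure intact: %s\n",
    $unsafe, literalStructureIntact($unsafe, 2) ? 'yes' : 'no');
printf("safe:   %s\n  structure intact: %s\n",
    $safe, literalStructureIntact($safe, 2) ? 'yes' : 'no');
```

Run it with `php example.php`. The unsafe builder leaks the apostrophes from the label into the statement, so the query no longer has the two literals the code intended; the escaped builder keeps them as `\'` inside the literal. Note that escaping only protects values that sit inside quoted string literals: database, table and column names that come from the user need identifier quoting instead, and numeric positions need a cast, so the rule on this page is necessary but not sufficient on its own.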

See also

SQL injection on Wikipedia