The phpMyAdmin team announced the release of phpMyAdmin versions 4.9.6 and 5.0.3. Both versions come with several important security fixes, including PMASA-2020-5, an XSS vulnerability in the transformation feature, and PMASA-2020-6, an SQL injection vulnerability in the search feature.
Security and bug fixes
In addition to security fixes, phpMyAdmin 5.0.3 has many bug fixes. Some of the highlights include:
- Fix an error message about htmlspecialchars() when attempting to export XML
- Support double-tapping to edit on mobile
- Fix the error message “Use of undefined constant MYSQLI_TYPE_JSON” when using mysqlnd
- Fix fatal JS error on index creation after using the Enter key to submit the form
- Fix “axis-order” to swap latitude and longitude on MySQL 8.1 or newer
- Fix an error when overwriting an existing query bookmark
- Fix some warnings that appear with PHP 8
- Fix alter user privileges query when editing an account with MySQL 8.0.11 and newer
- Fix issues regarding TIMESTAMP columns with default CURRENT_TIMESTAMP in MySQL 8.0.13 and newer
- Fix a message that “Warning: error_reporting() has been disabled for security reasons” on PHP 7.x
A bug affecting all PHP applications
In terms of known shortcomings, PHP versions prior to 7.4 are unable to authenticate to a MySQL 8.0 or newer server because of the changes in the MySQL authentication method. This relates to a PHP bug, and the phpMyAdmin team's workaround is to set your user account to use the current-style password hash method, mysql_native_password.
It should be noted that this unfortunate lack of coordination has caused the incompatibility to affect all PHP applications, not just phpMyAdmin. The phpMyAdmin team suggests that users upgrade their PHP installations to take advantage of the upgraded authentication methods.
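The workaround described above, scoped to a single account and reverted once PHP is upgraded, as an added example that is not part of the phpMyAdmin announcement. The account name 'pma_app'@'localhost' and the password value are hypothetical placeholders.

```sql
-- Added example: 'pma_app'@'localhost' and the password are placeholders.

-- 1. List which authentication plugin each account uses. On MySQL 8.0 new
--    accounts default to caching_sha2_password, the method the page says
--    PHP versions prior to 7.4 cannot authenticate with.
SELECT user, host, plugin
FROM mysql.user
ORDER BY plugin, user;

-- 2. Switch only the account the older PHP application logs in with.
--    Every other account keeps the newer default plugin.
ALTER USER 'pma_app'@'localhost'
  IDENTIFIED WITH mysql_native_password BY 'REPLACE_WITH_STRONG_PASSWORD';

-- 3. Confirm the change applied to that account and nothing else.
SELECT user, host, plugin
FROM mysql.user
WHERE user = 'pma_app' AND host = 'localhost';

-- 4. After PHP has been upgraded to 7.4 or newer, move the account back
--    to the newer authentication method.
ALTER USER 'pma_app'@'localhost'
  IDENTIFIED WITH caching_sha2_password BY 'REPLACE_WITH_STRONG_PASSWORD';
```

Run the statements as an administrative user; changing the plugin re-hashes the password, so the `BY` clause must supply the password the application will use.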