VYPR
Critical severity (9.8) · NVD Advisory · Published Jul 3, 2016 · Updated May 6, 2026

CVE-2016-5734

Description

phpMyAdmin 4.0.x before 4.0.10.16, 4.4.x before 4.4.15.7, and 4.6.x before 4.6.3 does not properly choose delimiters to prevent use of the preg_replace e (aka eval) modifier, which might allow remote attackers to execute arbitrary PHP code via a crafted string, as demonstrated by the table search-and-replace implementation.
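The defect the description names is mechanical: preg_quote() escapes regex metacharacters but leaves the pattern delimiter alone unless that delimiter is passed as its second argument, so a delimiter character inside the quoted value ends the pattern early and whatever follows it is read as modifiers. The helper below is an added example written for this page, not phpMyAdmin code; it scans PHP source for preg_quote() calls that pass no delimiter argument (the form the fix commits replace), tracking nested calls and string literals so commas inside them are not mistaken for argument separators, and runs over a constructed sample modelled on the pre- and post-fix lines.

```python
"""Audit helper for the defect class behind CVE-2016-5734: PHP preg_quote()
called without its delimiter argument. Added example, not phpMyAdmin code."""
import re

CALL = re.compile(r"\bpreg_quote\s*\(")

# Constructed PHP sample modelled on the advisory's pre-/post-fix lines.
SAMPLE = r"""
$quoted = preg_quote($parameter);                      // pre-fix: flag
$quoted = preg_quote($parameter, '/');                 // post-fix
$p = '/' . preg_quote(Util::backquote($db)) . '\./';   // pre-fix: flag
$ok = preg_match('@' . preg_quote($mime[$type . '_file'][$key]) . '3?@i', $x);
$this->expectOutputRegex('@' . preg_quote($warn, '@') . '@');
"""


def _count_args(src, start):
    """Count top-level arguments of the call whose '(' is at src[start];
    returns (count, index of the closing paren). Commas inside nested
    brackets or PHP string literals are not separators."""
    depth, quote, commas, i = 0, None, 0, start
    while i < len(src):
        ch = src[i]
        if quote:                              # inside a PHP string literal
            if ch == "\\":
                i += 1                         # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}":
            depth -= 1
            if depth == 0:                     # empty call -> 0 arguments
                return (commas + 1 if src[start + 1:i].strip() else 0), i
        elif ch == "," and depth == 1:
            commas += 1
        i += 1
    return commas + 1, len(src) - 1            # unterminated call


def find_unquoted_preg_quote(src):
    """Return [(line_number, call_text)] for each preg_quote() call passing
    exactly one argument, i.e. no delimiter (the CVE-2016-5734 pattern)."""
    findings = []
    for m in CALL.finditer(src):
        n_args, end = _count_args(src, m.end() - 1)
        if n_args == 1:
            findings.append((src.count("\n", 0, m.start()) + 1, src[m.start():end + 1]))
    return findings
```

Running it over a tree with `find . -name '*.php'` and feeding each file's contents to `find_unquoted_preg_quote()` lists every call site that still needs the delimiter argument; a remaining call is only safe if the quoted value can never contain the pattern's delimiter.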

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                              Affected versions          Patched versions
phpmyadmin/phpmyadmin (Packagist)    >= 4.0.10.0, < 4.0.10.16   4.0.10.16
phpmyadmin/phpmyadmin (Packagist)    >= 4.4.15.0, < 4.4.15.7    4.4.15.7
phpmyadmin/phpmyadmin (Packagist)    >= 4.6.0, < 4.6.3          4.6.3

Patches

2
1cc7466db3a0

Quote delimiter before using preg_replace

https://github.com/phpmyadmin/phpmyadmin · Michal Čihař · Jun 20, 2016 · via GHSA
5 files changed · +6 −6
  • import.php · +1 −1 · modified
    @@ -111,7 +111,7 @@
             && is_array($_REQUEST['parameters'])) {
             $parameters = $_REQUEST['parameters'];
             foreach ($parameters as $parameter => $replacement) {
    -            $quoted = preg_quote($parameter);
    +            $quoted = preg_quote($parameter, '/');
                 // making sure that :param does not apply values to :param1
                 $sql_query = preg_replace(
                     '/' . $quoted . '([^a-zA-Z0-9_])/',
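Review bot: The delimiter passed to preg_quote() ('/') must match the one opening the pattern on the following line, and it does; before this change a '/' inside a parameter name was left unescaped, ended the pattern early and let the rest of the name be read as modifiers. Since every changed call site in this commit pairs a delimiter with a hand-built pattern, a small helper that takes the delimiter once and builds both halves would keep the two from drifting apart in later edits.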
    
  • libraries/plugins/export/ExportSql.php · +1 −1 · modified
    @@ -1506,7 +1506,7 @@ public function getTableDef(
                  */
                 if ($view) {
                     $create_query = preg_replace(
    -                    '/' . preg_quote(Util::backquote($db)) . '\./',
    +                    '/' . preg_quote(Util::backquote($db), '/') . '\./',
                         '',
                         $create_query
                     );
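Review bot: Matches the '/' delimiter that opens the pattern, so a database name containing '/' can no longer end the pattern early. Nothing else in the hunk needs changing: `'\.'` in a single-quoted PHP string reaches PCRE as `\.`, so the trailing dot stays literal.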
    
  • libraries/Tracker.php · +1 −1 · modified
    @@ -903,7 +903,7 @@ static public function handleQuery($query)
     
                     // Cut off `dbname`. from query
                     $query = preg_replace(
    -                    '/`' . preg_quote($dbname) . '`\s?\./',
    +                    '/`' . preg_quote($dbname, '/') . '`\s?\./',
                         '',
                         $query
                     );
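Review bot: Same correction as in ExportSql.php, with the delimiter ('/') again matching the pattern. The backquotes surrounding the quoted name are literal pattern characters, not delimiters, so they offered no protection against a '/' in $dbname; the explicit delimiter argument is the right fix.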
    
  • templates/columns_definitions/transformation.phtml · +2 −2 · modified
    @@ -7,7 +7,7 @@
                 <?php
                     $checked = isset($columnMeta['Field'])
                              && isset($mime_map[$columnMeta['Field']][$type])
    -                         && preg_match('@' . preg_quote($available_mime[$type . '_file'][$mimekey]) . '3?@i',
    +                         && preg_match('@' . preg_quote($available_mime[$type . '_file'][$mimekey], '@') . '3?@i',
                                             $mime_map[$columnMeta['Field']][$type]) ? 'selected ' : '';
                     $tooltip = PMA_getTransformationDescription(
                         $available_mime[$type . '_file'][$mimekey]
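Review bot: The '@' passed to preg_quote() matches the '@…@i' pattern, so an '@' in a transformation file name no longer closes the pattern before the `3?@i` tail. The `3?` appended after the quoted name is not explained in the hunk; a one-line comment saying which names it is meant to match would help, because it reads like a stray character to anyone auditing this line.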
    @@ -24,4 +24,4 @@
                 </option>
             <?php endforeach; ?>
         <?php endif; ?>
    -</select>
    \ No newline at end of file
    +</select>
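Review bot: This hunk only adds the missing newline at end of file after `</select>`; harmless, but unrelated to the delimiter fix, and leaving it out of a security commit keeps the backports to the 4.0 and 4.4 branches named in the advisory smaller and easier to review.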
    
  • test/libraries/core/PMA_warnMissingExtension_test.php · +1 −1 · modified
    @@ -59,7 +59,7 @@ function testMissingExtensionFatal()
                 . '" target="Documentation"><em>' . $ext
                 . '</em></a> extension is missing. Please check your PHP configuration.';
     
    -        $this->expectOutputRegex('@' . preg_quote($warn) . '@');
    +        $this->expectOutputRegex('@' . preg_quote($warn, '@') . '@');
     
             PMA_warnMissingExtension($ext, true);
         }
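Review bot: Good to see the fix extended to the test helper: $warn holds HTML markup and the expected-output pattern uses '@' delimiters, so an '@' in the message would have mis-built the pattern. This test only exercises its own regex, though; a regression test that passes a name containing the delimiter character through one of the production call sites changed in this commit would guard against the same mistake being reintroduced.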
    
4bcc606225f1

Always use delimiter not present in search expression

https://github.com/phpmyadmin/phpmyadmin · Michal Čihař · Jun 20, 2016 · via GHSA
1 file changed · +14 −1
  • libraries/controllers/table/TableSearchController.php · +14 −1 · modified
    @@ -726,9 +726,22 @@ private function _getRegexReplaceRows(
             $result = $this->dbi->fetchResult($sql_query, 0);
     
             if (is_array($result)) {
    +            /* Iterate over possible delimiters to get one */
    +            $delimiters = array('/', '@', '#', '~', '!', '$', '%', '^', '&', '_');
    +            $found = false;
    +            for ($i = 0; $i < count($delimiters); $i++) {
    +                if (strpos($find, $delimiters[$i]) === false) {
    +                    $found = true;
    +                    break;
    +                }
    +            }
    +            if (! $found) {
    +                return false;
    +            }
    +            $find = $delimiters[$i] . $find . $delimiters[$i];
                 foreach ($result as $index=>$row) {
                     $result[$index][1] = preg_replace(
    -                    "/" . $find . "/",
    +                    $find,
                         $replaceWith,
                         $row[0]
                     );
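Review bot: Two gaps remain after the delimiter selection. First, a $find ending in an unescaped backslash (`abc\`) escapes the chosen closing delimiter, so preg_replace() emits a warning and returns null, and `$result[$index][1]` is silently set to null for every row; compiling the pattern once before the loop (for example `if (@preg_match($find, '') === false) { return false; }`) would turn that into the same explicit failure as the no-free-delimiter case. Second, the method now returns false where callers previously always received an array; please confirm the caller tests `=== false` rather than handing the result to foreach. The approach itself is right: $find is intentionally a user-supplied regular expression, so preg_quote() is not an option, and choosing a delimiter that does not occur in $find guarantees nothing in it can close the pattern or append a modifier. Minor: a `foreach ($delimiters as $delimiter)` with `break` would read more clearly than re-evaluating `count($delimiters)` each iteration and reusing `$i` after the loop.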
    
