phpMyAdmin used the $_REQUEST superglobal as a source for
its parameters, instead of $_GET and $_POST. This means that
on most servers, a cookie with the same name as one of
phpMyAdmin's parameters can interfere.
Another application could set a cookie for the root path
"/" with a "sql_query" name, therefore overriding the
user-submitted sql_query because by default, the $_REQUEST
superglobal imports first GET, then POST then COOKIE data.
Mitigation factor
An attacker must trick the victim into visiting a page on
the same web server where he has placed code that creates
a malicious cookie.