-3

phpMyAdmin 5.2.2 and 5.2.3 (possibly prior versions also) throw a 400 error when attempting to sort on a column in a table. I traced the problem to the inclusion of a line-feed in the sql_query parameter that is passed as part of the request URI. If I remove the encoded line-feed (%0A) from the sql_query parameter and re-issue the GET request, it works and returns results. I patched the getSingleAndMultiSortUrls() function in libraries/classes/Display/Results.php and now the sorting works as expected.

Many properly configured HTTPS servers treat percent-encoded control characters like %0A (LF) and %0D (CR) as dangerous because they can enable request smuggling / header-splitting tricks if decoded along the way, so they reject such URLs with 400. It looks like lighttpd (which is what I am using) enforces this and returns a 400, but it appears Apache2 out of the box does not. Perhaps the phpMyAdmin code should be updated to not include line-feed formatting in the sql_query parameter.

1 Answer

-1

For non-production servers, the following can be set to bypass the problem:

server.http-parseopts = ( "url-ctrls-reject" => "disable" )  

This is not recommended for production servers.
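An added example, not part of the original posts and not phpMyAdmin's or lighttpd's own code: a Python sketch that flags percent-encoded control characters in a request URL and removes line-feed formatting from a query before it is URL-encoded, so the strict server setting can stay enabled. The URL path, table and column names are constructed, and the control-character pattern is an assumed approximation of what a strict server rejects.

```python
import re
from urllib.parse import quote

# Percent-encoded C0 controls and DEL (%00-%1F, %7F) in a raw request target.
# Assumption: approximates a strict server's check, not lighttpd's own code.
_ENC_CTRL = re.compile(r"%(?:[01][0-9A-Fa-f]|7[Ff])")

# Constructed sample: formatted sort query, hypothetical table/column names.
SAMPLE_SQL = "SELECT * FROM `users`\nORDER BY `name` ASC"

def sort_url(sql):
    """Build a constructed request URL carrying sql in sql_query."""
    return "/index.php?sql_query=" + quote(sql, safe="")

def encoded_ctrls(raw_url):
    """Return the percent-encoded control characters found in raw_url."""
    return [m.group(0).upper() for m in _ENC_CTRL.finditer(raw_url)]

def flatten_sql(sql):
    """Replace CR/LF runs outside quoted text with one space.

    Quoted literals and identifiers are copied verbatim, and `-- ` / `#`
    line comments are dropped so that joining lines cannot comment out
    the rest of the statement. Block comments get no special handling.
    """
    out, i, n = [], 0, len(sql)
    while i < n:
        c = sql[i]
        if c in "'\"`":                       # quoted literal or identifier
            j = i + 1
            while j < n and sql[j] != c:
                # backslash escapes apply in '...' and "..." only
                j += 2 if sql[j] == "\\" and c != "`" else 1
            out.append(sql[i:j + 1])
            i = j + 1
        elif c == "#" or sql[i:i + 3].rstrip() == "--":   # line comment
            while i < n and sql[i] not in "\r\n":
                i += 1
        elif c in "\r\n":                     # formatting line break
            while i < n and sql[i] in "\r\n":
                i += 1
            out.append(" ")
        else:
            out.append(c)
            i += 1
    return "".join(out).strip()
```

A line feed inside a quoted literal is data rather than formatting, so it is preserved and would still be encoded as %0A; such a query is better sent in a POST body than in the URL.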
