search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Installer Class missing array variable check
[openemr.git] / phpmyadmin / libraries / check_user_privileges.lib.php
blob1164e76efb100816cf02bfdece63a6342a514994
1 <?php
2 /* vim: set expandtab sw=4 ts=4 sts=4: */
3 /**
4 * Get user's global privileges and some db-specific privileges
5 * ($controllink and $userlink are links to MySQL defined in the "common.inc.php" library)
6 * Note: if no controluser is defined, $controllink contains $userlink
7 *
8 * @version $Id$
9 */
10 if (! defined('PHPMYADMIN')) {
11 exit;
12 }
13
14 /**
15 *
16 */
17 $is_create_db_priv = false;
18 $is_process_priv = true;
19 $is_reload_priv = false;
20 $db_to_create = '';
21 $dbs_where_create_table_allowed = array();
22
23 // We were trying to find if user if superuser with 'USE mysql'
24 // but users with the global priv CREATE TEMPORARY TABLES or LOCK TABLES
25 // can do a 'USE mysql' (even if they cannot see the tables)
26 $is_superuser = PMA_isSuperuser();
27
28 function PMA_analyseShowGrant($rs_usr, &$is_create_db_priv, &$db_to_create, &$is_reload_priv, &$dbs_where_create_table_allowed) {
29
30 $re0 = '(^|(\\\\\\\\)+|[^\])'; // non-escaped wildcards
31 $re1 = '(^|[^\])(\\\)+'; // escaped wildcards
32 while ($row = PMA_DBI_fetch_row($rs_usr)) {
33 $show_grants_dbname = substr($row[0], strpos($row[0], ' ON ') + 4, (strpos($row[0], '.', strpos($row[0], ' ON ')) - strpos($row[0], ' ON ') - 4));
34 $show_grants_dbname = ereg_replace('^`(.*)`', '\\1', $show_grants_dbname);
35 $show_grants_str = substr($row[0], 6, (strpos($row[0], ' ON ') - 6));
36 if ($show_grants_str == 'RELOAD') {
37 $is_reload_priv = true;
38 }
39 /**
40 * @todo if we find CREATE VIEW but not CREATE, do not offer
41 * the create database dialog box
42 */
43 if (($show_grants_str == 'ALL') || ($show_grants_str == 'ALL PRIVILEGES') || ($show_grants_str == 'CREATE') || strpos($show_grants_str, 'CREATE,') !== false) {
44 if ($show_grants_dbname == '*') {
45 // a global CREATE privilege
46 $is_create_db_priv = true;
47 $is_reload_priv = true;
48 $db_to_create = '';
49 $dbs_where_create_table_allowed[] = '*';
50 break;
51 } else {
52 // this array may contain wildcards
53 $dbs_where_create_table_allowed[] = $show_grants_dbname;
54
55 // before MySQL 4.1.0, we cannot use backquotes around a dbname
56 // for the USE command, so the USE will fail if the dbname contains
57 // a "-" and we cannot detect if such a db already exists;
58 // since 4.1.0, we need to use backquotes if the dbname contains a "-"
59 // in a USE command
60
61 if (PMA_MYSQL_INT_VERSION > 40100) {
62 $dbname_to_test = PMA_backquote($show_grants_dbname);
63 } else {
64 $dbname_to_test = $show_grants_dbname;
65 }
66
67 if ((ereg($re0 . '%|_', $show_grants_dbname)
68 && !ereg('\\\\%|\\\\_', $show_grants_dbname))
69 // does this db exist?
70 || (!PMA_DBI_try_query('USE ' . ereg_replace($re1 .'(%|_)', '\\1\\3', $dbname_to_test), null, PMA_DBI_QUERY_STORE)
71 && substr(PMA_DBI_getError(), 1, 4) != 1044)
72 ) {
73 $db_to_create = ereg_replace($re0 . '%', '\\1...', ereg_replace($re0 . '_', '\\1?', $show_grants_dbname));
74 $db_to_create = ereg_replace($re1 . '(%|_)', '\\1\\3', $db_to_create);
75 $is_create_db_priv = true;
76
77 /**
78 * @todo collect $db_to_create into an array, to display a
79 * drop-down in the "Create new database" dialog
80 */
81 // we don't break, we want all possible databases
82 //break;
83 } // end if
84 } // end elseif
85 } // end if
86 } // end while
87 } // end function
88
89 // Detection for some CREATE privilege.
90
91 // Since MySQL 4.1.2, we can easily detect current user's grants
92 // using $userlink (no control user needed)
93 // and we don't have to try any other method for detection
94
95 if (PMA_MYSQL_INT_VERSION >= 40102) {
96 $rs_usr = PMA_DBI_try_query('SHOW GRANTS', $userlink, PMA_DBI_QUERY_STORE);
97 if ($rs_usr) {
98 PMA_analyseShowGrant($rs_usr, $is_create_db_priv, $db_to_create, $is_reload_priv, $dbs_where_create_table_allowed);
99 PMA_DBI_free_result($rs_usr);
100 unset($rs_usr);
101 }
102 } else {
103
104 // Before MySQL 4.1.2, we first try to find a priv in mysql.user. Hopefuly
105 // the controluser is correctly defined; but here, $controllink could contain
106 // $userlink so maybe the SELECT will fail
107
108 if (!$is_create_db_priv) {
109 $res = PMA_DBI_query('SELECT USER();', null, PMA_DBI_QUERY_STORE);
110 list($mysql_cur_user_and_host) = PMA_DBI_fetch_row($res);
111 $mysql_cur_user = substr($mysql_cur_user_and_host, 0, strrpos($mysql_cur_user_and_host, '@'));
112
113 $local_query = 'SELECT Create_priv, Reload_priv FROM mysql.user WHERE ' . PMA_convert_using('User') . ' = ' . PMA_convert_using(PMA_sqlAddslashes($mysql_cur_user), 'quoted') . ' OR ' . PMA_convert_using('User') . ' = ' . PMA_convert_using('', 'quoted') . ';';
114 $rs_usr = PMA_DBI_try_query($local_query, $controllink, PMA_DBI_QUERY_STORE); // Debug: or PMA_mysqlDie('', $local_query, false);
115 if ($rs_usr) {
116 while ($result_usr = PMA_DBI_fetch_assoc($rs_usr)) {
117 if (!$is_create_db_priv) {
118 $is_create_db_priv = ($result_usr['Create_priv'] == 'Y');
119 }
120 if (!$is_reload_priv) {
121 $is_reload_priv = ($result_usr['Reload_priv'] == 'Y');
122 }
123 } // end while
124 PMA_DBI_free_result($rs_usr);
125 unset($rs_usr, $result_usr);
126 if ($is_create_db_priv) {
127 $dbs_where_create_table_allowed[] = '*';
128 }
129 } // end if
130 } // end if
131
132 // If the user has Create priv on a inexistant db, show him in the dialog
133 // the first inexistant db name that we find, in most cases it's probably
134 // the one he just dropped :)
135 if (!$is_create_db_priv) {
136 $local_query = 'SELECT DISTINCT Db FROM mysql.db WHERE ' . PMA_convert_using('Create_priv') . ' = ' . PMA_convert_using('Y', 'quoted') . ' AND (' . PMA_convert_using('User') . ' = ' .PMA_convert_using(PMA_sqlAddslashes($mysql_cur_user), 'quoted') . ' OR ' . PMA_convert_using('User') . ' = ' . PMA_convert_using('', 'quoted') . ');';
137
138 $rs_usr = PMA_DBI_try_query($local_query, $controllink, PMA_DBI_QUERY_STORE);
139 if ($rs_usr) {
140 $re0 = '(^|(\\\\\\\\)+|[^\])'; // non-escaped wildcards
141 $re1 = '(^|[^\])(\\\)+'; // escaped wildcards
142 while ($row = PMA_DBI_fetch_assoc($rs_usr)) {
143 $dbs_where_create_table_allowed[] = $row['Db'];
144 if (ereg($re0 . '(%|_)', $row['Db'])
145 || (!PMA_DBI_try_query('USE ' . ereg_replace($re1 . '(%|_)', '\\1\\3', $row['Db'])) && substr(PMA_DBI_getError(), 1, 4) != 1044)) {
146 $db_to_create = ereg_replace($re0 . '%', '\\1...', ereg_replace($re0 . '_', '\\1?', $row['Db']));
147 $db_to_create = ereg_replace($re1 . '(%|_)', '\\1\\3', $db_to_create);
148 $is_create_db_priv = true;
149 break;
150 } // end if
151 } // end while
152 PMA_DBI_free_result($rs_usr);
153 unset($rs_usr, $row, $re0, $re1);
154 } else {
155 // Finally, let's try to get the user's privileges by using SHOW
156 // GRANTS...
157 // Maybe we'll find a little CREATE priv there :)
158 $rs_usr = PMA_DBI_try_query('SHOW GRANTS FOR ' . $mysql_cur_user_and_host . ';', $controllink, PMA_DBI_QUERY_STORE);
159 if (!$rs_usr) {
160 // OK, now we'd have to guess the user's hostname, but we
161 // only try out the 'username'@'%' case.
162 $rs_usr = PMA_DBI_try_query('SHOW GRANTS FOR ' . PMA_convert_using(PMA_sqlAddslashes($mysql_cur_user), 'quoted') . ';', $controllink, PMA_DBI_QUERY_STORE);
163 }
164 unset($local_query);
165 if ($rs_usr) {
166 PMA_analyseShowGrant($rs_usr, $is_create_db_priv, $db_to_create, $is_reload_priv, $dbs_where_create_table_allowed);
167 PMA_DBI_free_result($rs_usr);
168 unset($rs_usr);
169 } // end if
170 } // end elseif
171 } // end if
172 } // end else (MySQL < 4.1.2)
173
174 // If disabled, don't show it
175 if (!$cfg['SuggestDBName']) {
176 $db_to_create = '';
177 }
178 ?>
Mirror of official OpenEMR Sourceforge repository