search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Properly escape names in PMA_isView
[phpmyadmin.git] / db_search.php
bloba91bf875218f9d7358d6be3581411f870d140984
1 <?php
2 /* vim: set expandtab sw=4 ts=4 sts=4: */
3 /**
4 * searchs the entire database
5 *
6 * @todo make use of UNION when searching multiple tables
7 * @todo display executed query, optional?
8 * @uses $cfg['UseDbSearch']
9 * @uses $GLOBALS['db']
10 * @uses PMA_DBI_get_tables()
11 * @uses PMA_sqlAddslashes()
12 * @uses PMA_getSearchSqls()
13 * @uses PMA_DBI_fetch_value()
14 * @uses PMA_linkOrButton()
15 * @uses PMA_generate_common_url()
16 * @uses PMA_generate_common_hidden_inputs()
17 * @uses PMA_showMySQLDocu()
18 * @uses $_REQUEST['search_str']
19 * @uses $_REQUEST['submit_search']
20 * @uses $_REQUEST['search_option']
21 * @uses $_REQUEST['table_select']
22 * @uses $_REQUEST['unselectall']
23 * @uses $_REQUEST['selectall']
24 * @uses $_REQUEST['field_str']
25 * @uses is_string()
26 * @uses htmlspecialchars()
27 * @uses array_key_exists()
28 * @uses is_array()
29 * @uses array_intersect()
30 * @uses sprintf()
31 * @uses in_array()
32 * @package phpMyAdmin
33 */
34
35 /**
36 *
37 */
38 require_once './libraries/common.inc.php';
39
40 $GLOBALS['js_include'][] = 'db_search.js';
41 $GLOBALS['js_include'][] = 'sql.js';
42 $GLOBALS['js_include'][] = 'makegrid.js';
43
44 /**
45 * Gets some core libraries and send headers
46 */
47 require './libraries/db_common.inc.php';
48
49 /**
50 * init
51 */
52 // If config variable $GLOBALS['cfg']['Usedbsearch'] is on false : exit.
53 if (! $GLOBALS['cfg']['UseDbSearch']) {
54 PMA_mysqlDie(__('Access denied'), '', false, $err_url);
55 } // end if
56 $url_query .= '&amp;goto=db_search.php';
57 $url_params['goto'] = 'db_search.php';
58
59 /**
60 * @global array list of tables from the current database
61 * but do not clash with $tables coming from db_info.inc.php
62 */
63 $tables_names_only = PMA_DBI_get_tables($GLOBALS['db']);
64
65 $search_options = array(
66 '1' => __('at least one of the words'),
67 '2' => __('all words'),
68 '3' => __('the exact phrase'),
69 '4' => __('as regular expression'),
70 );
71
72 if (empty($_REQUEST['search_option']) || ! is_string($_REQUEST['search_option'])
73 || ! array_key_exists($_REQUEST['search_option'], $search_options)) {
74 $search_option = 1;
75 unset($_REQUEST['submit_search']);
76 } else {
77 $search_option = (int) $_REQUEST['search_option'];
78 $option_str = $search_options[$_REQUEST['search_option']];
79 }
80
81 if (empty($_REQUEST['search_str']) || ! is_string($_REQUEST['search_str'])) {
82 unset($_REQUEST['submit_search']);
83 $searched = '';
84 } else {
85 $searched = htmlspecialchars($_REQUEST['search_str']);
86 // For "as regular expression" (search option 4), we should not treat
87 // this as an expression that contains a LIKE (second parameter of
88 // PMA_sqlAddslashes()).
89 //
90 // Usage example: If user is seaching for a literal $ in a regexp search,
91 // he should enter \$ as the value.
92 $search_str = PMA_sqlAddslashes($_REQUEST['search_str'], ($search_option == 4 ? false : true));
93 }
94
95 $tables_selected = array();
96 if (empty($_REQUEST['table_select']) || ! is_array($_REQUEST['table_select'])) {
97 unset($_REQUEST['submit_search']);
98 } elseif (! isset($_REQUEST['selectall']) && ! isset($_REQUEST['unselectall'])) {
99 $tables_selected = array_intersect($_REQUEST['table_select'], $tables_names_only);
100 }
101
102 if (isset($_REQUEST['selectall'])) {
103 $tables_selected = $tables_names_only;
104 } elseif (isset($_REQUEST['unselectall'])) {
105 $tables_selected = array();
106 }
107
108 if (empty($_REQUEST['field_str']) || ! is_string($_REQUEST['field_str'])) {
109 unset($field_str);
110 } else {
111 $field_str = PMA_sqlAddslashes($_REQUEST['field_str'], true);
112 }
113
114 /**
115 * Displays top links if we are not in an Ajax request
116 */
117 $sub_part = '';
118
119 if( $GLOBALS['is_ajax_request'] != true) {
120 require './libraries/db_info.inc.php';
121 echo '<div id="searchresults">';
122 }
123
124 /**
125 * 1. Main search form has been submitted
126 */
127 if (isset($_REQUEST['submit_search'])) {
128
129 /**
130 * Builds the SQL search query
131 *
132 * @todo can we make use of fulltextsearch IN BOOLEAN MODE for this?
133 * @uses PMA_DBI_query
134 * PMA_backquote
135 * PMA_DBI_free_result
136 * PMA_DBI_fetch_assoc
137 * $GLOBALS['db']
138 * explode
139 * count
140 * strlen
141 * @param string the table name
142 * @param string restrict the search to this field
143 * @param string the string to search
144 * @param integer type of search (1 -> 1 word at least, 2 -> all words,
145 * 3 -> exact string, 4 -> regexp)
146 *
147 * @return array 3 SQL querys (for count, display and delete results)
148 *
149 * @global string the url to return to in case of errors
150 * @global string charset connection
151 */
152 function PMA_getSearchSqls($table, $field, $search_str, $search_option)
153 {
154 global $err_url;
155
156 // Statement types
157 $sqlstr_select = 'SELECT';
158 $sqlstr_delete = 'DELETE';
159
160 // Fields to select
161 $tblfields = PMA_DBI_fetch_result('SHOW FIELDS FROM ' . PMA_backquote($table) . ' FROM ' . PMA_backquote($GLOBALS['db']),
162 null, 'Field');
163
164 // Table to use
165 $sqlstr_from = ' FROM ' . PMA_backquote($GLOBALS['db']) . '.' . PMA_backquote($table);
166
167 $search_words = (($search_option > 2) ? array($search_str) : explode(' ', $search_str));
168 $search_wds_cnt = count($search_words);
169
170 $like_or_regex = (($search_option == 4) ? 'REGEXP' : 'LIKE');
171 $automatic_wildcard = (($search_option < 3) ? '%' : '');
172
173 $fieldslikevalues = array();
174 foreach ($search_words as $search_word) {
175 // Eliminates empty values
176 if (strlen($search_word) === 0) {
177 continue;
178 }
179
180 $thefieldlikevalue = array();
181 foreach ($tblfields as $tblfield) {
182 if (! isset($field) || strlen($field) == 0 || $tblfield == $field) {
183 $thefieldlikevalue[] = 'CONVERT(' . PMA_backquote($tblfield) . ' USING utf8)'
184 . ' ' . $like_or_regex . ' '
185 . "'" . $automatic_wildcard
186 . $search_word
187 . $automatic_wildcard . "'";
188 }
189 } // end for
190
191 if (count($thefieldlikevalue) > 0) {
192 $fieldslikevalues[] = implode(' OR ', $thefieldlikevalue);
193 }
194 } // end for
195
196 $implode_str = ($search_option == 1 ? ' OR ' : ' AND ');
197 if ( empty($fieldslikevalues)) {
198 // this could happen when the "inside field" does not exist
199 // in any selected tables
200 $sqlstr_where = ' WHERE FALSE';
201 } else {
202 $sqlstr_where = ' WHERE (' . implode(') ' . $implode_str . ' (', $fieldslikevalues) . ')';
203 }
204 unset($fieldslikevalues);
205
206 // Builds complete queries
207 $sql['select_fields'] = $sqlstr_select . ' * ' . $sqlstr_from . $sqlstr_where;
208 // here, I think we need to still use the COUNT clause, even for
209 // VIEWs, anyway we have a WHERE clause that should limit results
210 $sql['select_count'] = $sqlstr_select . ' COUNT(*) AS `count`' . $sqlstr_from . $sqlstr_where;
211 $sql['delete'] = $sqlstr_delete . $sqlstr_from . $sqlstr_where;
212
213 return $sql;
214 } // end of the "PMA_getSearchSqls()" function
215
216
217 /**
218 * Displays the results
219 */
220 $this_url_params = array(
221 'db' => $GLOBALS['db'],
222 'goto' => 'db_sql.php',
223 'pos' => 0,
224 'is_js_confirmed' => 0,
225 );
226
227 // Displays search string
228 echo '<br />' . "\n"
229 .'<table class="data">' . "\n"
230 .'<caption class="tblHeaders">' . "\n"
231 .sprintf(__('Search results for "<i>%s</i>" %s:'),
232 $searched, $option_str) . "\n"
233 .'</caption>' . "\n";
234
235 $num_search_result_total = 0;
236 $odd_row = true;
237
238 foreach ($tables_selected as $each_table) {
239 // Gets the SQL statements
240 $newsearchsqls = PMA_getSearchSqls($each_table, (! empty($field_str) ? $field_str : ''), $search_str, $search_option);
241
242 // Executes the "COUNT" statement
243 $res_cnt = PMA_DBI_fetch_value($newsearchsqls['select_count']);
244 $num_search_result_total += $res_cnt;
245
246 $sql_query .= $newsearchsqls['select_count'];
247
248 echo '<tr class="noclick ' . ($odd_row ? 'odd' : 'even') . '">'
249 .'<td>' . sprintf(_ngettext('%s match inside table <i>%s</i>', '%s matches inside table <i>%s</i>', $res_cnt), $res_cnt,
250 htmlspecialchars($each_table)) . "</td>\n";
251
252 if ($res_cnt > 0) {
253 $this_url_params['sql_query'] = $newsearchsqls['select_fields'];
254 $browse_result_path = 'sql.php' . PMA_generate_common_url($this_url_params);
255 ?>
256 <td> <a name="browse_search" href="<?php echo $browse_result_path; ?>" onclick="loadResult('<?php echo $browse_result_path ?> ',' <?php echo $each_table?> ' , '<?php echo PMA_generate_common_url($GLOBALS['db'], $each_table)?>','<?php echo ($GLOBALS['cfg']['AjaxEnable']); ?>');return false;" ><?php echo __('Browse') ?></a> </td>
257 <?php
258 $this_url_params['sql_query'] = $newsearchsqls['delete'];
259 $delete_result_path = 'sql.php' . PMA_generate_common_url($this_url_params);
260 ?>
261 <td> <a name="delete_search" href="<?php echo $delete_result_path; ?>" onclick="deleteResult('<?php echo $delete_result_path ?>' , ' <?php printf(__('Delete the matches for the %s table?'), htmlspecialchars($each_table)); ?>','<?php echo ($GLOBALS['cfg']['AjaxEnable']); ?>');return false;" ><?php echo __('Delete') ?></a> </td>
262 <?php
263 } else {
264 echo '<td>&nbsp;</td>' . "\n"
265 .'<td>&nbsp;</td>' . "\n";
266 }// end if else
267 $odd_row = ! $odd_row;
268 echo '</tr>' . "\n";
269 } // end for
270
271 echo '</table>' . "\n";
272
273 if (count($tables_selected) > 1) {
274 echo '<p>' . sprintf(_ngettext('<b>Total:</b> <i>%s</i> match', '<b>Total:</b> <i>%s</i> matches', $num_search_result_total),
275 $num_search_result_total) . '</p>' . "\n";
276 }
277 } // end 1.
278
279 /**
280 * If we are in an Ajax request, we need to exit after displaying all the HTML
281 */
282 if($GLOBALS['is_ajax_request'] == true) {
283 exit;
284 }
285 else {
286 echo '</div>';//end searchresults div
287 }
288
289 /**
290 * 2. Displays the main search form
291 */
292 ?>
293 <a name="db_search"></a>
294 <form id="db_search_form"<?php echo ($GLOBALS['cfg']['AjaxEnable'] ? ' class="ajax"' : ''); ?> method="post" action="db_search.php" name="db_search">
295 <?php echo PMA_generate_common_hidden_inputs($GLOBALS['db']); ?>
296 <fieldset>
297 <legend><?php echo __('Search in database'); ?></legend>
298
299 <table class="formlayout">
300 <tr><td><?php echo __('Word(s) or value(s) to search for (wildcard: "%"):'); ?></td>
301 <td><input type="text" name="search_str" size="60"
302 value="<?php echo $searched; ?>" /></td>
303 </tr>
304 <tr><td align="right" valign="top">
305 <?php echo __('Find:'); ?></td>
306 <td><?php
307
308 $choices = array(
309 '1' => __('at least one of the words') . PMA_showHint(__('Words are separated by a space character (" ").')),
310 '2' => __('all words') . PMA_showHint(__('Words are separated by a space character (" ").')),
311 '3' => __('the exact phrase'),
312 '4' => __('as regular expression') . ' ' . PMA_showMySQLDocu('Regexp', 'Regexp')
313 );
314 // 4th parameter set to true to add line breaks
315 // 5th parameter set to false to avoid htmlspecialchars() escaping in the label
316 // since we have some HTML in some labels
317 PMA_display_html_radio('search_option', $choices, $search_option, true, false);
318 unset($choices);
319 ?>
320 </td>
321 </tr>
322 <tr><td align="right" valign="top">
323 <?php echo __('Inside table(s):'); ?></td>
324 <td rowspan="2">
325 <?php
326 echo ' <select name="table_select[]" size="6" multiple="multiple">' . "\n";
327 foreach ($tables_names_only as $each_table) {
328 if (in_array($each_table, $tables_selected)) {
329 $is_selected = ' selected="selected"';
330 } else {
331 $is_selected = '';
332 }
333
334 echo ' <option value="' . htmlspecialchars($each_table) . '"'
335 . $is_selected . '>'
336 . str_replace(' ', '&nbsp;', htmlspecialchars($each_table)) . '</option>' . "\n";
337 } // end while
338
339 echo ' </select>' . "\n";
340 $alter_select =
341 '<a href="db_search.php' . PMA_generate_common_url(array_merge($url_params, array('selectall' => 1))) . '#db_search"'
342 . ' onclick="setSelectOptions(\'db_search\', \'table_select[]\', true); return false;">' . __('Select All') . '</a>'
343 . '&nbsp;/&nbsp;'
344 . '<a href="db_search.php' . PMA_generate_common_url(array_merge($url_params, array('unselectall' => 1))) . '#db_search"'
345 . ' onclick="setSelectOptions(\'db_search\', \'table_select[]\', false); return false;">' . __('Unselect All') . '</a>';
346 ?>
347 </td>
348 </tr>
349 <tr><td align="right" valign="bottom">
350 <?php echo $alter_select; ?></td>
351 </tr>
352 <tr><td align="right">
353 <?php echo __('Inside column:'); ?></td>
354 <td><input type="text" name="field_str" size="60"
355 value="<?php echo ! empty($field_str) ? htmlspecialchars($field_str) : ''; ?>" /></td>
356 </tr>
357 </table>
358 </fieldset>
359 <fieldset class="tblFooters">
360 <input type="submit" name="submit_search" value="<?php echo __('Go'); ?>"
361 id="buttonGo" />
362 </fieldset>
363 </form>
364
365 <!-- These two table-image and table-link elements display the table name in browse search results -->
366 <div id='table-info'>
367 <a class="item" id="table-link" ></a>
368 </div>
369 <div id="browse-results">
370 <!-- this browse-results div is used to load the browse and delete results in the db search -->
371 </div>
372 <br class="clearfloat" />
373 <div id="sqlqueryform">
374 <!-- this sqlqueryform div is used to load the delete form in the db search -->
375 </div>
376 <!-- toggle query box link-->
377 <a id="togglequerybox"></a>
378
379 <?php
380 /**
381 * Displays the footer
382 */
383 require './libraries/footer.inc.php';
384 ?>
phpMyAdmin