sql.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * SQL executor
   5  *
   6  * @todo    we must handle the case if sql.php is called directly with a query
   7  *          that returns 0 rows - to prevent cyclic redirects or includes
   8  * @package PhpMyAdmin
   9  */
  10 declare(strict_types=1);
  11
  12 use PhpMyAdmin\CheckUserPrivileges;
  13 use PhpMyAdmin\Config\PageSettings;
  14 use PhpMyAdmin\DatabaseInterface;
  15 use PhpMyAdmin\Di\Container;
  16 use PhpMyAdmin\ParseAnalyze;
  17 use PhpMyAdmin\Response;
  18 use PhpMyAdmin\Sql;
  19 use PhpMyAdmin\Url;
  20 use PhpMyAdmin\Util;
  21
  22 if (! defined('ROOT_PATH')) {
  23     define('ROOT_PATH', __DIR__ . DIRECTORY_SEPARATOR);
  24 }
  25
  26 /**
  27  * Gets some core libraries
  28  */
  29 require_once ROOT_PATH . 'libraries/common.inc.php';
  30
  31 $container = Container::getDefaultContainer();
  32 $container->set(Response::class, Response::getInstance());
  33
  34 /** @var Response $response */
  35 $response = $container->get(Response::class);
  36
  37 /** @var DatabaseInterface $dbi */
  38 $dbi = $container->get(DatabaseInterface::class);
  39
  40 $checkUserPrivileges = new CheckUserPrivileges($dbi);
  41 $checkUserPrivileges->getPrivileges();
  42
  43 PageSettings::showGroup('Browse');
  44
  45 $header = $response->getHeader();
  46 $scripts = $header->getScripts();
  47 $scripts->addFile('vendor/jquery/jquery.uitablefilter.js');
  48 $scripts->addFile('tbl_change.js');
  49 $scripts->addFile('indexes.js');
  50 $scripts->addFile('gis_data_editor.js');
  51 $scripts->addFile('multi_column_sort.js');
  52
  53 $sql = new Sql();
  54
  55 /**
  56  * Set ajax_reload in the response if it was already set
  57  */
  58 if (isset($ajax_reload) && $ajax_reload['reload'] === true) {
  59     $response->addJSON('ajax_reload', $ajax_reload);
  60 }
  61
  62 /**
  63  * Defines the url to return to in case of error in a sql statement
  64  */
  65 $is_gotofile  = true;
  66 if (empty($goto)) {
  67     if (empty($table)) {
  68         $goto = Util::getScriptNameForOption(
  69             $GLOBALS['cfg']['DefaultTabDatabase'],
  70             'database'
  71         );
  72     } else {
  73         $goto = Util::getScriptNameForOption(
  74             $GLOBALS['cfg']['DefaultTabTable'],
  75             'table'
  76         );
  77     }
  78 } // end if
  79
  80 if (! isset($err_url)) {
  81     $err_url = (! empty($back) ? $back : $goto)
  82         . '?' . Url::getCommon(['db' => $GLOBALS['db']])
  83         . ((mb_strpos(' ' . $goto, 'db_') != 1
  84             && strlen($table) > 0)
  85             ? '&amp;table=' . urlencode($table)
  86             : ''
  87         );
  88 } // end if
  89
  90 // Coming from a bookmark dialog
  91 if (isset($_POST['bkm_fields']['bkm_sql_query'])) {
  92     $sql_query = $_POST['bkm_fields']['bkm_sql_query'];
  93 } elseif (isset($_POST['sql_query'])) {
  94     $sql_query = $_POST['sql_query'];
  95 }
  96
  97 // This one is just to fill $db
  98 if (isset($_POST['bkm_fields']['bkm_database'])) {
  99     $db = $_POST['bkm_fields']['bkm_database'];
 100 }
 101
 102 // During grid edit, if we have a relational field, show the dropdown for it.
 103 if (isset($_POST['get_relational_values'])
 104     && $_POST['get_relational_values'] == true
 105 ) {
 106     $sql->getRelationalValues($db, $table);
 107     // script has exited at this point
 108 }
 109
 110 // Just like above, find possible values for enum fields during grid edit.
 111 if (isset($_POST['get_enum_values']) && $_POST['get_enum_values'] == true) {
 112     $sql->getEnumOrSetValues($db, $table, "enum");
 113     // script has exited at this point
 114 }
 115
 116
 117 // Find possible values for set fields during grid edit.
 118 if (isset($_POST['get_set_values']) && $_POST['get_set_values'] == true) {
 119     $sql->getEnumOrSetValues($db, $table, "set");
 120     // script has exited at this point
 121 }
 122
 123 if (isset($_GET['get_default_fk_check_value'])
 124     && $_GET['get_default_fk_check_value'] == true
 125 ) {
 126     $response = Response::getInstance();
 127     $response->addJSON(
 128         'default_fk_check_value',
 129         Util::isForeignKeyCheck()
 130     );
 131     exit;
 132 }
 133
 134 /**
 135  * Check ajax request to set the column order and visibility
 136  */
 137 if (isset($_POST['set_col_prefs']) && $_POST['set_col_prefs'] == true) {
 138     $sql->setColumnOrderOrVisibility($table, $db);
 139     // script has exited at this point
 140 }
 141
 142 // Default to browse if no query set and we have table
 143 // (needed for browsing from DefaultTabTable)
 144 if (empty($sql_query) && strlen($table) > 0 && strlen($db) > 0) {
 145     $sql_query = $sql->getDefaultSqlQueryForBrowse($db, $table);
 146
 147     // set $goto to what will be displayed if query returns 0 rows
 148     $goto = '';
 149 } else {
 150     // Now we can check the parameters
 151     Util::checkParameters(['sql_query']);
 152 }
 153
 154 /**
 155  * Parse and analyze the query
 156  */
 157 list(
 158     $analyzed_sql_results,
 159     $db,
 160     $table_from_sql
 161 ) = ParseAnalyze::sqlQuery($sql_query, $db);
 162 // @todo: possibly refactor
 163 extract($analyzed_sql_results);
 164
 165 if ($table != $table_from_sql && ! empty($table_from_sql)) {
 166     $table = $table_from_sql;
 167 }
 168
 169
 170 /**
 171  * Check rights in case of DROP DATABASE
 172  *
 173  * This test may be bypassed if $is_js_confirmed = 1 (already checked with js)
 174  * but since a malicious user may pass this variable by url/form, we don't take
 175  * into account this case.
 176  */
 177 if ($sql->hasNoRightsToDropDatabase(
 178     $analyzed_sql_results,
 179     $cfg['AllowUserDropDatabase'],
 180     $dbi->isSuperuser()
 181 )) {
 182     Util::mysqlDie(
 183         __('"DROP DATABASE" statements are disabled.'),
 184         '',
 185         false,
 186         $err_url
 187     );
 188 } // end if
 189
 190 /**
 191  * Need to find the real end of rows?
 192  */
 193 if (isset($find_real_end) && $find_real_end) {
 194     $unlim_num_rows = $sql->findRealEndOfRows($db, $table);
 195 }
 196
 197
 198 /**
 199  * Bookmark add
 200  */
 201 if (isset($_POST['store_bkm'])) {
 202     $sql->addBookmark($goto);
 203     // script has exited at this point
 204 } // end if
 205
 206
 207 /**
 208  * Sets or modifies the $goto variable if required
 209  */
 210 if ($goto == 'sql.php') {
 211     $is_gotofile = false;
 212     $goto = 'sql.php' . Url::getCommon(
 213         [
 214             'db' => $db,
 215             'table' => $table,
 216             'sql_query' => $sql_query,
 217         ]
 218     );
 219 } // end if
 220
 221 $sql->executeQueryAndSendQueryResponse(
 222     $analyzed_sql_results, // analyzed_sql_results
 223     $is_gotofile, // is_gotofile
 224     $db, // db
 225     $table, // table
 226     isset($find_real_end) ? $find_real_end : null, // find_real_end
 227     isset($import_text) ? $import_text : null, // sql_query_for_bookmark
 228     isset($extra_data) ? $extra_data : null, // extra_data
 229     isset($message_to_show) ? $message_to_show : null, // message_to_show
 230     isset($message) ? $message : null, // message
 231     isset($sql_data) ? $sql_data : null, // sql_data
 232     $goto, // goto
 233     $pmaThemeImage, // pmaThemeImage
 234     isset($disp_query) ? $display_query : null, // disp_query
 235     isset($disp_message) ? $disp_message : null, // disp_message
 236     isset($query_type) ? $query_type : null, // query_type
 237     $sql_query, // sql_query
 238     isset($selected) ? $selected : null, // selectedTables
 239     isset($complete_query) ? $complete_query : null // complete_query
 240 );