sql.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * SQL executor
   5  *
   6  * @todo    we must handle the case if sql.php is called directly with a query
   7  *          that returns 0 rows - to prevent cyclic redirects or includes
   8  * @package PhpMyAdmin
   9  */
  10
  11 /**
  12  * Gets some core libraries
  13  */
  14 require_once 'libraries/common.inc.php';
  15 require_once 'libraries/Table.class.php';
  16 require_once 'libraries/Header.class.php';
  17 require_once 'libraries/check_user_privileges.lib.php';
  18 require_once 'libraries/bookmark.lib.php';
  19 require_once 'libraries/sql.lib.php';
  20 require_once 'libraries/sqlparser.lib.php';
  21 require_once 'libraries/config/page_settings.class.php';
  22
  23 PMA_PageSettings::showGroup('Browse');
  24
  25
  26 $response = PMA_Response::getInstance();
  27 $header   = $response->getHeader();
  28 $scripts  = $header->getScripts();
  29 $scripts->addFile('jquery/jquery-ui-timepicker-addon.js');
  30 $scripts->addFile('jquery/jquery.uitablefilter.js');
  31 $scripts->addFile('tbl_change.js');
  32 $scripts->addFile('indexes.js');
  33 $scripts->addFile('gis_data_editor.js');
  34 $scripts->addFile('multi_column_sort.js');
  35
  36 /**
  37  * Set ajax_reload in the response if it was already set
  38  */
  39 if (isset($ajax_reload) && $ajax_reload['reload'] === true) {
  40     $response->addJSON('ajax_reload', $ajax_reload);
  41 }
  42
  43
  44 /**
  45  * Defines the url to return to in case of error in a sql statement
  46  */
  47 // Security checks
  48 if (! empty($goto)) {
  49     $is_gotofile     = preg_replace('@^([^?]+).*$@s', '\\1', $goto);
  50     if (! @file_exists('' . $is_gotofile)) {
  51         unset($goto);
  52     } else {
  53         $is_gotofile = ($is_gotofile == $goto);
  54     }
  55 } else {
  56     if (empty($table)) {
  57         $goto = PMA_Util::getScriptNameForOption(
  58             $GLOBALS['cfg']['DefaultTabDatabase'], 'database'
  59         );
  60     } else {
  61         $goto = PMA_Util::getScriptNameForOption(
  62             $GLOBALS['cfg']['DefaultTabTable'], 'table'
  63         );
  64     }
  65     $is_gotofile  = true;
  66 } // end if
  67
  68 if (! isset($err_url)) {
  69     $err_url = (! empty($back) ? $back : $goto)
  70         . '?' . PMA_URL_getCommon(array('db' => $GLOBALS['db']))
  71         . ((/*overload*/mb_strpos(' ' . $goto, 'db_') != 1
  72             && /*overload*/mb_strlen($table))
  73             ? '&amp;table=' . urlencode($table)
  74             : ''
  75         );
  76 } // end if
  77
  78 // Coming from a bookmark dialog
  79 if (isset($_POST['bkm_fields']['bkm_sql_query'])) {
  80     $sql_query = $_POST['bkm_fields']['bkm_sql_query'];
  81 } elseif (isset($_GET['sql_query'])) {
  82     $sql_query = $_GET['sql_query'];
  83 }
  84
  85 // This one is just to fill $db
  86 if (isset($_POST['bkm_fields']['bkm_database'])) {
  87     $db = $_POST['bkm_fields']['bkm_database'];
  88 }
  89
  90
  91 // During grid edit, if we have a relational field, show the dropdown for it.
  92 if (isset($_REQUEST['get_relational_values'])
  93     && $_REQUEST['get_relational_values'] == true
  94 ) {
  95     PMA_getRelationalValues($db, $table);
  96     // script has exited at this point
  97 }
  98
  99 // Just like above, find possible values for enum fields during grid edit.
 100 if (isset($_REQUEST['get_enum_values']) && $_REQUEST['get_enum_values'] == true) {
 101     PMA_getEnumOrSetValues($db, $table, "enum");
 102     // script has exited at this point
 103 }
 104
 105
 106 // Find possible values for set fields during grid edit.
 107 if (isset($_REQUEST['get_set_values']) && $_REQUEST['get_set_values'] == true) {
 108     PMA_getEnumOrSetValues($db, $table, "set");
 109     // script has exited at this point
 110 }
 111
 112 if (isset($_REQUEST['get_default_fk_check_value'])
 113     && $_REQUEST['get_default_fk_check_value'] == true
 114 ) {
 115     $response = PMA_Response::getInstance();
 116     $response->addJSON(
 117         'default_fk_check_value', PMA_Util::isForeignKeyCheck()
 118     );
 119     exit;
 120 }
 121
 122 /**
 123  * Check ajax request to set the column order and visibility
 124  */
 125 if (isset($_REQUEST['set_col_prefs']) && $_REQUEST['set_col_prefs'] == true) {
 126     PMA_setColumnOrderOrVisibility($table, $db);
 127     // script has exited at this point
 128 }
 129
 130 // Default to browse if no query set and we have table
 131 // (needed for browsing from DefaultTabTable)
 132 $tableLength = /*overload*/mb_strlen($table);
 133 $dbLength = /*overload*/mb_strlen($db);
 134 if (empty($sql_query) && $tableLength && $dbLength) {
 135     $sql_query = PMA_getDefaultSqlQueryForBrowse($db, $table);
 136
 137     // set $goto to what will be displayed if query returns 0 rows
 138     $goto = '';
 139 } else {
 140     // Now we can check the parameters
 141     PMA_Util::checkParameters(array('sql_query'));
 142 }
 143
 144 /**
 145  * Parse and analyze the query
 146  */
 147 require_once 'libraries/parse_analyze.inc.php';
 148
 149
 150 /**
 151  * Check rights in case of DROP DATABASE
 152  *
 153  * This test may be bypassed if $is_js_confirmed = 1 (already checked with js)
 154  * but since a malicious user may pass this variable by url/form, we don't take
 155  * into account this case.
 156  */
 157 if (PMA_hasNoRightsToDropDatabase(
 158     $analyzed_sql_results, $cfg['AllowUserDropDatabase'], $is_superuser
 159 )) {
 160     PMA_Util::mysqlDie(
 161         __('"DROP DATABASE" statements are disabled.'),
 162         '',
 163         false,
 164         $err_url
 165     );
 166 } // end if
 167
 168 /**
 169  * Need to find the real end of rows?
 170  */
 171 if (isset($find_real_end) && $find_real_end) {
 172     $unlim_num_rows = PMA_findRealEndOfRows($db, $table);
 173 }
 174
 175
 176 /**
 177  * Bookmark add
 178  */
 179 if (isset($_POST['store_bkm'])) {
 180     PMA_addBookmark($cfg['PmaAbsoluteUri'], $goto);
 181     // script has exited at this point
 182 } // end if
 183
 184
 185 /**
 186  * Sets or modifies the $goto variable if required
 187  */
 188 if ($goto == 'sql.php') {
 189     $is_gotofile = false;
 190     $goto = 'sql.php' . PMA_URL_getCommon(
 191         array(
 192             'db' => $db,
 193             'table' => $table,
 194             'sql_query' => $sql_query
 195         )
 196     );
 197 } // end if
 198
 199 PMA_executeQueryAndSendQueryResponse(
 200     $analyzed_sql_results,
 201     $is_gotofile,
 202     $db,
 203     $table,
 204     isset($find_real_end) ? $find_real_end : null,
 205     isset($import_text) ? $import_text : null,
 206     isset($extra_data) ? $extra_data : null,
 207     $is_affected,
 208     isset($message_to_show) ? $message_to_show : null,
 209     isset($message) ? $message : null,
 210     isset($sql_data) ? $sql_data : null,
 211     $goto,
 212     $pmaThemeImage,
 213     isset($disp_query) ? $display_query : null,
 214     isset($disp_message) ? $disp_message : null,
 215     isset($query_type) ? $query_type : null,
 216     $sql_query,
 217     isset($selected) ? $selected : null,
 218     isset($complete_query) ? $complete_query : null
 219 );