sql.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * SQL executor
   5  *
   6  * @todo    we must handle the case if sql.php is called directly with a query
   7  *          that returns 0 rows - to prevent cyclic redirects or includes
   8  * @package PhpMyAdmin
   9  */
  10 declare(strict_types=1);
  11
  12 use PhpMyAdmin\CheckUserPrivileges;
  13 use PhpMyAdmin\Config\PageSettings;
  14 use PhpMyAdmin\DatabaseInterface;
  15 use PhpMyAdmin\ParseAnalyze;
  16 use PhpMyAdmin\Response;
  17 use PhpMyAdmin\Sql;
  18 use PhpMyAdmin\Url;
  19 use PhpMyAdmin\Util;
  20 use PhpMyAdmin\Core;
  21
  22 if (! defined('ROOT_PATH')) {
  23     define('ROOT_PATH', __DIR__ . DIRECTORY_SEPARATOR);
  24 }
  25
  26 global $cfg, $containerBuilder, $pmaThemeImage;
  27
  28 require_once ROOT_PATH . 'libraries/common.inc.php';
  29
  30 /** @var Response $response */
  31 $response = $containerBuilder->get(Response::class);
  32
  33 /** @var DatabaseInterface $dbi */
  34 $dbi = $containerBuilder->get(DatabaseInterface::class);
  35
  36 /** @var CheckUserPrivileges $checkUserPrivileges */
  37 $checkUserPrivileges = $containerBuilder->get('check_user_privileges');
  38 $checkUserPrivileges->getPrivileges();
  39
  40 PageSettings::showGroup('Browse');
  41
  42 $header = $response->getHeader();
  43 $scripts = $header->getScripts();
  44 $scripts->addFile('vendor/jquery/jquery.uitablefilter.js');
  45 $scripts->addFile('table/change.js');
  46 $scripts->addFile('indexes.js');
  47 $scripts->addFile('gis_data_editor.js');
  48 $scripts->addFile('multi_column_sort.js');
  49
  50 /** @var Sql $sql */
  51 $sql = $containerBuilder->get('sql');
  52
  53 /**
  54  * Set ajax_reload in the response if it was already set
  55  */
  56 if (isset($ajax_reload) && $ajax_reload['reload'] === true) {
  57     $response->addJSON('ajax_reload', $ajax_reload);
  58 }
  59
  60 /**
  61  * Defines the url to return to in case of error in a sql statement
  62  */
  63 $is_gotofile  = true;
  64 if (empty($goto)) {
  65     if (empty($table)) {
  66         $goto = Util::getScriptNameForOption(
  67             $cfg['DefaultTabDatabase'],
  68             'database'
  69         );
  70     } else {
  71         $goto = Util::getScriptNameForOption(
  72             $cfg['DefaultTabTable'],
  73             'table'
  74         );
  75     }
  76 } // end if
  77
  78 if (! isset($err_url)) {
  79     $err_url = (! empty($back) ? $back : $goto)
  80         . '?' . Url::getCommon(['db' => $GLOBALS['db']])
  81         . ((mb_strpos(' ' . $goto, 'db_') != 1
  82             && strlen($table) > 0)
  83             ? '&amp;table=' . urlencode($table)
  84             : ''
  85         );
  86 } // end if
  87
  88 // Coming from a bookmark dialog
  89 if (isset($_POST['bkm_fields']['bkm_sql_query'])) {
  90     $sql_query = $_POST['bkm_fields']['bkm_sql_query'];
  91 } elseif (isset($_POST['sql_query'])) {
  92     $sql_query = $_POST['sql_query'];
  93 } elseif (isset($_GET['sql_query']) && isset($_GET['sql_signature'])) {
  94     if (Core::checkSqlQuerySignature($_GET['sql_query'], $_GET['sql_signature'])) {
  95         $sql_query = $_GET['sql_query'];
  96     }
  97 }
  98
  99 // This one is just to fill $db
 100 if (isset($_POST['bkm_fields']['bkm_database'])) {
 101     $db = $_POST['bkm_fields']['bkm_database'];
 102 }
 103
 104 // During grid edit, if we have a relational field, show the dropdown for it.
 105 if (isset($_POST['get_relational_values'])
 106     && $_POST['get_relational_values'] == true
 107 ) {
 108     $sql->getRelationalValues($db, $table);
 109     // script has exited at this point
 110 }
 111
 112 // Just like above, find possible values for enum fields during grid edit.
 113 if (isset($_POST['get_enum_values']) && $_POST['get_enum_values'] == true) {
 114     $sql->getEnumOrSetValues($db, $table, "enum");
 115     // script has exited at this point
 116 }
 117
 118
 119 // Find possible values for set fields during grid edit.
 120 if (isset($_POST['get_set_values']) && $_POST['get_set_values'] == true) {
 121     $sql->getEnumOrSetValues($db, $table, "set");
 122     // script has exited at this point
 123 }
 124
 125 if (isset($_GET['get_default_fk_check_value'])
 126     && $_GET['get_default_fk_check_value'] == true
 127 ) {
 128     $response = Response::getInstance();
 129     $response->addJSON(
 130         'default_fk_check_value',
 131         Util::isForeignKeyCheck()
 132     );
 133     exit;
 134 }
 135
 136 /**
 137  * Check ajax request to set the column order and visibility
 138  */
 139 if (isset($_POST['set_col_prefs']) && $_POST['set_col_prefs'] == true) {
 140     $sql->setColumnOrderOrVisibility($table, $db);
 141     // script has exited at this point
 142 }
 143
 144 // Default to browse if no query set and we have table
 145 // (needed for browsing from DefaultTabTable)
 146 if (empty($sql_query) && strlen($table) > 0 && strlen($db) > 0) {
 147     $sql_query = $sql->getDefaultSqlQueryForBrowse($db, $table);
 148
 149     // set $goto to what will be displayed if query returns 0 rows
 150     $goto = '';
 151 } else {
 152     // Now we can check the parameters
 153     Util::checkParameters(['sql_query']);
 154 }
 155
 156 /**
 157  * Parse and analyze the query
 158  */
 159 list(
 160     $analyzed_sql_results,
 161     $db,
 162     $table_from_sql
 163 ) = ParseAnalyze::sqlQuery($sql_query, $db);
 164 // @todo: possibly refactor
 165 extract($analyzed_sql_results);
 166
 167 if ($table != $table_from_sql && ! empty($table_from_sql)) {
 168     $table = $table_from_sql;
 169 }
 170
 171
 172 /**
 173  * Check rights in case of DROP DATABASE
 174  *
 175  * This test may be bypassed if $is_js_confirmed = 1 (already checked with js)
 176  * but since a malicious user may pass this variable by url/form, we don't take
 177  * into account this case.
 178  */
 179 if ($sql->hasNoRightsToDropDatabase(
 180     $analyzed_sql_results,
 181     $cfg['AllowUserDropDatabase'],
 182     $dbi->isSuperuser()
 183 )) {
 184     Util::mysqlDie(
 185         __('"DROP DATABASE" statements are disabled.'),
 186         '',
 187         false,
 188         $err_url
 189     );
 190 } // end if
 191
 192 /**
 193  * Need to find the real end of rows?
 194  */
 195 if (isset($find_real_end) && $find_real_end) {
 196     $unlim_num_rows = $sql->findRealEndOfRows($db, $table);
 197 }
 198
 199
 200 /**
 201  * Bookmark add
 202  */
 203 if (isset($_POST['store_bkm'])) {
 204     $sql->addBookmark($goto);
 205     // script has exited at this point
 206 } // end if
 207
 208
 209 /**
 210  * Sets or modifies the $goto variable if required
 211  */
 212 if ($goto == 'sql.php') {
 213     $is_gotofile = false;
 214     $goto = 'sql.php' . Url::getCommon(
 215         [
 216             'db' => $db,
 217             'table' => $table,
 218             'sql_query' => $sql_query,
 219         ]
 220     );
 221 } // end if
 222
 223 $sql->executeQueryAndSendQueryResponse(
 224     $analyzed_sql_results, // analyzed_sql_results
 225     $is_gotofile, // is_gotofile
 226     $db, // db
 227     $table, // table
 228     isset($find_real_end) ? $find_real_end : null, // find_real_end
 229     isset($import_text) ? $import_text : null, // sql_query_for_bookmark
 230     isset($extra_data) ? $extra_data : null, // extra_data
 231     isset($message_to_show) ? $message_to_show : null, // message_to_show
 232     isset($message) ? $message : null, // message
 233     isset($sql_data) ? $sql_data : null, // sql_data
 234     $goto, // goto
 235     $pmaThemeImage, // pmaThemeImage
 236     isset($disp_query) ? $display_query : null, // disp_query
 237     isset($disp_message) ? $disp_message : null, // disp_message
 238     isset($query_type) ? $query_type : null, // query_type
 239     $sql_query, // sql_query
 240     isset($selected) ? $selected : null, // selectedTables
 241     isset($complete_query) ? $complete_query : null // complete_query
 242 );