search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix XSS on table comment.
[phpmyadmin/crack.git] / tbl_alter.php
blob5e620d98d61a53e8fd51ba706889aee4cadee98f
1 <?php
2 /* $Id$ */
3 // vim: expandtab sw=4 ts=4 sts=4:
4
5 /**
6 * Gets some core libraries
7 */
8 require_once('./libraries/common.lib.php');
9 require_once('./libraries/Table.class.php');
10
11 $js_to_run = 'functions.js';
12 require_once('./libraries/header.inc.php');
13
14 // Check parameters
15 PMA_checkParameters(array('db', 'table'));
16
17 /**
18 * Gets tables informations
19 */
20 require_once('./libraries/tbl_common.php');
21 require_once('./libraries/tbl_info.inc.php');
22 /**
23 * Displays top menu links
24 */
25 $active_page = 'tbl_structure.php';
26 // I don't see the need to display the links here, they will be displayed later
27 //require('./libraries/tbl_links.inc.php');
28
29
30 /**
31 * Defines the url to return to in case of error in a sql statement
32 */
33 $err_url = 'tbl_structure.php?' . PMA_generate_common_url($db, $table);
34
35
36 /**
37 * Modifications have been submitted -> updates the table
38 */
39 $abort = false;
40 if (isset($do_save_data)) {
41 $field_cnt = count($field_orig);
42 for ($i = 0; $i < $field_cnt; $i++) {
43 // to "&quot;" in tbl_sql.php
44 $field_orig[$i] = urldecode($field_orig[$i]);
45 if (strcmp(str_replace('"', '&quot;', $field_orig[$i]), $field_name[$i]) == 0) {
46 $field_name[$i] = $field_orig[$i];
47 }
48 $field_default_orig[$i] = urldecode($field_default_orig[$i]);
49 if (strcmp(str_replace('"', '&quot;', $field_default_orig[$i]), $field_default[$i]) == 0) {
50 $field_default[$i] = $field_default_orig[$i];
51 }
52 $field_length_orig[$i] = urldecode($field_length_orig[$i]);
53 if (strcmp(str_replace('"', '&quot;', $field_length_orig[$i]), $field_length[$i]) == 0) {
54 $field_length[$i] = $field_length_orig[$i];
55 }
56 if (!isset($query)) {
57 $query = '';
58 } else {
59 $query .= ', CHANGE ';
60 }
61
62 $query .= PMA_Table::generateAlter($field_orig[$i], $field_name[$i], $field_type[$i], $field_length[$i], $field_attribute[$i], isset($field_collation[$i]) ? $field_collation[$i] : '', $field_null[$i], $field_default[$i], isset($field_default_current_timestamp[$i]), $field_extra[$i], (isset($field_comments[$i]) ? $field_comments[$i] : ''), $field_default_orig[$i]);
63 } // end for
64
65 // To allow replication, we first select the db to use and then run queries
66 // on this db.
67 PMA_DBI_select_db($db) or PMA_mysqlDie(PMA_DBI_getError(), 'USE ' . PMA_backquote($db) . ';', '', $err_url);
68 // Optimization fix - 2 May 2001 - Robbat2
69 $sql_query = 'ALTER TABLE ' . PMA_backquote($table) . ' CHANGE ' . $query;
70 $error_create = FALSE;
71 $result = PMA_DBI_try_query($sql_query) or $error_create = TRUE;
72
73 if ($error_create == FALSE) {
74 $message = $strTable . ' ' . htmlspecialchars($table) . ' ' . $strHasBeenAltered;
75 $btnDrop = 'Fake';
76
77 // garvin: If comments were sent, enable relation stuff
78 require_once('./libraries/relation.lib.php');
79 require_once('./libraries/transformations.lib.php');
80
81 $cfgRelation = PMA_getRelationsParam();
82
83 // take care of pmadb internal comments here
84 // garvin: Update comment table, if a comment was set.
85 if (PMA_MYSQL_INT_VERSION < 40100 && isset($field_comments) && is_array($field_comments) && $cfgRelation['commwork']) {
86 foreach ($field_comments AS $fieldindex => $fieldcomment) {
87 if (isset($field_name[$fieldindex]) && strlen($field_name[$fieldindex])) {
88 PMA_setComment($db, $table, $field_name[$fieldindex], $fieldcomment, $field_orig[$fieldindex], 'pmadb');
89 }
90 }
91 }
92
93 // garvin: Rename relations&display fields, if altered.
94 if (($cfgRelation['displaywork'] || $cfgRelation['relwork']) && isset($field_orig) && is_array($field_orig)) {
95 foreach ($field_orig AS $fieldindex => $fieldcontent) {
96 if ($field_name[$fieldindex] != $fieldcontent) {
97 if ($cfgRelation['displaywork']) {
98 $table_query = 'UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_info'])
99 . ' SET display_field = \'' . PMA_sqlAddslashes($field_name[$fieldindex]) . '\''
100 . ' WHERE db_name = \'' . PMA_sqlAddslashes($db) . '\''
101 . ' AND table_name = \'' . PMA_sqlAddslashes($table) . '\''
102 . ' AND display_field = \'' . PMA_sqlAddslashes($fieldcontent) . '\'';
103 $tb_rs = PMA_query_as_cu($table_query);
104 unset($table_query);
105 unset($tb_rs);
106 }
107
108 if ($cfgRelation['relwork']) {
109 $table_query = 'UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['relation'])
110 . ' SET master_field = \'' . PMA_sqlAddslashes($field_name[$fieldindex]) . '\''
111 . ' WHERE master_db = \'' . PMA_sqlAddslashes($db) . '\''
112 . ' AND master_table = \'' . PMA_sqlAddslashes($table) . '\''
113 . ' AND master_field = \'' . PMA_sqlAddslashes($fieldcontent) . '\'';
114 $tb_rs = PMA_query_as_cu($table_query);
115 unset($table_query);
116 unset($tb_rs);
117
118 $table_query = 'UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['relation'])
119 . ' SET foreign_field = \'' . PMA_sqlAddslashes($field_name[$fieldindex]) . '\''
120 . ' WHERE foreign_db = \'' . PMA_sqlAddslashes($db) . '\''
121 . ' AND foreign_table = \'' . PMA_sqlAddslashes($table) . '\''
122 . ' AND foreign_field = \'' . PMA_sqlAddslashes($fieldcontent) . '\'';
123 $tb_rs = PMA_query_as_cu($table_query);
124 unset($table_query);
125 unset($tb_rs);
126 } // end if relwork
127 } // end if fieldname has changed
128 } // end while check fieldnames
129 } // end if relations/display has to be changed
130
131 // garvin: Update comment table for mime types [MIME]
132 if (isset($field_mimetype) && is_array($field_mimetype) && $cfgRelation['commwork'] && $cfgRelation['mimework'] && $cfg['BrowseMIME']) {
133 foreach ($field_mimetype AS $fieldindex => $mimetype) {
134 if (isset($field_name[$fieldindex]) && strlen($field_name[$fieldindex])) {
135 PMA_setMIME($db, $table, $field_name[$fieldindex], $mimetype, $field_transformation[$fieldindex], $field_transformation_options[$fieldindex]);
136 }
137 }
138 }
139
140 $active_page = 'tbl_structure.php';
141 require('./tbl_structure.php');
142 } else {
143 PMA_mysqlDie('', '', '', $err_url, FALSE);
144 // garvin: An error happened while inserting/updating a table definition.
145 // to prevent total loss of that data, we embed the form once again.
146 // The variable $regenerate will be used to restore data in libraries/tbl_properties.inc.php
147 if (isset($orig_field)) {
148 $field = $orig_field;
149 }
150
151 $regenerate = true;
152 }
153 }
154
155 /**
156 * No modifications yet required -> displays the table fields
157 */
158 if ($abort == FALSE) {
159 if (!isset($selected)) {
160 PMA_checkParameters(array('field'));
161 $selected[] = $field;
162 $selected_cnt = 1;
163 } else { // from a multiple submit
164 $selected_cnt = count($selected);
165 }
166
167 /**
168 * @todo optimize in case of multiple fields to modify
169 */
170 for ($i = 0; $i < $selected_cnt; $i++) {
171 if (!empty($submit_mult)) {
172 $field = PMA_sqlAddslashes(urldecode($selected[$i]), TRUE);
173 } else {
174 $field = PMA_sqlAddslashes($selected[$i], TRUE);
175 }
176 $result = PMA_DBI_query('SHOW FULL FIELDS FROM ' . PMA_backquote($table) . ' FROM ' . PMA_backquote($db) . ' LIKE \'' . $field . '\';');
177 $fields_meta[] = PMA_DBI_fetch_assoc($result);
178 PMA_DBI_free_result($result);
179 }
180 $num_fields = count($fields_meta);
181 $action = 'tbl_alter.php';
182
183 // Get more complete field information
184 // For now, this is done just for MySQL 4.1.2+ new TIMESTAMP options
185 // but later, if the analyser returns more information, it
186 // could be executed for any MySQL version and replace
187 // the info given by SHOW FULL FIELDS FROM.
188 /**
189 * @todo put this code into a require()
190 * or maybe make it part of PMA_DBI_get_fields();
191 */
192
193 // We also need this to correctly learn if a TIMESTAMP is NOT NULL, since
194 // SHOW FULL FIELDS says NULL and SHOW CREATE TABLE says NOT NULL (tested
195 // in MySQL 4.0.25).
196
197 $show_create_table = PMA_DBI_fetch_value(
198 'SHOW CREATE TABLE ' . PMA_backquote($db) . '.' . PMA_backquote($table),
199 0, 1 );
200 $analyzed_sql = PMA_SQP_analyze( PMA_SQP_parse( $show_create_table ) );
201
202 require('./libraries/tbl_properties.inc.php');
203 }
204
205
206 /**
207 * Displays the footer
208 */
209 require_once('./libraries/footer.inc.php');
210 ?>
Drizzle / GSOC 2011