Protect against php code input from user (bug #1530370).
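<?php
/* $Id$ */
// vim: expandtab sw=4 ts=4 sts=4:

/**
 * Don't display the page heading
 */
if (!defined('PMA_DISPLAY_HEADING')) {
    define('PMA_DISPLAY_HEADING', 0);
}

/**
 * Gets some core libraries and displays a top message if required
 */
require_once './libraries/common.lib.php';

// Handles some variables that may have been sent by the calling script:
// any $db / $table that is set at this point is discarded before the
// header is built.
if (isset($db)) {
    unset($db);
}
if (isset($table)) {
    unset($table);
}
// presumably read by header.inc.php; its consumer is not visible in this file
$show_query = '1';
require_once './libraries/header.inc.php';

// Any message to display?
// NOTE(review): $message is handed to PMA_showMessage() unchanged and its
// origin is not visible here; confirm that PMA_showMessage() (or whoever
// sets $message) HTML-escapes it.
if (! empty($message)) {
    PMA_showMessage($message);
    unset($message);
}

// Query-string fragment built with empty db and table arguments; it is
// appended to every internal link printed further down this page.
$common_url_query = PMA_generate_common_url('', '');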
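// this wrapper div is required so that the contained divs can be 50% wide
echo '<div id="maincontainer">' . "\n";

/**
 * Displays the mysql server related links
 */
if ($server > 0) {

    require_once './libraries/check_user_privileges.lib.php';
    // why this? a non-priv user should be able to change his
    // password if the configuration permits
    //$cfg['ShowChgPassword'] = $is_superuser = PMA_isSuperuser();
    $is_superuser = PMA_isSuperuser();

    // With the 'config' auth type the change-password link is switched off,
    // whatever $cfg['ShowChgPassword'] was set to.
    if ($cfg['Server']['auth_type'] == 'config') {
        $cfg['ShowChgPassword'] = false;
    }
}

?>
<div id="mysqlmaininformation">
<?php
if ($server > 0) {
    // robbat2: Use the verbose name of the server instead of the hostname
    //          if a value is set
    // $server_info ends up as "verbose (host info)" or just "host info".
    $server_info = '';
    if (!empty($cfg['Server']['verbose'])) {
        $server_info .= $cfg['Server']['verbose'];
        $server_info .= ' (';
    }
    $server_info .= PMA_DBI_get_host_info();

    if (!empty($cfg['Server']['verbose'])) {
        $server_info .= ')';
    }
    // loic1: skip this because it is not a good idea to show the sockets
    //        in use to everybody
    // if (!empty($cfg['Server']['socket']) && PMA_PHP_INT_VERSION >= 30010) {
    //     $server_info .= ':' . $cfg['Server']['socket'];
    // }
    $mysql_cur_user_and_host = PMA_DBI_fetch_value('SELECT USER();');

    // should we add the port info here?
    $short_server_info = (!empty($GLOBALS['cfg']['Server']['verbose'])
                ? $GLOBALS['cfg']['Server']['verbose']
                : $GLOBALS['cfg']['Server']['host']);
    // NOTE(review): the verbose name / host is echoed into the heading
    // without htmlspecialchars(). That is only safe while these settings come
    // from a trusted configuration file; confirm that no request parameter
    // can set $cfg['Server']['host'] or ['verbose'].
    echo '<h1 xml:lang="en" dir="ltr">' . $short_server_info .'</h1>' . "\n";
    unset($short_server_info);
} else {
    // Case when no server selected
    //echo '<h1 xml:lang="en" dir="ltr">MySQL</h1>' . "\n";
}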
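// Server panel: connection details followed by links to the server-level
// pages. Printed only when a server is selected.
if ($server > 0) {
    echo '<ul>' . "\n";

    PMA_printListItem($strServerVersion . ': ' . PMA_MYSQL_STR_VERSION, 'li_server_info');
    PMA_printListItem($strProtocolVersion . ': ' . PMA_DBI_get_proto_info(),
        'li_mysql_proto');
    // NOTE(review): $server_info is printed without escaping; it is built
    // from $cfg['Server']['verbose'] and PMA_DBI_get_host_info().
    PMA_printListItem($strServer . ': ' . $server_info, 'li_server_info');
    // The value returned by SELECT USER() is escaped because
    // PMA_printListItem() echoes its first argument as raw HTML.
    PMA_printListItem($strUser . ': ' . htmlspecialchars($mysql_cur_user_and_host),
        'li_user_info');

    if ($cfg['AllowAnywhereRecoding'] && $allow_recoding && PMA_MYSQL_INT_VERSION < 40100) {
        // Servers older than 4.1: offer a dropdown of the configured charsets.
        echo '<li id="li_select_mysql_charset">';
        // NOTE(review): $server and $lang are written into attribute values
        // below without htmlspecialchars(); confirm that common.lib.php has
        // already restricted both to safe values.
        ?>
        <form method="post" action="index.php" target="_parent">
            <input type="hidden" name="server" value="<?php echo $server; ?>" />
            <input type="hidden" name="lang" value="<?php echo $lang; ?>" />
            <?php echo $strMySQLCharset;?>:
            <select name="convcharset"  xml:lang="en" dir="ltr"
                onchange="this.form.submit();">
        <?php
        foreach ($cfg['AvailableCharsets'] as $tmpcharset) {
            if ($convcharset == $tmpcharset) {
                $selected = ' selected="selected"';
            } else {
                $selected = '';
            }
            echo ' '
               . '<option value="' . $tmpcharset . '"' . $selected . '>' . $tmpcharset . '</option>' . "\n";
        }
        ?>
            </select>
            <noscript><input type="submit" value="<?php echo $strGo;?>" /></noscript>
        </form>
        </li>
        <?php
    } elseif (PMA_MYSQL_INT_VERSION >= 40100) {
        // 4.1 and later: show the charset read-only and let the user pick
        // the connection collation instead.
        echo ' <li id="li_select_mysql_charset">';
        echo ' ' . $strMySQLCharset . ': '
           . ' <strong xml:lang="en" dir="ltr">'
           . ' ' . $mysql_charsets_descriptions[$mysql_charset_map[strtolower($charset)]] . "\n"
           . ' (' . $mysql_charset_map[strtolower($charset)] . ')' . "\n"
           . ' </strong>' . "\n"
           . ' </li>' . "\n"
           . ' <li id="li_select_mysql_collation">';
        echo ' <form method="post" action="index.php" target="_parent">' . "\n"
           . PMA_generate_common_hidden_inputs(null, null, 4, 'collation_connection')
           . ' <label for="select_collation_connection">' . "\n"
           . ' ' . $strMySQLConnectionCollation . ': ' . "\n"
           . ' </label>' . "\n"
           . PMA_generateCharsetDropdownBox(PMA_CSDROPDOWN_COLLATION, 'collation_connection', 'select_collation_connection', $collation_connection, true, 4, true)
           . ' <noscript><input type="submit" value="' . $strGo . '" /></noscript>' . "\n"
           // put the doc link in the form so that it appears on the same line
           . PMA_showMySQLDocu('MySQL_Database_Administration', 'Charset-connection') . "\n"
           . ' </form>' . "\n"
           . ' </li>' . "\n";
    }

    if ($cfg['ShowCreateDb']) {
        echo '<li id="li_create_database">';
        require './libraries/display_create_database.lib.php';
        echo '</li>' . "\n";
    }

    PMA_printListItem($strMySQLShowStatus, 'li_mysql_status',
        './server_status.php?' . $common_url_query);
    PMA_printListItem($strMySQLShowVars, 'li_mysql_variables',
        './server_variables.php?' . $common_url_query, 'show-variables');
    PMA_printListItem($strProcesses, 'li_mysql_processes',
        './server_processlist.php?' . $common_url_query, 'show-processlist');

    if (PMA_MYSQL_INT_VERSION >= 40100) {
        PMA_printListItem($strCharsetsAndCollations, 'li_mysql_collations',
            './server_collations.php?' . $common_url_query);
    }

    PMA_printListItem($strStorageEngines, 'li_mysql_engines',
        './server_engines.php?' . $common_url_query);

    // $is_reload_priv is not set in this file; presumably it comes from
    // check_user_privileges.lib.php.
    // NOTE(review): the reload is requested through a plain GET link
    // (flush_privileges=1). Whether $common_url_query carries a session token
    // cannot be seen here; confirm that server_privileges.php does not act on
    // this parameter without one.
    if ($is_reload_priv) {
        PMA_printListItem($strReloadPrivileges, 'li_flush_privileges',
            './server_privileges.php?flush_privileges=1&amp;' . $common_url_query, 'flush');
    }

    if ($is_superuser) {
        PMA_printListItem($strPrivileges, 'li_mysql_privilegs',
            './server_privileges.php?' . $common_url_query);
    }

    // The binary-log link is shown only when SHOW MASTER LOGS succeeds and
    // returns at least one row; a failed query simply hides the entry.
    $binlogs = PMA_DBI_try_query('SHOW MASTER LOGS', null, PMA_DBI_QUERY_STORE);
    if ($binlogs) {
        if (PMA_DBI_num_rows($binlogs) > 0) {
            PMA_printListItem($strBinaryLog, 'li_mysql_binlogs',
                './server_binlog.php?' . $common_url_query);
        }
        PMA_DBI_free_result($binlogs);
    }
    unset($binlogs);

    PMA_printListItem($strDatabases, 'li_mysql_databases',
        './server_databases.php?' . $common_url_query);
    PMA_printListItem($strExport, 'li_export',
        './server_export.php?' . $common_url_query);
    PMA_printListItem($strImport, 'li_import',
        './server_import.php?' . $common_url_query);

    // Change password (TODO ? needs another message)
    if ($cfg['ShowChgPassword']) {
        PMA_printListItem($strChangePassword, 'li_change_password',
            './user_password.php?' . $common_url_query);
    } // end if

    // Logout for advanced authentication
    if ($cfg['Server']['auth_type'] != 'config') {
        // For 'http' auth the entry also links to the "login_bug" section of
        // the documentation.
        $http_logout = ($cfg['Server']['auth_type'] == 'http')
                     ? '<a href="./Documentation.html#login_bug" target="documentation">'
                        . ($cfg['ReplaceHelpImg'] ? '<img class="icon" src="' . $pmaThemeImage . 'b_info.png" width="11" height="11" alt="Info" />' : '(*)') . '</a>'
                     : '';
        // The user name is URL-encoded before it is placed in the query string.
        PMA_printListItem('<strong>' . $strLogout . '</strong> ' . $http_logout,
            'li_log_out',
            './index.php?' . $common_url_query . '&amp;old_usr=' . urlencode($PHP_AUTH_USER), null, '_parent');
    } // end if

    echo '</ul>';
} // end of if ($server > 0)
?>
</div>
<div id="pmamaininformation">
<?php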
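// phpMyAdmin panel: version heading, server / language / charset / theme
// selectors and the documentation links.
echo '<h1 xml:lang="en" dir="ltr">phpMyAdmin - ' . PMA_VERSION . '</h1>'
    . "\n";

echo '<ul>' . "\n";

/**
 * Displays the MySQL servers choice form
 */
if (!$cfg['LeftDisplayServers'] && (count($cfg['Servers']) > 1 || $server == 0 && count($cfg['Servers']) == 1)) {
    echo '<li id="li_select_server">';
    require_once './libraries/select_server.lib.php';
    PMA_select_server(true, true);
    echo '</li>';
}

if ($server > 0) {
    PMA_printListItem($strMysqlClientVersion . ': ' . PMA_DBI_get_client_info(),
        'li_mysql_client_version');
    PMA_printListItem($strUsedPhpExtensions . ': ' . $GLOBALS['cfg']['Server']['extension'],
        'li_used_php_extension');
}

// Displays language selection combo
if (empty($cfg['Lang'])) {
    echo '<li id="li_select_lang">';
    require_once './libraries/display_select_lang.lib.php';
    PMA_select_language();
    echo '</li>';
}

if (isset($cfg['AllowAnywhereRecoding']) && $cfg['AllowAnywhereRecoding']
    && $server != 0 && $allow_recoding && PMA_MYSQL_INT_VERSION < 40100) {
    echo '<li id="li_select_charset">';
    // NOTE(review): $server and $lang are written into attribute values
    // below without htmlspecialchars(); confirm that common.lib.php has
    // already restricted both to safe values.
    ?>
    <form method="post" action="index.php" target="_parent">
        <input type="hidden" name="server" value="<?php echo $server; ?>" />
        <input type="hidden" name="lang" value="<?php echo $lang; ?>" />
        <?php echo $strMySQLCharset;?>:
        <select name="convcharset"  xml:lang="en" dir="ltr"
            onchange="this.form.submit();">
    <?php
    foreach ($cfg['AvailableCharsets'] AS $id => $tmpcharset) {
        if ($convcharset == $tmpcharset) {
            $selected = ' selected="selected"';
        } else {
            $selected = '';
        }
        echo ' '
           . '<option value="' . $tmpcharset . '"' . $selected . '>' . $tmpcharset . '</option>' . "\n";
    }
    ?>
        </select>
        <noscript><input type="submit" value="<?php echo $strGo;?>" /></noscript>
    </form>
    </li>
    <?php
}

// added by Michael Keck <mail_at_michaelkeck_dot_de>
// ThemeManager if available

if ($GLOBALS['cfg']['ThemeManager']) {
    echo '<li id="li_select_theme">';
    echo $_SESSION['PMA_Theme_Manager']->getHtmlSelectBox();
    echo '</li>';
}
PMA_printListItem($strPmaDocumentation, 'li_pma_docs', 'Documentation.html');

// phpinfo.php is linked only when $cfg['ShowPhpInfo'] is enabled. The
// phpinfo() report discloses the PHP build, loaded modules and environment,
// so the setting is best left off where untrusted users can log in.
if ($cfg['ShowPhpInfo']) {
    PMA_printListItem($strShowPHPInfo, 'li_phpinfo', './phpinfo.php?' . $common_url_query);
}

// does not work if no target specified, don't know why
PMA_printListItem($strHomepageOfficial, 'li_pma_homepage', 'http://www.phpMyAdmin.net/', null, '_blank');
?>
    <li><bdo xml:lang="en" dir="ltr">
        [<a href="changelog.php" target="_blank">ChangeLog</a>]
        [<a href="http://phpmyadmin.cvs.sourceforge.net/phpmyadmin/"
            target="_blank">CVS</a>]
        [<a href="http://sourceforge.net/mail/?group_id=23067"
            target="_blank">Lists</a>]
        </bdo>
    </li>
</ul>
</div>
<?php
/**
 * BUG: MSIE needs two <br /> here, otherwise it will not extend the outer div to the
 * full height of the inner divs
 */
?>
<br class="clearfloat" />
<br class="clearfloat" />
</div>

<?php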
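// Errors collected in $GLOBALS['PMA_errors'] are printed one per <div>.
// NOTE(review): each entry is written into the page as HTML with no escaping
// at this point, so code that appends to $GLOBALS['PMA_errors'] has to escape
// any text it did not author; verify this at the places that fill the array.
if (! empty($GLOBALS['PMA_errors']) && is_array($GLOBALS['PMA_errors'])) {
    foreach ($GLOBALS['PMA_errors'] as $error) {
        echo '<div class="error">' . $error . '</div>' . "\n";
    }
}

/**
 * Removed the "empty $cfg['PmaAbsoluteUri']" warning on 2005-08-23
 * See https://sourceforge.net/tracker/index.php?func=detail&aid=1257134&group_id=23067&atid=377411
 */

/**
 * Warning if using the default MySQL privileged account
 * modified: 2004-05-05 mkkeck
 *
 * Fires when a server is selected and the configured login is 'root' with an
 * empty password.
 */
if ($server != 0
    && $cfg['Server']['user'] == 'root'
    && $cfg['Server']['password'] == '') {
    echo '<div class="warning">' . $strInsecureMySQL . '</div>' . "\n";
}

/**
 * Warning for PHP 4.2.3
 * modified: 2004-05-05 mkkeck
 */

if (PMA_PHP_INT_VERSION == 40203 && @extension_loaded('mbstring')) {
    echo '<div class="warning">' . $strPHP40203 . '</div>' . "\n";
}

/**
 * Nijel: As we try to handle charsets ourselves, mbstring overloads just
 * break it, see bug 1063821.
 */

if (@extension_loaded('mbstring') && @ini_get('mbstring.func_overload') > 1) {
    echo '<div class="warning">' . $strMbOverloadWarning . '</div>' . "\n";
}

/**
 * Nijel: mbstring is used for handling multibyte inside parser, so it is good
 * to tell user something might be broken without it, see bug #1063149.
 */
if ($GLOBALS['using_mb_charset'] && !@extension_loaded('mbstring')) {
    echo '<div class="warning">' . $strMbExtensionMissing . '</div>' . "\n";
}

/**
 * Warning for old PHP version
 * modified: 2004-05-05 mkkeck
 */

if (PMA_PHP_INT_VERSION < 40100) {
    echo '<div class="warning">' . sprintf($strUpgrade, 'PHP', '4.1.0') . '</div>' . "\n";
}

/**
 * Warning for old MySQL version
 * modified: 2004-05-05 mkkeck
 */
// not yet defined before the server choice
if (defined('PMA_MYSQL_INT_VERSION') && PMA_MYSQL_INT_VERSION < 32332) {
    echo '<div class="warning">' . sprintf($strUpgrade, 'MySQL', '3.23.32') . '</div>' . "\n";
}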
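/**
 * prints list item for main page
 *
 * Every argument is echoed exactly as received: nothing is HTML-escaped or
 * URL-encoded here. Callers must therefore pass values that are already safe
 * for the place they land in ($name as HTML content, $id / $url / $target as
 * double-quoted attribute values) and must escape anything that originates
 * from a request or from the database before calling.
 *
 * @param   string  $name            displayed text (emitted as raw HTML)
 * @param   string  $id              id, used for css styles
 * @param   string  $url             make item as link with $url as target
 * @param   string  $mysql_help_page display a link to MySQL's manual
 * @param   string  $target          special target for $url
 */
function PMA_printListItem($name, $id = null, $url = null, $mysql_help_page = null, $target = null)
{
    echo '<li id="' . $id . '">';
    if (null !== $url) {
        echo '<a href="' . $url . '"';
        // $target is only meaningful on a link, so it is ignored without $url
        if (null !== $target) {
            echo ' target="' . $target . '"';
        }
        echo '>';
    }

    echo $name;

    if (null !== $url) {
        echo '</a>' . "\n";
    }
    if (null !== $mysql_help_page) {
        echo PMA_showMySQLDocu('', $mysql_help_page);
    }
    echo '</li>';
}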
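/**
 * Displays the footer
 */
require_once './libraries/footer.inc.php';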