search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix escaping of long query with js (thanks to Erwin for report).
[phpmyadmin/last10db.git] / tbl_replace.php
blob4d131dbfa92debd0d797ecdd784a894e57f09db3
1 <?php
2 /* $Id$ */
3 // vim: expandtab sw=4 ts=4 sts=4:
4
5 /**
6 * Gets some core libraries
7 */
8 require_once('./libraries/common.lib.php');
9
10 // Check parameters
11 PMA_checkParameters(array('db', 'table', 'goto'));
12
13 PMA_DBI_select_db($db);
14
15 /**
16 * Initializes some variables
17 */
18 // Defines the url to return in case of success of the query
19 if (isset($sql_query)) {
20 $sql_query = urldecode($sql_query);
21 }
22 if (!isset($dontlimitchars)) {
23 $dontlimitchars = 0;
24 }
25 if (!isset($pos)) {
26 $pos = 0;
27 }
28 $is_gotofile = FALSE;
29 if (isset($after_insert) && $after_insert == 'new_insert') {
30 $goto = 'tbl_change.php?'
31 . PMA_generate_common_url($db, $table, '&')
32 . '&goto=' . urlencode($goto)
33 . '&pos=' . $pos
34 . '&session_max_rows=' . $session_max_rows
35 . '&disp_direction=' . $disp_direction
36 . '&repeat_cells=' . $repeat_cells
37 . '&dontlimitchars=' . $dontlimitchars
38 . '&after_insert=' . $after_insert
39 . (empty($sql_query) ? '' : '&sql_query=' . urlencode($sql_query));
40 } elseif (isset($after_insert) && $after_insert == 'same_insert') {
41 $goto = 'tbl_change.php?'
42 . PMA_generate_common_url($db, $table, '&')
43 . '&goto=' . urlencode($goto)
44 . '&pos=' . $pos
45 . '&session_max_rows=' . $session_max_rows
46 . '&disp_direction=' . $disp_direction
47 . '&repeat_cells=' . $repeat_cells
48 . '&dontlimitchars=' . $dontlimitchars
49 . '&after_insert=' . $after_insert
50 . (empty($sql_query) ? '' : '&sql_query=' . urlencode($sql_query));
51 if (isset($primary_key)) {
52 foreach ($primary_key AS $pk) {
53 $goto .= '&primary_key[]=' . $pk;
54 }
55 }
56 } elseif (isset($after_insert) && $after_insert == 'edit_next') {
57 $goto = 'tbl_change.php?'
58 . PMA_generate_common_url($db, $table, '&')
59 . '&goto=' . urlencode($goto)
60 . '&pos=' . $pos
61 . '&session_max_rows=' . $session_max_rows
62 . '&disp_direction=' . $disp_direction
63 . '&repeat_cells=' . $repeat_cells
64 . '&dontlimitchars=' . $dontlimitchars
65 . '&after_insert=' . $after_insert
66 . (empty($sql_query) ? '' : '&sql_query=' . urlencode($sql_query));
67 if (isset($primary_key)) {
68 foreach ($primary_key AS $pk) {
69 $local_query = 'SELECT * FROM ' . PMA_backquote($table) . ' WHERE ' . str_replace('` =', '` >', urldecode($pk)) . ' LIMIT 1;';
70 $res = PMA_DBI_query($local_query);
71 $row = PMA_DBI_fetch_row($res);
72 $meta = PMA_DBI_get_fields_meta($res);
73 $goto .= '&primary_key[]=' . urlencode(PMA_getUvaCondition($res, count($row), $meta, $row));
74 }
75 }
76 } elseif ($goto == 'sql.php') {
77 $goto = 'sql.php?'
78 . PMA_generate_common_url($db, $table, '&')
79 . '&pos=' . $pos
80 . '&session_max_rows=' . $session_max_rows
81 . '&disp_direction=' . $disp_direction
82 . '&repeat_cells=' . $repeat_cells
83 . '&dontlimitchars=' . $dontlimitchars
84 . '&sql_query=' . urlencode($sql_query);
85 } elseif (!empty($goto)) {
86 // Security checkings
87 $is_gotofile = preg_replace('@^([^?]+).*$@', '\\1', $goto);
88 if (!@file_exists('./' . $is_gotofile)) {
89 $goto = (! isset($table) || ! strlen($table)) ? 'db_details.php' : 'tbl_properties.php';
90 $is_gotofile = TRUE;
91 } else {
92 $is_gotofile = ($is_gotofile == $goto);
93 }
94 }
95
96 // Defines the url to return in case of failure of the query
97 if (isset($err_url)) {
98 $err_url = urldecode($err_url);
99 } else {
100 $err_url = str_replace('&', '&amp;', $goto)
101 . (empty($primary_key) ? '' : '&amp;primary_key=' . (is_array($primary_key) ? $primary_key[0] : $primary_key));
102 }
103
104 // Misc
105 $seen_binary = FALSE;
106
107 /**
108 * Prepares the update/insert of a row
109 */
110 if (isset($primary_key)) {
111 // we were editing something => use primary key
112 $loop_array = (is_array($primary_key) ? $primary_key : array(0 => $primary_key));
113 $using_key = TRUE;
114 $is_insert = ($submit_type == $strInsertAsNewRow);
115 } else {
116 // new row => use indexes
117 $loop_array = array();
118 for ($i = 0; $i < $cfg['InsertRows']; $i++) $loop_array[$i] = $i;
119 $using_key = FALSE;
120 $is_insert = TRUE;
121 }
122
123 $query = array();
124 $message = '';
125
126 foreach ($loop_array AS $primary_key_index => $enc_primary_key) {
127 // skip fields to be ignored
128 if (!$using_key && isset($GLOBALS['insert_ignore_' . $enc_primary_key])) {
129 continue;
130 }
131
132 // Restore the "primary key" to a convenient format
133 $primary_key = urldecode($enc_primary_key);
134
135 // Defines the SET part of the sql query
136 $valuelist = '';
137 $fieldlist = '';
138
139 // Map multi-edit keys to single-level arrays, dependent on how we got the fields
140 $me_fields = isset($fields['multi_edit']) && isset($fields['multi_edit'][$enc_primary_key]) ? $fields['multi_edit'][$enc_primary_key] : null;
141 $me_fields_prev = isset($fields_prev['multi_edit']) && isset($fields_prev['multi_edit'][$enc_primary_key]) ? $fields_prev['multi_edit'][$enc_primary_key] : null;
142 $me_funcs = isset($funcs['multi_edit']) && isset($funcs['multi_edit'][$enc_primary_key]) ? $funcs['multi_edit'][$enc_primary_key] : null;
143 $me_fields_type = isset($fields_type['multi_edit']) && isset($fields_type['multi_edit'][$enc_primary_key]) ? $fields_type['multi_edit'][$enc_primary_key] : null;
144 $me_fields_null = isset($fields_null['multi_edit']) && isset($fields_null['multi_edit'][$enc_primary_key]) ? $fields_null['multi_edit'][$enc_primary_key] : null;
145 $me_fields_null_prev = isset($fields_null_prev['multi_edit']) && isset($fields_null_prev['multi_edit'][$enc_primary_key]) ? $fields_null_prev['multi_edit'][$enc_primary_key] : null;
146 $me_auto_increment = isset($auto_increment['multi_edit']) && isset($auto_increment['multi_edit'][$enc_primary_key]) ? $auto_increment['multi_edit'][$enc_primary_key] : null;
147
148 if ($using_key && isset($me_fields_type) && is_array($me_fields_type) && isset($primary_key)) {
149 $prot_result = PMA_DBI_query('SELECT * FROM ' . PMA_backquote($table) . ' WHERE ' . $primary_key . ';');
150 $prot_row = PMA_DBI_fetch_assoc($prot_result);
151 PMA_DBI_free_result($prot_result);
152 unset($prot_result);
153 }
154
155 foreach ($me_fields AS $encoded_key => $val) {
156 $key = urldecode($encoded_key);
157 $fieldlist .= PMA_backquote($key) . ', ';
158
159 require('./libraries/tbl_replace_fields.inc.php');
160
161 if (empty($me_funcs[$encoded_key])) {
162 $cur_value = $val . ', ';
163 } elseif (preg_match('@^(UNIX_TIMESTAMP)$@', $me_funcs[$encoded_key]) && $val != '\'\'') {
164 $cur_value = $me_funcs[$encoded_key] . '(' . $val . '), ';
165 } elseif (preg_match('@^(NOW|CURDATE|CURTIME|UTC_DATE|UTC_TIME|UTC_TIMESTAMP|UNIX_TIMESTAMP|RAND|USER|LAST_INSERT_ID)$@', $me_funcs[$encoded_key])) {
166 $cur_value = $me_funcs[$encoded_key] . '(), ';
167 } else {
168 $cur_value = $me_funcs[$encoded_key] . '(' . $val . '), ';
169 }
170
171 // i n s e r t
172 if ($is_insert) {
173 // no need to add column into the valuelist
174 $valuelist .= $cur_value;
175
176 // u p d a t e
177 } elseif (isset($me_fields_null_prev) && isset($me_fields_null_prev[$encoded_key]) && !empty($me_fields_null_prev[$encoded_key]) && !isset($me_fields_null[$encoded_key])) {
178 // field had the null checkbox before the update
179 // field no longer has the null checkbox
180 $valuelist .= PMA_backquote($key) . ' = ' . $cur_value;
181 } elseif (empty($me_funcs[$encoded_key])
182 && isset($me_fields_prev) && isset($me_fields_prev[$encoded_key])
183 && ("'" . PMA_sqlAddslashes(urldecode($me_fields_prev[$encoded_key])) . "'" == $val)) {
184 // No change for this column and no MySQL function is used -> next column
185 continue;
186 } elseif (!empty($val)) {
187 // avoid setting a field to NULL when it's already NULL
188 // (field had the null checkbox before the update
189 // field still has the null checkbox)
190 if (!(isset($me_fields_null_prev) && isset($me_fields_null_prev[$encoded_key]) && !empty($me_fields_null_prev[$encoded_key]) && isset($me_fields_null[$encoded_key]))) {
191 $valuelist .= PMA_backquote($key) . ' = ' . $cur_value;
192 }
193 }
194 } // end while
195
196 // get rid of last ,
197 $valuelist = preg_replace('@, $@', '', $valuelist);
198
199 // Builds the sql query
200 if ($is_insert) {
201 if (empty($query)) {
202 // first inserted row -> prepare template
203 $fieldlist = preg_replace('@, $@', '', $fieldlist);
204 $query = array('INSERT INTO ' . PMA_backquote($table) . ' (' . $fieldlist . ') VALUES ');
205 }
206 // append current values
207 $query[0] .= '(' . $valuelist . '), ';
208 $message = $strInsertedRows . '&nbsp;';
209 } elseif (!empty($valuelist)) {
210 // build update query
211 $query[] = 'UPDATE ' . PMA_backquote($table) . ' SET ' . $valuelist . ' WHERE' . $primary_key . ' LIMIT 1';
212
213 $message = $strAffectedRows . '&nbsp;';
214 }
215 } // end for
216
217 // trim last , from insert query
218 if ($is_insert) {
219 $query[0] = preg_replace('@, $@', '', $query[0]);
220 }
221
222 if (empty($valuelist) && empty($query)) {
223 // No change -> move back to the calling script
224 $message = $strNoModification;
225 if ($is_gotofile) {
226 $js_to_run = 'functions.js';
227 require_once('./libraries/header.inc.php');
228 require('./' . PMA_securePath($goto));
229 } else {
230 PMA_sendHeaderLocation($cfg['PmaAbsoluteUri'] . $goto . '&disp_message=' . urlencode($message) . '&disp_query=');
231
232 }
233 exit();
234 }
235
236 /**
237 * Executes the sql query and get the result, then move back to the calling
238 * page
239 */
240 $sql_query = implode(';', $query) . ';';
241 $total_affected_rows = 0;
242 $last_message = '';
243 $warning_message = '';
244
245 foreach ($query AS $query_index => $single_query) {
246 if ($cfg['IgnoreMultiSubmitErrors']) {
247 $result = PMA_DBI_try_query($single_query);
248 } else {
249 $result = PMA_DBI_query($single_query);
250 }
251 if (isset($GLOBALS['warning'])) {
252 $warning_message .= $GLOBALS['warning'] . '[br]';
253 }
254 if (!$result) {
255 $message .= PMA_DBI_getError();
256 } else {
257 if (@PMA_DBI_affected_rows()) {
258 $total_affected_rows += @PMA_DBI_affected_rows();
259 }
260
261 $insert_id = PMA_DBI_insert_id();
262 if ($insert_id != 0) {
263 $last_message .= '[br]'.$strInsertedRowId . '&nbsp;' . $insert_id;
264 }
265 } // end if
266 PMA_DBI_free_result($result);
267 unset($result);
268 }
269
270 if ($total_affected_rows != 0) {
271 $message .= $total_affected_rows;
272 } else {
273 $message .= $strModifications;
274 }
275
276 $message .= $last_message;
277
278 if (!empty($warning_message)) {
279 /**
280 * @todo use a <div class="warning"> in PMA_showMessage() for this part of the message
281 */
282 $message .= '[br]' . $warning_message;
283 }
284
285 if ($is_gotofile) {
286 if ($goto == 'db_details.php' && isset($table)) {
287 unset($table);
288 }
289 $js_to_run = 'functions.js';
290 $active_page = $goto;
291 require_once('./libraries/header.inc.php');
292 require('./' . PMA_securePath($goto));
293 } else {
294
295 // if we have seen binary,
296 // we do not append the query to the Location so it won't be displayed
297 // on the resulting page
298 // Nijel: we also need to limit size of url...
299 $add_query = (!$seen_binary && strlen($sql_query) < 1024 ? '&disp_query=' . urlencode($sql_query) : '');
300 PMA_sendHeaderLocation($cfg['PmaAbsoluteUri'] . $goto . '&disp_message=' . urlencode($message) . $add_query);
301 }
302 exit();
303 ?>
Proposed solution for https://sourceforge.net/tracker/?func=detail&aid=3141575&group_id=23067&atid=377411