From 2183740b05bf9e5cb364a48b7766504d26895cfa Mon Sep 17 00:00:00 2001 From: "Alexander M. Turek" Date: Sun, 2 Mar 2003 17:26:41 +0000 Subject: [PATCH] If magic_quotes_gpc is enabled, grab_globals calls stripslashes when extracting the arrays $_GET and $_POST. --- ChangeLog | 23 +++++++++++++++--- db_details.php3 | 3 --- db_details_qbe.php3 | 19 +++------------ db_search.php3 | 28 ++++----------------- ldi_check.php3 | 22 +++-------------- libraries/build_dump.lib.php3 | 9 +------ libraries/common.lib.php3 | 22 ++++++++++++++++- libraries/display_tbl.lib.php3 | 26 ++++++++------------ libraries/grab_globals.lib.php3 | 41 +++++++++++++++++++------------ mult_submits.inc.php3 | 10 +++----- read_dump.php3 | 10 +------- server_privileges.php3 | 14 +++++------ sql.php3 | 11 +-------- tbl_addfield.php3 | 25 +++---------------- tbl_change.php3 | 16 +++--------- tbl_create.php3 | 26 +------------------- tbl_dump.php3 | 7 ++---- tbl_indexes.php3 | 15 +----------- tbl_move_copy.php3 | 9 ------- tbl_properties.inc.php3 | 43 +++++++++++++++------------------ tbl_properties_operations.php3 | 2 +- tbl_properties_options.php3 | 5 +--- tbl_query_box.php3 | 11 +++------ tbl_rename.php3 | 3 --- tbl_replace.php3 | 3 --- tbl_replace_fields.php3 | 16 +++++------- tbl_select.php3 | 7 +----- transformation_wrapper.php3 | 12 ++------- user_password.php3 | 6 +---- 29 files changed, 149 insertions(+), 295 deletions(-) diff --git a/ChangeLog b/ChangeLog index 2f5507fbf..6c55ca821 100755 --- a/ChangeLog +++ b/ChangeLog @@ -5,10 +5,27 @@ phpMyAdmin - Changelog $Id$ $Source$ +2003-03-02 Alexander M. Turek + * db_details.php3, db_details_qbe.php3, db_search.php3, ldi_check.php3, + mult_submits.inc.php3, read_dump.php3, sql.php3, tbl_addfield.php3, + tbl_change.php3, tbl_create.php3, tbl_dump.php3, tbl_indexes.php3, + tbl_move_copy.php3, tbl_properties.inc.php3, + tbl_properties_operations.php3, tbl_properties_options.php3, + tbl_query_box.php3, tbl_rename.php3, tbl_replace.php3, + tbl_replace_fields.php3, tbl_select.php3, transformation_wrapper.php3, + user_password.php3, libraries/build_dump.php3, libraries/common.lib.php3, + libraries/display_tbl.lib.php3, libraries/grab_globals.php3: + If magic_quotes_gpc is enabled, grab_globals calls stripslashes when + extracting the arrays $_GET and $_POST. This should replace a lots of + workarounds and avoid present and future problems with magic_quotes_gpc. + * server_privileges.php3, libraries/common.lib.php3: + - Escape wildcard characters in the database and table dropdown boxes; + - CSS fixes. + 2003-03-01 Marc Delisle * lang/english: typo * tbl_dump.php3: undefined variable $use_comments - * tbl_properties_export.php3: bug 692143: now we remove the + * tbl_properties_export.php3: bug 692143: now we remove the LIMIT clause from the original query to use the limits entered on the export form * pdf_schema.php3: better header/footer for long pages, @@ -19,9 +36,9 @@ $Source$ index. 2003-03-01 Robin Johnson - * libraries/xpath/XPath.class.php, libraries/xpath/: + * libraries/xpath/XPath.class.php, libraries/xpath/: - Removed (was part of the early DB config prototype) - * lang/translatecount.sh: + * lang/translatecount.sh: - Counts just how out of date the translations are! 2003-02-28 Michal Cihar diff --git a/db_details.php3 b/db_details.php3 index 51788bbcd..f21de1610 100755 --- a/db_details.php3 +++ b/db_details.php3 @@ -19,9 +19,6 @@ if (isset($show_query) && $show_query == '1') { $query_to_display = $sql_query_cpy; } // Other cases - else if (get_magic_quotes_gpc()) { - $query_to_display = stripslashes($sql_query); - } else { $query_to_display = $sql_query; } diff --git a/db_details_qbe.php3 b/db_details_qbe.php3 index b3de9abe6..7541a12ec 100755 --- a/db_details_qbe.php3 +++ b/db_details_qbe.php3 @@ -25,9 +25,6 @@ if (isset($submit_sql) && eregi('^SELECT', $encoded_sql_query)) { $goto = 'db_details.php3'; $zero_rows = htmlspecialchars($strSuccess); $sql_query = urldecode($encoded_sql_query); - if (get_magic_quotes_gpc()) { - $sql_query = addslashes($sql_query); - } include('./sql.php3'); exit(); } else { @@ -365,11 +362,7 @@ for ($x = 0; $x < $col; $x++) { continue; } if (isset($Criteria[$x])) { - if (get_magic_quotes_gpc()) { - $stripped_Criteria = stripslashes($Criteria[$x]); - } else { - $stripped_Criteria = $Criteria[$x]; - } + $stripped_Criteria = $Criteria[$x]; } if ((empty($prev_Criteria) || !isset($prev_Criteria[$x])) || urldecode($prev_Criteria[$x]) != htmlspecialchars($stripped_Criteria)) { @@ -534,11 +527,7 @@ for ($y = 0; $y <= $row; $y++) { ${$or} = ''; } if (!empty(${$or}) && isset(${$or}[$x])) { - if (get_magic_quotes_gpc()) { - $stripped_or = stripslashes(${$or}[$x]); - } else { - $stripped_or = ${$or}[$x]; - } + $stripped_or = ${$or}[$x]; } else { $stripped_or = ''; } @@ -893,7 +882,7 @@ if (isset($Field) && count($Field) > 0) { } else { //$master = $col_cand[0]; reset($col_cand); - $master = current($col_cand); + $master = current($col_cand); //echo 'master ist der einzige Kandidat: ' . $master . "\n"; } } // end if (exactly one where clause) @@ -1048,7 +1037,7 @@ for ($y = 0; $y <= $row; $y++) { if (!empty($curField[$x]) && !empty(${'curOr' . $y}[$x])) { $qry_orwhere .= '(' . $curField[$x] . ' ' - . (get_magic_quotes_gpc() ? stripslashes(${'curOr' . $y}[$x]) : ${'curOr' . $y}[$x]) + . ${'curOr' . $y}[$x] . ')'; $last_orwhere = $x; $criteria_cnt++; diff --git a/db_search.php3 b/db_search.php3 index 50f19c235..3e96cbcc4 100644 --- a/db_search.php3 +++ b/db_search.php3 @@ -93,7 +93,7 @@ if (isset($submit_search)) { for ($j = 0; $j < $tblfields_cnt; $j++) { $thefieldlikevalue[] = $tblfields[$j] . ' ' . $like_or_regex - . ' \'' + . ' \'' . $automatic_wildcard . $search_words[$i] . $automatic_wildcard . '\''; @@ -119,24 +119,6 @@ if (isset($submit_search)) { } // end of the "PMA_getSearchSqls()" function - /** - * Strip slashes if necessary - */ - if (get_magic_quotes_gpc()) { - $search_str = stripslashes($search_str); - if (isset($table)) { - $table = stripslashes($table); - } - else if (isset($table_select)) { - $table_select_cnt = count($table_select); - reset($table_select); - for ($i = 0; $i < $table_select_cnt; $i++) { - $table_select[$i] = stripslashes($table_select[$i]); - } // end for - } // end if... else if... - } // end if - - /** * Displays the results */ @@ -220,11 +202,11 @@ if (isset($submit_search)) { . ' \n"; if ($res_cnt > 0) { - echo '\n"; - echo '\n"; @@ -259,11 +241,11 @@ if (isset($submit_search)) { . '
' . sprintf($strNumSearchResultsInTable, $res_cnt, htmlspecialchars($onetable)) . "' . PMA_linkOrButton('sql.php3?' . $url_sql_query + echo '' . PMA_linkOrButton('sql.php3?' . $url_sql_query . '&sql_query=' .urlencode($newsearchsqls['select_fields']), $strBrowse, '') . "' . PMA_linkOrButton('sql.php3?' . $url_sql_query + echo '' . PMA_linkOrButton('sql.php3?' . $url_sql_query . '&sql_query=' .urlencode($newsearchsqls['delete']), $strDelete, $newsearchsqls['delete']) . "
\n"; if ($res_cnt > 0) { - echo '\n"; - echo '\n"; diff --git a/ldi_check.php3 b/ldi_check.php3 index 85624a3b1..87b3b5186 100755 --- a/ldi_check.php3 +++ b/ldi_check.php3 @@ -46,17 +46,9 @@ if (isset($btnLDI) && ($textfile != 'none')) { // Formats the data posted to this script $textfile = PMA_sqlAddslashes($textfile); - if (get_magic_quotes_gpc()) { - $field_terminater = stripslashes($field_terminater); - $enclosed = PMA_sqlAddslashes(stripslashes($enclosed)); - $escaped = PMA_sqlAddslashes(stripslashes($escaped)); - $line_terminator = stripslashes($line_terminator); - $column_name = PMA_sqlAddslashes(stripslashes($column_name)); - } else { - $enclosed = PMA_sqlAddslashes($enclosed); - $escaped = PMA_sqlAddslashes($escaped); - $column_name = PMA_sqlAddslashes($column_name); - } + $enclosed = PMA_sqlAddslashes($enclosed); + $escaped = PMA_sqlAddslashes($escaped); + $column_name = PMA_sqlAddslashes($column_name); // (try to) make sure the file is readable: chmod($textfile, 0777); @@ -125,14 +117,6 @@ if (isset($btnLDI) && ($textfile != 'none')) { } } - // Executes the query - // sql.php3 will stripslash the query if 'magic_quotes_gpc' is set to on - if (get_magic_quotes_gpc()) { - $sql_query = addslashes($query); - } else { - $sql_query = $query; - } - // We could rename the ldi* scripts to tbl_properties_ldi* to improve // consistency with the other sub-pages. // diff --git a/libraries/build_dump.lib.php3 b/libraries/build_dump.lib.php3 index 1c5c1b604..7b31b3b09 100644 --- a/libraries/build_dump.lib.php3 +++ b/libraries/build_dump.lib.php3 @@ -508,7 +508,7 @@ if (!defined('PMA_BUILD_DUMP_LIB_INCLUDED')){ * @param string the handler (function) to call. It must accept one * parameter ($sql_insert) * @param string the url to go back in case of error - * @param string sql query (optional) + * @param string sql query (optional) * * @global string whether to obtain an excel compatible csv format or a * simple csv one @@ -527,17 +527,12 @@ if (!defined('PMA_BUILD_DUMP_LIB_INCLUDED')){ } else if (!isset($sep)) { $sep = ''; } else { - if (get_magic_quotes_gpc()) { - $sep = stripslashes($sep); - } $sep = str_replace('\\t', "\011", $sep); } if ($what == 'excel') { $enc_by = '"'; } else if (!isset($enc_by)) { $enc_by = ''; - } else if (get_magic_quotes_gpc()) { - $enc_by = stripslashes($enc_by); } if ($what == 'excel' || (empty($esc_by) && $enc_by != '')) { @@ -545,8 +540,6 @@ if (!defined('PMA_BUILD_DUMP_LIB_INCLUDED')){ $esc_by = $enc_by; } else if (!isset($esc_by)) { $esc_by = ''; - } else if (get_magic_quotes_gpc()) { - $esc_by = stripslashes($esc_by); } // Defines the offsets to use diff --git a/libraries/common.lib.php3 b/libraries/common.lib.php3 index 51f668547..62576ff07 100644 --- a/libraries/common.lib.php3 +++ b/libraries/common.lib.php3 @@ -265,6 +265,26 @@ h1 {font-family: sans-serif; font-size: large; font-weight: bold} } // end of the 'PMA_sqlAddslashes()' function + /** + * Add slashes before "_" and "%" characters for using them in MySQL + * database, table and field names. + * Note: This function does not escape backslashes! + * + * @param string the string to escape + * + * @return string the escaped string + * + * @access public + */ + function PMA_escape_mysql_wildcards($name) + { + $name = str_replace('_', '\\_', $name); + $name = str_replace('%', '\\%', $name); + + return $name; + } // end of the 'PMA_escape_mysql_wildcards()' function + + /** * format sql strings * @@ -1208,7 +1228,7 @@ if (typeof(document.getElementById) != 'undefined'
' . sprintf($strNumSearchResultsInTable, $res_cnt, htmlspecialchars($table_select[$i])) . "' . PMA_linkOrButton('sql.php3?' . $url_sql_query + echo '' . PMA_linkOrButton('sql.php3?' . $url_sql_query . '&sql_query=' .urlencode($newsearchsqls['select_fields']), $strBrowse, '') . "' . PMA_linkOrButton('sql.php3?' . $url_sql_query + echo '' . PMA_linkOrButton('sql.php3?' . $url_sql_query . '&sql_query=' .urlencode($newsearchsqls['delete']), $strDelete, $newsearchsqls['delete']) . "
name]['mimetype']) && isset($GLOBALS['mime_map'][$meta->name]['transformation'])) { @@ -1019,7 +1019,7 @@ if (!defined('PMA_DISPLAY_TBL_LIB_INCLUDED')) { } } - + } $transform_options['wrapper_link'] = '?' @@ -1110,10 +1110,10 @@ if (!defined('PMA_DISPLAY_TBL_LIB_INCLUDED')) { $blobtext .= ' - '. $blob_size [0] . ' ' . $blob_size[1]; unset($blob_size); } - + $blobtext .= ']'; $blobtext = ($default_function != $transform_function ? $transform_function($blobtext, $transform_options) : $default_function($blobtext)); - + $vertical_display['data'][$row_no][$i] = ' '; } else { //if (!isset($row[$meta->name]) @@ -1127,11 +1127,11 @@ if (!defined('PMA_DISPLAY_TBL_LIB_INCLUDED')) { } // loic1: displays all space characters, 4 space // characters for tabulations and / - + $row[$pointer] = ($default_function != $transform_function ? $transform_function('BLOB', $transform_options) : $default_function($row[$pointer])); $row[$pointer] = str_replace("\011", '    ', str_replace(' ', '  ', $row[$pointer])); $row[$pointer] = ereg_replace("((\015\012)|(\015)|(\012))", '
', $row[$pointer]); - + $vertical_display['data'][$row_no][$i] = ' ' . "\n"; } else { $vertical_display['data'][$row_no][$i] = ' ' . "\n"; @@ -1169,7 +1169,7 @@ if (!defined('PMA_DISPLAY_TBL_LIB_INCLUDED')) { $row[$pointer] = str_replace("\011", '    ', str_replace(' ', '  ', $row[$pointer])); $row[$pointer] = ereg_replace("((\015\012)|(\015)|(\012))", '
', $row[$pointer]); } - + // loic1: do not wrap if date field type $nowrap = (eregi('DATE|TIME', $meta->type) ? ' nowrap="nowrap"' : ''); $vertical_display['data'][$row_no][$i] = ' ' . "\n" . $spaces . ' ' . "\n" . $spaces . ' ' . "\n" . $spaces . ' '; - + } // end else if ( binary or blob) else { // For char or varchar, respect the maximum length (M); for other diff --git a/tbl_create.php3 b/tbl_create.php3 index b67fb7aeb..359a55fb3 100755 --- a/tbl_create.php3 +++ b/tbl_create.php3 @@ -49,19 +49,12 @@ if (isset($submit)) { if (empty($field_name[$i])) { continue; } - if (get_magic_quotes_gpc()) { - $field_name[$i] = stripslashes($field_name[$i]); - } if (PMA_MYSQL_INT_VERSION < 32306) { PMA_checkReservedWords($field_name[$i], $err_url); } $query = PMA_backquote($field_name[$i]) . ' ' . $field_type[$i]; if ($field_length[$i] != '') { - if (get_magic_quotes_gpc()) { - $query .= '(' . stripslashes($field_length[$i]) . ')'; - } else { - $query .= '(' . $field_length[$i] . ')'; - } + $query .= '(' . $field_length[$i] . ')'; } if ($field_attribute[$i] != '') { $query .= ' ' . $field_attribute[$i]; @@ -69,8 +62,6 @@ if (isset($submit)) { if ($field_default[$i] != '') { if (strtoupper($field_default[$i]) == 'NULL') { $query .= ' DEFAULT NULL'; - } else if (get_magic_quotes_gpc()) { - $query .= ' DEFAULT \'' . PMA_sqlAddslashes(stripslashes($field_default[$i])) . '\''; } else { $query .= ' DEFAULT \'' . PMA_sqlAddslashes($field_default[$i]) . '\''; } @@ -96,9 +87,6 @@ if (isset($submit)) { for ($i = 0; $i < $primary_cnt; $i++) { $j = $field_primary[$i]; if (!empty($field_name[$j])) { - if (get_magic_quotes_gpc()) { - $field_name[$j] = stripslashes($field_name[$j]); - } $primary .= PMA_backquote($field_name[$j]) . ', '; } } // end for @@ -116,9 +104,6 @@ if (isset($submit)) { for ($i = 0;$i < $index_cnt; $i++) { $j = $field_index[$i]; if (!empty($field_name[$j])) { - if (get_magic_quotes_gpc()) { - $field_name[$j] = stripslashes($field_name[$j]); - } $index .= PMA_backquote($field_name[$j]) . ', '; } } // end for @@ -136,9 +121,6 @@ if (isset($submit)) { for ($i = 0; $i < $unique_cnt; $i++) { $j = $field_unique[$i]; if (!empty($field_name[$j])) { - if (get_magic_quotes_gpc()) { - $field_name[$j] = stripslashes($field_name[$j]); - } $unique .= PMA_backquote($field_name[$j]) . ', '; } } // end for @@ -156,9 +138,6 @@ if (isset($submit)) { for ($i = 0; $i < $fulltext_cnt; $i++) { $j = $field_fulltext[$i]; if (!empty($field_name[$j])) { - if (get_magic_quotes_gpc()) { - $field_name[$j] = stripslashes($field_name[$j]); - } $fulltext .= PMA_backquote($field_name[$j]) . ', '; } } // end for @@ -180,9 +159,6 @@ if (isset($submit)) { $query_cpy .= ' TYPE = ' . $tbl_type; } if (PMA_MYSQL_INT_VERSION >= 32300 && !empty($comment)) { - if (get_magic_quotes_gpc()) { - $comment = stripslashes($comment); - } $sql_query .= ' COMMENT = \'' . PMA_sqlAddslashes($comment) . '\''; $query_cpy .= "\n" . 'COMMENT = \'' . PMA_sqlAddslashes($comment) . '\''; } diff --git a/tbl_dump.php3 b/tbl_dump.php3 index c869f5aab..f3db609d5 100755 --- a/tbl_dump.php3 +++ b/tbl_dump.php3 @@ -289,7 +289,7 @@ else { } if ((isset($tmp_select) && strpos(' ' . $tmp_select, '|' . $table . '|')) || (!isset($tmp_select) && !empty($table))) { - $dump_buffer .= PMA_getTableXML($db, $table, $limit_from, $limit_to, $crlf, $err_url, + $dump_buffer .= PMA_getTableXML($db, $table, $limit_from, $limit_to, $crlf, $err_url, (isset($sql_query)?urldecode($sql_query):'')); } $i++; @@ -327,7 +327,7 @@ else { || (!isset($tmp_select) && !empty($table))) { // to do: add option for the formatting ( c, l, r, p) - $dump_buffer .= PMA_getTableLatex($db, $table, $environment, $limit_from, $limit_to, $crlf, $err_url, + $dump_buffer .= PMA_getTableLatex($db, $table, $environment, $limit_from, $limit_to, $crlf, $err_url, (isset($sql_query)?urldecode($sql_query):'')); } $i++; @@ -343,9 +343,6 @@ else { } else if (empty($add_character)) { $add_character = $GLOBALS['crlf']; } else { - if (get_magic_quotes_gpc()) { - $add_character = stripslashes($add_character); - } $add_character = str_replace('\\r', "\015", $add_character); $add_character = str_replace('\\n', "\012", $add_character); $add_character = str_replace('\\t', "\011", $add_character); diff --git a/tbl_indexes.php3 b/tbl_indexes.php3 index 4241a0d70..d4adce947 100644 --- a/tbl_indexes.php3 +++ b/tbl_indexes.php3 @@ -143,19 +143,6 @@ if ($fields_rs) { } -/** - * Stipslashes some variables if required - */ -if (get_magic_quotes_gpc()) { - if (isset($index)) { - $index = stripslashes($index); - } - if (isset($old_index)) { - $old_index = stripslashes($old_index); - } -} // end if - - /** * Do run the query to build the new index and moves back to * "tbl_properties.php3" @@ -212,7 +199,7 @@ if (!defined('PMA_IDX_INCLUDED') while (list($i, $name) = each($column)) { if ($name != '--ignore--') { $index_fields .= (empty($index_fields) ? '' : ',') - . PMA_backquote(get_magic_quotes_gpc() ? stripslashes($name) : $name) + . PMA_backquote($name) . (empty($sub_part[$i]) ? '' : '(' . $sub_part[$i] . ')'); } } // end while diff --git a/tbl_move_copy.php3 b/tbl_move_copy.php3 index 598c51f46..8549b1256 100644 --- a/tbl_move_copy.php3 +++ b/tbl_move_copy.php3 @@ -50,15 +50,6 @@ if (isset($new_name) && trim($new_name) != '') { $use_backquotes = 1; $asfile = 1; - if (get_magic_quotes_gpc()) { - if (!empty($target_db)) { - $target_db = stripslashes($target_db); - } else { - $target_db = stripslashes($db); - } - $new_name = stripslashes($new_name); - } - // Ensure the target is valid if (count($dblist) > 0 && (PMA_isInto($db, $dblist) == -1 || PMA_isInto($target_db, $dblist) == -1)) { diff --git a/tbl_properties.inc.php3 b/tbl_properties.inc.php3 index 641fff69c..a8e49877d 100755 --- a/tbl_properties.inc.php3 +++ b/tbl_properties.inc.php3 @@ -82,13 +82,13 @@ for ($i = 0 ; $i < $num_fields; $i++) { // Cell index: If certain fields get left out, the counter shouldn't chage. $ci = 0; - + if ($is_backup) { $content_cells[$i][$ci] = "\n" . '' . "\n"; } else { $content_cells[$i][$ci] = ''; } - + $content_cells[$i][$ci] .= "\n" . ''; $ci++; $content_cells[$i][$ci] = ''; $ci++; - + if ($is_backup) { $content_cells[$i][$ci] = "\n" . ''; } else { $content_cells[$i][$ci] = ''; } - + $content_cells[$i][$ci] .= "\n" . '' . "\n"; $ci++; - + $content_cells[$i][$ci] = ''; $ci++; - + $content_cells[$i][$ci] = ''; $ci++; - + if (isset($row) && !isset($row['Default']) && !empty($row['Null'])) { $row['Default'] = 'NULL'; @@ -200,10 +197,10 @@ for ($i = 0 ; $i < $num_fields; $i++) { } else { $content_cells[$i][5] = "\n"; } - + $content_cells[$i][$ci] .= ''; $ci++; - + $content_cells[$i][$ci] = ''; $ci++; @@ -238,7 +235,7 @@ for ($i = 0 ; $i < $num_fields; $i++) { $content_cells[$i][$ci] .= ' '; } } - + $content_cells[$i][$ci] .= ''; $ci++; @@ -251,7 +248,7 @@ for ($i = 0 ; $i < $num_fields; $i++) { $content_cells[$i][$ci] .= '' . "\n"; } } - + $content_cells[$i][$ci] .= ''; $ci++; @@ -287,19 +284,19 @@ for ($i = 0 ; $i < $num_fields; $i++) { } else { $checked_fulltext = ''; } - + $content_cells[$i][$ci] = "\n" . ''; $ci++; - + $content_cells[$i][$ci] = "\n" . ''; $ci++; - + $content_cells[$i][$ci] = "\n" . ''; $ci++; - + $content_cells[$i][$ci] = "\n" . ''; $ci++; - + if (PMA_MYSQL_INT_VERSION >= 32323) { $content_cells[$i][$ci] = ''; } // end if (PMA_MYSQL_INT_VERSION >= 32323) @@ -327,7 +324,7 @@ while(@list($content_nr, $content_row) = @each($content_cells)) { echo "\n" . '' . "\n"; $bgcolor = ($i % 2) ? $cfg['BgcolorOne'] : $cfg['BgcolorTwo']; - + while(list($content_row_nr, $content_row_val) = @each($content_row)) { ?> diff --git a/tbl_properties_operations.php3 b/tbl_properties_operations.php3 index 92449c0ef..3832d2f00 100755 --- a/tbl_properties_operations.php3 +++ b/tbl_properties_operations.php3 @@ -25,7 +25,7 @@ if (isset($submitorderby) && !empty($order_field)) { $sql_query = 'ALTER TABLE ' . PMA_backquote($table) . ' ORDER BY ' . PMA_backquote(urldecode($order_field)); $result = PMA_mysql_query($sql_query) or PMA_mysqlDie('', $sql_query, '', $err_url); - PMA_showMessage((get_magic_quotes_gpc()) ? addslashes($strSuccess) : $strSuccess); + PMA_showMessage($strSuccess); } // end if diff --git a/tbl_properties_options.php3 b/tbl_properties_options.php3 index 24d453f0e..08b24aaf8 100755 --- a/tbl_properties_options.php3 +++ b/tbl_properties_options.php3 @@ -14,9 +14,6 @@ $url_query .= '&goto=tbl_properties_options.php3&back=tbl_properties_opt * Updates table comment, type and options if required */ if (isset($submitcomment)) { - if (get_magic_quotes_gpc()) { - $comment = stripslashes($comment); - } if (empty($prev_comment) || urldecode($prev_comment) != $comment) { $sql_query = 'ALTER TABLE ' . PMA_backquote($table) . ' COMMENT = \'' . PMA_sqlAddslashes($comment) . '\''; $result = PMA_mysql_query($sql_query) or PMA_mysqlDie('', $sql_query, '', $err_url); @@ -39,7 +36,7 @@ if (isset($submitoptions)) { // Displays a message if a query had been submitted if (isset($message)) { - PMA_showMessage((get_magic_quotes_gpc()) ? addslashes($message) : $message); + PMA_showMessage($message); } diff --git a/tbl_query_box.php3 b/tbl_query_box.php3 index 8fcf731c5..dcb94cb23 100755 --- a/tbl_query_box.php3 +++ b/tbl_query_box.php3 @@ -12,9 +12,6 @@ if (isset($show_query) && $show_query == '1') { $query_to_display = $sql_query_cpy; } // Other cases - else if (get_magic_quotes_gpc()) { - $query_to_display = stripslashes($sql_query); - } else { $query_to_display = $sql_query; } @@ -67,7 +64,7 @@ if ($cfg['QueryFrame'] && (!$cfg['QueryFrameJS'] || ($cfg['QueryFrameJS'] && !$d } else { $num_dbs = 0; } - + if ($num_dbs > 0) { $queryframe_db_list = '
-
+
' . $blobtext . '' . $row[$pointer] . ' '; @@ -1487,14 +1487,8 @@ if (!defined('PMA_DISPLAY_TBL_LIB_INCLUDED')) { } } // end if - // 1.3 Urlencodes the query to use in input form fields ($sql_query - // will be stripslashed in 'sql.php3' if the 'magic_quotes_gpc' - // directive is set to 'on') - if (get_magic_quotes_gpc()) { - $encoded_sql_query = urlencode(addslashes($sql_query)); - } else { - $encoded_sql_query = urlencode($sql_query); - } + // 1.3 Urlencodes the query to use in input form fields + $encoded_sql_query = urlencode($sql_query); // 2. ----- Displays the top of the page ----- diff --git a/libraries/grab_globals.lib.php3 b/libraries/grab_globals.lib.php3 index ac38b90f7..28666fcb9 100644 --- a/libraries/grab_globals.lib.php3 +++ b/libraries/grab_globals.lib.php3 @@ -5,24 +5,43 @@ /** * This library grabs the names and values of the variables sent or posted to a - * script in the '$HTTP_*_VARS' arrays and sets simple globals variables from - * them. It does the same work for the $PHP_SELF variable. + * script in the '$HTTP_*_VARS' / $_* arrays and sets simple globals variables + * from them. It does the same work for the $PHP_SELF variable. * * loic1 - 2001/25/11: use the new globals arrays defined with php 4.1+ */ if (!defined('PMA_GRAB_GLOBALS_INCLUDED')) { define('PMA_GRAB_GLOBALS_INCLUDED', 1); + function PMA_gpc_extract($array, &$target) { + if (!is_array($array)) { + return FALSE; + } + $is_magic_quotes = get_magic_quotes_gpc(); + reset($array); + while (list($key, $value) = each($array)) { + if (is_array($value)) { + PMA_gpc_extract($value, $target[$key]); + } else if ($is_magic_quotes) { + $target[$key] = stripslashes($value); + } else { + $target[$key] = $value; + } + } + reset($array); + return TRUE; + } + if (!empty($_GET)) { - extract($_GET, EXTR_OVERWRITE); + PMA_gpc_extract($_GET, $GLOBALS); } else if (!empty($HTTP_GET_VARS)) { - extract($HTTP_GET_VARS, EXTR_OVERWRITE); + PMA_gpc_extract($HTTP_GET_VARS, $GLOBALS); } // end if if (!empty($_POST)) { - extract($_POST, EXTR_OVERWRITE); + PMA_gpc_extract($_POST, $GLOBALS); } else if (!empty($HTTP_POST_VARS)) { - extract($HTTP_POST_VARS, EXTR_OVERWRITE); + PMA_gpc_extract($HTTP_POST_VARS, $GLOBALS); } // end if if (!empty($_FILES)) { @@ -46,15 +65,5 @@ if (!defined('PMA_GRAB_GLOBALS_INCLUDED')) { unset($goto); } // end if - // Strip slahes from $db / $table values - if (get_magic_quotes_gpc()) { - if (isset($db)) { - $db = stripslashes($db); - } - if (isset($table)) { - $table = stripslashes($table); - } - } - } // $__PMA_GRAB_GLOBALS_LIB__ ?> diff --git a/mult_submits.inc.php3 b/mult_submits.inc.php3 index 494a27188..bd64851df 100644 --- a/mult_submits.inc.php3 +++ b/mult_submits.inc.php3 @@ -9,9 +9,6 @@ if (!empty($submit_mult) && (!empty($selected_db) || !empty($selected_tbl) || !empty($selected_fld))) { - if (get_magic_quotes_gpc()) { - $submit_mult = stripslashes($submit_mult); - } if (!empty($selected_db)) { $selected = $selected_db; $what = 'drop_db'; @@ -31,12 +28,12 @@ if (!empty($submit_mult) case $strOptimizeTable: unset($submit_mult); $query_type = 'optimize_tbl'; - $mult_btn = (get_magic_quotes_gpc() ? addslashes($strYes) : $strYes); + $mult_btn = $strYes; break; case $strRepairTable: unset($submit_mult); $query_type = 'repair_tbl'; - $mult_btn = (get_magic_quotes_gpc() ? addslashes($strYes) : $strYes); + $mult_btn = $strYes; break; } // end switch } @@ -133,8 +130,7 @@ if (!empty($submit_mult) && !empty($what)) { /** * Executes the query */ -else if ((get_magic_quotes_gpc() && stripslashes($mult_btn) == $strYes) - || $mult_btn == $strYes) { +else if ($mult_btn == $strYes) { $sql_query = ''; $selected_cnt = count($selected); diff --git a/read_dump.php3 b/read_dump.php3 index 6180bc4e2..4fac0f103 100644 --- a/read_dump.php3 +++ b/read_dump.php3 @@ -307,9 +307,6 @@ if ($sql_file != 'none') { } } // end uploaded file stuff } -else if (empty($id_bookmark) && get_magic_quotes_gpc() == 1) { - $sql_query = stripslashes($sql_query); -} // Kanji convert SQL textfile 2002/1/4 by Y.Kawada if (@function_exists('PMA_kanji_str_conv')) { @@ -373,12 +370,7 @@ if ($sql_query != '') { if ($view_bookmark == 0) { // Only one query to run if ($pieces_count == 1 && !empty($pieces[0])) { - // sql.php3 will stripslash the query if get_magic_quotes_gpc - if (get_magic_quotes_gpc() == 1) { - $sql_query = addslashes($pieces[0]); - } else { - $sql_query = $pieces[0]; - } + $sql_query = $pieces[0]; if (eregi('^(DROP|CREATE)[[:space:]]+(IF EXISTS[[:space:]]+)?(TABLE|DATABASE)[[:space:]]+(.+)', $sql_query)) { $reload = 1; } diff --git a/server_privileges.php3 b/server_privileges.php3 index c69db4b92..733bc7e4a 100644 --- a/server_privileges.php3 +++ b/server_privileges.php3 @@ -477,7 +477,7 @@ function PMA_displayLoginInformationFields($mode = 'new', $indent = 0) . $spaces . ' ' . "\n" . $spaces . ' ' . "\n" - . $spaces . ' ' . "\n" - . $spaces . ' ' . "\n" - . $spaces . ' ' . "\n" + echo ' ' . "\n"; } @@ -1240,10 +1240,10 @@ if (empty($adduser) && empty($checkprivs)) { unset($res); unset($row); if (!empty($pred_tbl_array)) { - echo ' ' . "\n" . ' ' . "\n"; while (list(, $current_table) = each($pred_tbl_array)) { - echo ' ' . "\n"; + echo ' ' . "\n"; } echo ' ' . "\n"; } diff --git a/sql.php3 b/sql.php3 index d2589c153..07d8fc857 100755 --- a/sql.php3 +++ b/sql.php3 @@ -61,9 +61,6 @@ if (!defined('PMA_CHK_DROP') * Bookmark add */ if (isset($store_bkm)) { - if (get_magic_quotes_gpc()) { - $fields['label'] = stripslashes($fields['label']); - } include('./libraries/bookmark.lib.php3'); PMA_addBookmarks($fields, $cfg['Bookmark']); header('Location: ' . $cfg['PmaAbsoluteUri'] . $goto); @@ -83,7 +80,7 @@ if (isset($btnDrop) || isset($navig)) { * Reformat the query */ -$parsed_sql = PMA_SQP_parse((get_magic_quotes_gpc() ? stripslashes($sql_query) : $sql_query)); +$parsed_sql = PMA_SQP_parse($sql_query); $analyzed_sql = PMA_SQP_analyze($parsed_sql); // Bug #641765 - Robbat2 - 12 January 2003, 10:49PM // Reverted - Robbat2 - 13 January 2003, 2:40PM @@ -172,8 +169,6 @@ if (!$cfg['Confirm'] } if ($do_confirm) { - // already stripped at beginning of script - //$stripped_sql_query = (get_magic_quotes_gpc() ? stripslashes($sql_query) : $sql_query); $stripped_sql_query = $sql_query; include('./header.inc.php3'); echo $strDoYouReally . ' :
' . "\n"; @@ -202,10 +197,6 @@ else { if (!isset($sql_query)) { $sql_query = ''; } - // already stripped at beginning of script - // else if (get_magic_quotes_gpc()) { - // $sql_query = stripslashes($sql_query); - //} // Defines some variables // loic1: A table has to be created -> left frame should be reloaded if ((!isset($reload) || $reload == 0) diff --git a/tbl_addfield.php3 b/tbl_addfield.php3 index 7a61105ba..c1980f6e9 100755 --- a/tbl_addfield.php3 +++ b/tbl_addfield.php3 @@ -43,9 +43,6 @@ if (isset($submit)) { if (empty($field_name[$i])) { continue; } - if (get_magic_quotes_gpc()) { - $field_name[$i] = stripslashes($field_name[$i]); - } if (PMA_MYSQL_INT_VERSION < 32306) { PMA_checkReservedWords($field_name[$i], $err_url); } @@ -53,11 +50,7 @@ if (isset($submit)) { $query .= PMA_backquote($field_name[$i]) . ' ' . $field_type[$i]; if ($field_length[$i] != '' && !eregi('^(DATE|DATETIME|TIME|TINYBLOB|TINYTEXT|BLOB|TEXT|MEDIUMBLOB|MEDIUMTEXT|LONGBLOB|LONGTEXT)$', $field_type[$i])) { - if (get_magic_quotes_gpc()) { - $query .= '(' . stripslashes($field_length[$i]) . ')'; - } else { - $query .= '(' . $field_length[$i] . ')'; - } + $query .= '(' . $field_length[$i] . ')'; } if ($field_attribute[$i] != '') { $query .= ' ' . $field_attribute[$i]; @@ -65,8 +58,6 @@ if (isset($submit)) { if ($field_default[$i] != '') { if (strtoupper($field_default[$i]) == 'NULL') { $query .= ' DEFAULT NULL'; - } else if (get_magic_quotes_gpc()) { - $query .= ' DEFAULT \'' . PMA_sqlAddslashes(stripslashes($field_default[$i])) . '\''; } else { $query .= ' DEFAULT \'' . PMA_sqlAddslashes($field_default[$i]) . '\''; } @@ -95,18 +86,10 @@ if (isset($submit)) { if ($after_field == '--first--') { $query .= ' FIRST'; } else { - if (get_magic_quotes_gpc()) { - $query .= ' AFTER ' . PMA_backquote(stripslashes(urldecode($after_field))); - } else { - $query .= ' AFTER ' . PMA_backquote(urldecode($after_field)); - } + $query .= ' AFTER ' . PMA_backquote(urldecode($after_field)); } } else { - if (get_magic_quotes_gpc()) { - $query .= ' AFTER ' . PMA_backquote(stripslashes($field_name[$i-1])); - } else { - $query .= ' AFTER ' . PMA_backquote($field_name[$i-1]); - } + $query .= ' AFTER ' . PMA_backquote($field_name[$i-1]); } } $query .= ', ADD '; @@ -205,7 +188,7 @@ if (isset($submit)) { PMA_setComment($db, $table, $field_name[$fieldindex], $fieldcomment); } } - + // garvin: Update comment table for mime types [MIME] if (isset($field_mimetype) && is_array($field_mimetype) && $cfgRelation['commwork'] && $cfgRelation['mimework'] && $cfg['BrowseMIME']) { @reset($field_mimetype); diff --git a/tbl_change.php3 b/tbl_change.php3 index 7d440b10a..2591fc85a 100755 --- a/tbl_change.php3 +++ b/tbl_change.php3 @@ -18,7 +18,7 @@ require('./libraries/relation.lib.php3'); // foreign keys if (!empty($message)) { if (isset($goto)) { $goto_cpy = $goto; - $goto = 'tbl_properties.php3?' + $goto = 'tbl_properties.php3?' . PMA_generate_common_url($db, $table) . '&$show_query=1' . '&sql_query=' . urlencode($disp_query); @@ -30,7 +30,7 @@ if (!empty($message)) { unset($sql_query); } if (isset($disp_query)) { - $sql_query = (get_magic_quotes_gpc() ? stripslashes($disp_query) : $disp_query); + $sql_query = $disp_query; } PMA_showMessage($message); if (isset($goto_cpy)) { @@ -42,14 +42,6 @@ if (!empty($message)) { unset($sql_query_cpy); } } -if (get_magic_quotes_gpc()) { - if (!empty($sql_query)) { - $sql_query = stripslashes($sql_query); - } - if (!empty($primary_key)) { - $primary_key = stripslashes($primary_key); - } -} // end if /** @@ -528,7 +520,7 @@ for ($i = 0; $i < $fields_cnt; $i++) { echo "\n"; ?> 		- '; } echo '