nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

more sanitation on input vars;

Browse Source 
source documentation;
some smaller tweaks;
This commit is contained in:
Sebastian Mendel
2007-03-13 12:34:32 +00:00
parent a56222d99a
commit 9b81e50548
1 changed files with 209 additions and 146 deletions
Download Patch File Download Diff File Expand all files Collapse all files

255
db_search.php
View File

@@ -1,34 +1,121 @@
<?php
/* $Id$ */
// vim: expandtab sw=4 ts=4 sts=4:
/* vim: expandtab sw=4 ts=4 sts=4: */
/**
* Credits for this script goes to Thomas Chaumeny <chaume92 at aol.com>
* searchs the entire database
*
* @todo make use of UNION when searching multiple tables
* @todo display executed query, optional?
* @uses $cfg['UseDbSearch']
* @uses $GLOBALS['db']
* @uses $GLOBALS['strAccessDenied']
* @uses $GLOBALS['strSearchOption1']
* @uses $GLOBALS['strSearchOption2']
* @uses $GLOBALS['strSearchOption3']
* @uses $GLOBALS['strSearchOption4']
* @uses $GLOBALS['strSearchResultsFor']
* @uses $GLOBALS['strNumSearchResultsInTable']
* @uses $GLOBALS['strBrowse']
* @uses $GLOBALS['strDelete']
* @uses $GLOBALS['strNumSearchResultsTotal']
* @uses $GLOBALS['strSearchFormTitle']
* @uses $GLOBALS['strSearchNeedle']
* @uses $GLOBALS['strSearchType']
* @uses $GLOBALS['strSplitWordsWithSpace']
* @uses $GLOBALS['strSearchInTables']
* @uses $GLOBALS['strUnselectAll']
* @uses $GLOBALS['strSelectAll']
* @uses PMA_DBI_get_tables()
* @uses PMA_sqlAddslashes()
* @uses PMA_getSearchSqls()
* @uses PMA_DBI_fetch_value()
* @uses PMA_linkOrButton()
* @uses PMA_generate_common_url()
* @uses PMA_generate_common_hidden_inputs()
* @uses PMA_showMySQLDocu()
* @uses $_REQUEST['search_str']
* @uses $_REQUEST['submit_search']
* @uses $_REQUEST['search_option']
* @uses $_REQUEST['table_select']
* @uses $_REQUEST['unselectall']
* @uses $_REQUEST['selectall']
* @uses is_string()
* @uses htmlspecialchars()
* @uses array_key_exists()
* @uses is_array()
* @uses array_intersect()
* @uses sprintf()
* @uses in_array()
* @version $Id$
* @author Thomas Chaumeny <chaume92 at aol.com>
*/
require_once('./libraries/common.lib.php');
/**
*
*/
require_once './libraries/common.lib.php';
/**
* Gets some core libraries and send headers
*/
require('./libraries/db_common.inc.php');
// If config variable $cfg['Usedbsearch'] is on FALSE : exit.
if (!$cfg['UseDbSearch']) {
PMA_mysqlDie($strAccessDenied, '', FALSE, $err_url);
require './libraries/db_common.inc.php';
/**
* init
*/
// If config variable $GLOBALS['cfg']['Usedbsearch'] is on false : exit.
if (! $GLOBALS['cfg']['UseDbSearch']) {
PMA_mysqlDie($GLOBALS['strAccessDenied'], '', false, $err_url);
} // end if
$url_query .= '&amp;goto=db_search.php';
$url_params['goto'] = 'db_search.php';
/**
* Get the list of tables from the current database
* @global array list of tables from the current database
*/
$tables = PMA_DBI_get_tables($GLOBALS['db']);
$num_tables = count( $tables );
$search_options = array(
'1' => $GLOBALS['strSearchOption1'],
'2' => $GLOBALS['strSearchOption2'],
'3' => $GLOBALS['strSearchOption3'],
'4' => $GLOBALS['strSearchOption4'],
);
if (empty($_REQUEST['search_str']) || ! is_string($_REQUEST['search_str'])) {
unset($_REQUEST['submit_search']);
$searched = '';
} else {
$searched = htmlspecialchars($_REQUEST['search_str']);
$search_str = PMA_sqlAddslashes($_REQUEST['search_str'], true);
}
if (empty($_REQUEST['search_option']) || ! is_string($_REQUEST['search_option'])
|| ! array_key_exists($_REQUEST['search_option'], $search_options)) {
$search_option = 1;
unset($_REQUEST['submit_search']);
} else {
$search_option = (int) $_REQUEST['search_option'];
$option_str = $search_options[$_REQUEST['search_option']];
}
$tables_selected = array();
if (empty($_REQUEST['table_select']) || ! is_array($_REQUEST['table_select'])) {
unset($_REQUEST['submit_search']);
} elseif (! isset($_REQUEST['selectall']) && ! isset($_REQUEST['unselectall'])) {
$tables_selected = array_intersect($_REQUEST['table_select'], $tables);
}
if (isset($_REQUEST['selectall'])) {
$tables_selected = $tables;
} elseif (isset($_REQUEST['unselectall'])) {
$tables_selected = array();
}
/**
* Displays top links
*/
$sub_part = '';
require('./libraries/db_links.inc.php');
require './libraries/db_links.inc.php';
/**
@@ -39,6 +126,16 @@ if (isset($_REQUEST['submit_search'])) {
/**
* Builds the SQL search query
*
* @todo can we make use of fulltextsearch IN BOOLEAN MODE for this?
* @uses PMA_DBI_query
* PMA_MYSQL_INT_VERSION
* PMA_backquote
* PMA_DBI_free_result
* PMA_DBI_fetch_assoc
* $GLOBALS['db']
* explode
* count
* strlen
* @param string the table name
* @param string the string to search
* @param integer type of search (1 -> 1 word at least, 2 -> all words,
@@ -47,6 +144,7 @@ if (isset($_REQUEST['submit_search'])) {
* @return array 3 SQL querys (for count, display and delete results)
*
* @global string the url to return to in case of errors
* @global string charset connection
*/
function PMA_getSearchSqls($table, $search_str, $search_option)
{
@@ -67,58 +165,58 @@ if (isset($_REQUEST['submit_search'])) {
} // while
PMA_DBI_free_result($res);
unset($current, $res);
$tblfields_cnt = count($tblfields);
// Table to use
$sqlstr_from = ' FROM ' . PMA_backquote($GLOBALS['db']) . '.' . PMA_backquote($table);
// Beginning of WHERE clause
$sqlstr_where = ' WHERE';
$search_words = (($search_option > 2) ? array($search_str) : explode(' ', $search_str));
$search_wds_cnt = count($search_words);
$like_or_regex = (($search_option == 4) ? 'REGEXP' : 'LIKE');
$automatic_wildcard = (($search_option <3) ? '%' : '');
for ($i = 0; $i < $search_wds_cnt; $i++) {
$fieldslikevalues = array();
foreach ($search_words as $search_word) {
// Eliminates empty values
// In MySQL 4.1, if a field has no collation we get NULL in Charset
// but in MySQL 5.0.x we get ''
if (!empty($search_words[$i])) {
for ($j = 0; $j < $tblfields_cnt; $j++) {
if (PMA_MYSQL_INT_VERSION >= 40100 && $tblfields[$j]['Charset'] != $charset_connection && $tblfields[$j]['Charset'] != 'NULL' && $tblfields[$j]['Charset'] != '') {
if (strlen($search_words) === 0) {
continue;
}
$thefieldlikevalue = array();
foreach ($tblfields as $tblfield) {
if (PMA_MYSQL_INT_VERSION >= 40100
&& $tblfield['Charset'] != $charset_connection
&& $tblfield['Charset'] != 'NULL'
&& $tblfield['Charset'] != '') {
$prefix = 'CONVERT(_utf8 ';
$suffix = ' USING ' . $tblfields[$j]['Charset'] . ') COLLATE ' . $tblfields[$j]['Collation'];
$suffix = ' USING ' . $tblfield['Charset'] . ') COLLATE ' . $tblfield['Collation'];
} else {
$prefix = $suffix = '';
}
$thefieldlikevalue[] = $tblfields[$j]['Field']
$thefieldlikevalue[] = $tblfield['Field']
. ' ' . $like_or_regex . ' '
. $prefix
. '\''
. "'"
. $automatic_wildcard
. $search_words[$i]
. $automatic_wildcard . '\''
. $search_word
. $automatic_wildcard . "'"
. $suffix;
} // end for
$fieldslikevalues[] = ($search_wds_cnt > 1)
? '(' . implode(' OR ', $thefieldlikevalue) . ')'
: implode(' OR ', $thefieldlikevalue);
unset($thefieldlikevalue);
} // end if
$fieldslikevalues[] = implode(' OR ', $thefieldlikevalue);
} // end for
$implode_str = ($search_option == 1 ? ' OR ' : ' AND ');
$sqlstr_where .= ' ' . implode($implode_str, $fieldslikevalues);
$sqlstr_where = ' WHERE (' . implode(') ' . $implode_str . ' (', $fieldslikevalues) . ')';
unset($fieldslikevalues);
// Builds complete queries
$sql['select_fields'] = $sqlstr_select . ' * ' . $sqlstr_from . $sqlstr_where;
// here, I think we need to still use the COUNT clause, even for
// VIEWs, anyway we have a WHERE clause that should limit results
$sql['select_count'] = $sqlstr_select . ' COUNT(*) AS count' . $sqlstr_from . $sqlstr_where;
$sql['select_count'] = $sqlstr_select . ' COUNT(*) AS `count`' . $sqlstr_from . $sqlstr_where;
$sql['delete'] = $sqlstr_delete . $sqlstr_from . $sqlstr_where;
return $sql;
@@ -128,31 +226,6 @@ if (isset($_REQUEST['submit_search'])) {
/**
* Displays the results
*/
if (!empty($_REQUEST['search_str']) && !empty($_REQUEST['search_option'])) {
$original_search_str = $_REQUEST['search_str'];
$search_str = PMA_sqlAddslashes($_REQUEST['search_str'], TRUE);
// Get the true string to display as option's comment
switch ($_REQUEST['search_option']) {
case 1:
$option_str = ' (' . $strSearchOption1 . ')';
$search_option = 1;
break;
case 2:
$option_str = ' (' . $strSearchOption2 . ')';
$search_option = 2;
break;
case 3:
$option_str = ' (' . $strSearchOption3 . ')';
$search_option = 3;
break;
case 4:
$option_str = ' (' . $strSearchOption4 . ')';
$search_option = 4;
break;
} // end switch
$this_url_params = array(
'db' => $GLOBALS['db'],
'goto' => 'db_sql.php',
@@ -164,14 +237,14 @@ if (isset($_REQUEST['submit_search'])) {
echo '<br />' . "\n"
.'<table class="data">' . "\n"
.'<caption class="tblHeaders">' . "\n"
.sprintf($strSearchResultsFor,
htmlspecialchars($original_search_str), $option_str) . "\n"
.sprintf($GLOBALS['strSearchResultsFor'],
$searched, $option_str) . "\n"
.'</caption>' . "\n";
$num_search_result_total = 0;
$odd_row = true;
foreach ( $_REQUEST['table_select'] as $each_table ) {
foreach ($tables_selected as $each_table) {
// Gets the SQL statements
$newsearchsqls = PMA_getSearchSqls($each_table,
$search_str, $search_option);
@@ -180,20 +253,22 @@ if (isset($_REQUEST['submit_search'])) {
$res_cnt = PMA_DBI_fetch_value($newsearchsqls['select_count']);
$num_search_result_total += $res_cnt;
$sql_query .= $newsearchsqls['select_count'];
echo '<tr class="' . ($odd_row ? 'odd' : 'even') . '">'
.'<td>' . sprintf($strNumSearchResultsInTable, $res_cnt,
.'<td>' . sprintf($GLOBALS['strNumSearchResultsInTable'], $res_cnt,
htmlspecialchars($each_table)) . "</td>\n";
if ($res_cnt > 0) {
$this_url_params['sql_query'] = $newsearchsqls['select_fields'];
echo '<td>' . PMA_linkOrButton(
'sql.php' . PMA_generate_common_url($this_url_params),
$strBrowse, '') . "</td>\n";
$GLOBALS['strBrowse'], '') . "</td>\n";
$this_url_params['sql_query'] = $newsearchsqls['delete'];
echo '<td>' . PMA_linkOrButton(
'sql.php' . PMA_generate_common_url($this_url_params),
$strDelete, $newsearchsqls['delete']) . "</td>\n";
$GLOBALS['strDelete'], $newsearchsqls['delete']) . "</td>\n";
} else {
echo '<td>&nbsp;</td>' . "\n"
@@ -205,70 +280,58 @@ if (isset($_REQUEST['submit_search'])) {
echo '</table>' . "\n";
if ( count($_REQUEST['table_select']) > 1 ) {
echo '<p>' . sprintf($strNumSearchResultsTotal,
if (count($tables_selected) > 1) {
echo '<p>' . sprintf($GLOBALS['strNumSearchResultsTotal'],
$num_search_result_total) . '</p>' . "\n";
}
} // end if (!empty($search_str) && !empty($search_option))
} // end 1.
/**
* 2. Displays the main search form
*/
echo "\n";
$searched = (isset($original_search_str))
? htmlspecialchars($original_search_str)
: '';
if (empty($search_option)) {
$search_option = 1;
}
?>
<a name="db_search"></a>
<form method="post" action="db_search.php" name="db_search">
<?php echo PMA_generate_common_hidden_inputs($GLOBALS['db']); ?>
<fieldset>
<legend><?php echo $strSearchFormTitle; ?></legend>
<legend><?php echo $GLOBALS['strSearchFormTitle']; ?></legend>
<table class="formlayout">
<tr><td><?php echo $strSearchNeedle; ?></td>
<tr><td><?php echo $GLOBALS['strSearchNeedle']; ?></td>
<td><input type="text" name="search_str" size="60"
value="<?php echo $searched; ?>" /></td>
</tr>
<tr><td align="right" valign="top">
<?php echo $strSearchType; ?></td>
<?php echo $GLOBALS['strSearchType']; ?></td>
<td><input type="radio" id="search_option_1" name="search_option"
value="1"<?php if ($search_option == 1) echo ' checked="checked"'; ?> />
<label for="search_option_1">
<?php echo $strSearchOption1; ?></label><sup>1</sup><br />
<?php echo $GLOBALS['strSearchOption1']; ?></label><sup>1</sup><br />
<input type="radio" id="search_option_2" name="search_option"
value="2"<?php if ($search_option == 2) echo ' checked="checked"'; ?> />
<label for="search_option_2">
<?php echo $strSearchOption2; ?></label><sup>1</sup><br />
<?php echo $GLOBALS['strSearchOption2']; ?></label><sup>1</sup><br />
<input type="radio" id="search_option_3" name="search_option"
value="3"<?php if ($search_option == 3) echo ' checked="checked"'; ?> />
<label for="search_option_3">
<?php echo $strSearchOption3; ?></label><br />
<?php echo $GLOBALS['strSearchOption3']; ?></label><br />
<input type="radio" id="search_option_4" name="search_option"
value="4"<?php if ($search_option == 4) echo ' checked="checked"'; ?> />
<label for="search_option_4">
<?php echo $strSearchOption4; ?></label>
<?php echo $GLOBALS['strSearchOption4']; ?></label>
<?php echo PMA_showMySQLDocu('Regexp', 'Regexp'); ?><br />
<br />
<sup>1</sup><?php echo $strSplitWordsWithSpace; ?></td>
<sup>1</sup><?php echo $GLOBALS['strSplitWordsWithSpace']; ?></td>
</tr>
<tr><td align="right" valign="top">
<?php echo $strSearchInTables; ?></td>
<?php echo $GLOBALS['strSearchInTables']; ?></td>
<td rowspan="2">
<?php
echo ' <select name="table_select[]" size="6" multiple="multiple">' . "\n";
foreach ($tables as $each_table) {
if ( isset($_REQUEST['unselectall'])) {
$is_selected = '';
} elseif ( ! isset($_REQUEST['table_select'])
|| in_array($each_table, $_REQUEST['table_select'])
|| isset($_REQUEST['selectall']) ) {
if (in_array($each_table, $tables_selected)) {
$is_selected = ' selected="selected"';
} else {
$is_selected = '';
@@ -278,31 +341,31 @@ foreach ( $tables as $each_table ) {
. $is_selected . '>'
. htmlspecialchars($each_table) . '</option>' . "\n";
} // end while
echo ' </select>' . "\n";
$strDoSelectAll = '<a href="db_search.php?' . $url_query . '&amp;selectall=1#db_search"'
. ' onclick="setSelectOptions(\'db_search\', \'table_select[]\', true); return false;">' . $strSelectAll . '</a>'
$alter_select =
'<a href="db_search.php' . PMA_generate_common_url(array_merge($url_params, array('selectall' => 1))) . '#db_search"'
. ' onclick="setSelectOptions(\'db_search\', \'table_select[]\', true); return false;">' . $GLOBALS['strSelectAll'] . '</a>'
. '&nbsp;/&nbsp;'
. '<a href="db_search.php?' . $url_query . '&amp;unselectall=1#db_search"'
. ' onclick="setSelectOptions(\'db_search\', \'table_select[]\', false); return false;">' . $strUnselectAll . '</a>';
. '<a href="db_search.php' . PMA_generate_common_url(array_merge($url_params, array('unselectall' => 1))) . '#db_search"'
. ' onclick="setSelectOptions(\'db_search\', \'table_select[]\', false); return false;">' . $GLOBALS['strUnselectAll'] . '</a>';
?>
</td>
</tr>
<tr><td align="right" valign="bottom">
<?php echo $strDoSelectAll; ?></td></tr>
<?php echo $alter_select; ?></td></tr>
</tr>
</table>
</fieldset>
<fieldset class="tblFooters">
<input type="submit" name="submit_search" value="<?php echo $strGo; ?>"
<input type="submit" name="submit_search" value="<?php echo $GLOBALS['strGo']; ?>"
id="buttonGo" />
</fieldset>
</form>
<?php
/**
* Displays the footer
*/
echo "\n";
require_once('./libraries/footer.inc.php');
require_once './libraries/footer.inc.php';
?>