improved a bit Olivier's patch about the "Drop database" restrictions
10
ChangeLog
10
ChangeLog
@@ -9,10 +9,10 @@ $Source$
|
||||
* db_stats.php3: added list of 20 biggest db's.
|
||||
* lib.inc.php3: fixed the socket patch, should work now.
|
||||
* lib.inc.php3: re-fixed :)
|
||||
* config.inc.php3, config.php3, Docs, sql.php3: added configuration variable
|
||||
$cfgAllowUserDropDatabase (set by default to FALSE), which will display
|
||||
or not the link "Drop database" and reject the command if the user is
|
||||
not allowed to run it (requested by <lance@uklinux.net>).
|
||||
* config.inc.php3, config.php3, Docs, sql.php3: added configuration
|
||||
variable $cfgAllowUserDropDatabase (set by default to FALSE), which will
|
||||
display or not the link "Drop database" and reject the command if the
|
||||
user is not allowed to run it (requested by <lance@uklinux.net>).
|
||||
|
||||
2001-08-21 Lo<4C>c Chapeaux <lolo@phpheaven.net>
|
||||
* db_stats.php3: ensured the script is XHTML1.0 compliant and fits the
|
||||
@@ -36,6 +36,8 @@ $Source$
|
||||
tbl_properties.inc.php3; tbl_properties.php3; user_details.php3:
|
||||
replaced MYSQL_MAJOR_VERSION and MYSQL_MINOR_VERSION constants by
|
||||
MYSQL_INT_VERSION.
|
||||
* db_details.php3; sql.php3; db_readdump.php3; lang/*: improved a bit
|
||||
Olivier's patch about the "Drop database" restrictions.
|
||||
|
||||
2001-08-20 Olivier M<>ller <om@omnis.ch>
|
||||
* db_stats.php3: new file and feature (sorry :) : simply display an
|
||||
|
@@ -544,31 +544,27 @@ echo ' ' . ' <input type="submit" value="' . $strGo . '" />' . "\n";
|
||||
</li>
|
||||
|
||||
<?php
|
||||
|
||||
// Check if the user is a Superuser - TODO: set a global variable with this information
|
||||
|
||||
$is_superuser = FALSE;
|
||||
// Check if the user is a Superuser
|
||||
// TODO: set a global variable with this information
|
||||
$result = mysql_query('SELECT * FROM mysql.user');
|
||||
$rows = @mysql_num_rows($result);
|
||||
if (!empty($rows)) { $is_superuser = TRUE; }
|
||||
// loic1: empry <> 0 with ceratin php3 releases
|
||||
$is_superuser = (!empty($rows) || $rows != 0);
|
||||
|
||||
// Display the DROP DATABASE link only if allowed to do so
|
||||
|
||||
if ($cfgAllowUserDropDatabase || $is_superuser) {
|
||||
?>
|
||||
|
||||
<!-- Drop database -->
|
||||
<li>
|
||||
<a href="sql.php3?server=<?php echo $server; ?>&lang=<?php echo $lang; ?>&db=<?php echo $db; ?>&sql_query=<?php echo urlencode('DROP DATABASE ' . backquote($db)); ?>&zero_rows=<?php echo urlencode($strDatabase . ' ' . htmlspecialchars(backquote($db)) . ' ' . $strHasBeenDropped); ?>&goto=main.php3&back=db_details.php3&reload=true">
|
||||
<?php echo $strDropDB . ' ' . htmlspecialchars($db); ?></a>
|
||||
<?php echo show_docu('manual_Reference.html#DROP_DATABASE') . "\n"; ?>
|
||||
</li>
|
||||
|
||||
<?php
|
||||
}
|
||||
echo "\n";
|
||||
?>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
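Review bot: The superuser probe `mysql_query('SELECT * FROM mysql.user')` loads every account row, password hashes included, into a result set on each page load just to learn whether the table is readable; `mysql_query('SELECT User FROM mysql.user LIMIT 1')` would answer the same question with the existing `$rows` test. The same probe is repeated in the `@@ -70,6 +70,21 @@` hunk that follows and in sql.php3, so one helper in lib.inc.php3 would resolve the TODO and keep the three copies from drifting apart. Being able to read mysql.user is only a proxy for being allowed to drop databases, which deserves a comment next to `$is_superuser`. Separately, the link in this hunk echoes `$server`, `$lang` and `$db` into the href unescaped while the link text uses `htmlspecialchars($db)`; unless those values are sanitised outside the hunk, `&db=<?php echo urlencode($db); ?>` would be the consistent form.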
@@ -70,6 +70,21 @@ if (!empty($prev_sql_query)) {
|
||||
}
|
||||
}
|
||||
|
||||
// Drop database is not allowed -> ensure the query can be run
|
||||
if (!$cfgAllowUserDropDatabase
|
||||
&& eregi('DROP[[:space:]]+(IF EXISTS[[:space:]]+)?DATABASE ', $sql_query)) {
|
||||
// Checks if the user is a Superuser
|
||||
// TODO: set a global variable with this information
|
||||
$result = mysql_query('SELECT * FROM mysql.user');
|
||||
$rows = @mysql_num_rows($result);
|
||||
// empty <> 0 for certain php3 releases
|
||||
if (empty($rows) || $rows == 0) {
|
||||
include('./header.inc.php3');
|
||||
mysql_die($strNoDropDatabases);
|
||||
}
|
||||
}
|
||||
define('PMA_CHK_DROP', 1);
|
||||
|
||||
// Copy the query, used for display purposes only
|
||||
$sql_query_cpy = $sql_query;
|
||||
|
||||
|
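Review bot: The pattern `'DROP[[:space:]]+(IF EXISTS[[:space:]]+)?DATABASE '` ends in a literal space, so a statement in which `DATABASE` is followed by a tab or a newline is not recognised and the restriction is skipped; ending it with `DATABASE[[:space:]]` would treat the last separator like the others. The same pattern is used in the sql.php3 hunk. Because `define('PMA_CHK_DROP', 1);` runs unconditionally after this block, sql.php3 will rely on this check alone for queries that pass through this file, so a comment such as `// best-effort text match; MySQL's own DROP privilege remains the real boundary` would help the next maintainer. The enclosing script continues outside the hunk, so whether `$sql_query` still holds the whole uploaded dump at this point cannot be confirmed from here.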
26
sql.php3
26
sql.php3
@@ -8,27 +8,23 @@
|
||||
require('./grab_globals.inc.php3');
|
||||
require('./lib.inc.php3');
|
||||
|
||||
|
||||
/**
|
||||
* Check rights in case of DROP DATABASE
|
||||
*/
|
||||
|
||||
if (eregi('DROP DATABASE', $sql_query)) {
|
||||
// Check if the user is a Superuser - TODO: set a global variable with this information
|
||||
|
||||
$is_superuser = FALSE;
|
||||
if (!is_defined('PMA_CHK_DROP')
|
||||
&& !$cfgAllowUserDropDatabase
|
||||
&& eregi('DROP[[:space:]]+(IF EXISTS[[:space:]]+)?DATABASE ', $sql_query)) {
|
||||
// Checks if the user is a Superuser
|
||||
// TODO: set a global variable with this information
|
||||
$result = mysql_query('SELECT * FROM mysql.user');
|
||||
$rows = @mysql_num_rows($result);
|
||||
if (!empty($rows)) { $is_superuser = TRUE; }
|
||||
|
||||
if (!$cfgAllowUserDropDatabase && !$is_superuser) {
|
||||
// empty <> 0 for certain php3 releases
|
||||
if (empty($rows) || $rows == 0) {
|
||||
include('./header.inc.php3');
|
||||
echo '<b>' . $strAccessDenied . '</b>' . "\n";
|
||||
require('./footer.inc.php3');
|
||||
exit();
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
mysql_die($strNoDropDatabases);
|
||||
} // end if
|
||||
} // end if
|
||||
|
||||
|
||||
/**
|
||||
|
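Review bot: `is_defined('PMA_CHK_DROP')` in the new condition is not a PHP built-in; the built-in is `defined()`. Unless lib.inc.php3 or grab_globals.inc.php3 declares a function of that name, every request to sql.php3 would stop with an undefined-function error, since it is the first operand of the `&&` chain. The line should read `if (!defined('PMA_CHK_DROP')`. The docblock above says only "Check rights in case of DROP DATABASE"; it should also state that the check is skipped when an including script has already set `PMA_CHK_DROP`, since that constant is what now decides whether this file enforces the restriction.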