fixes for HTML entities in field/table/db names

This commit is contained in:
Michal Čihař
2003-03-26 14:02:16 +00:00
parent be41dc5bc5
commit b4cadaf745
10 changed files with 23 additions and 17 deletions


@@ -5,6 +5,12 @@ phpMyAdmin - Changelog
$Id$ $Id$
$Source$ $Source$
2003-03-26 Michal Cihar <nijel@users.sourceforge.net>
* db_details.php3, db_details_qbe.php3, left.php3, tbl_change.php3,
tbl_properties_operations.php3, tbl_properties_structure.php3,
tbl_query_box.php3, tbl_select.php3, libraries/common.lib.php3: Even
more fixes for HTML entities in field/table/db name.
2003-03-25 Alexander M. Turek <rabus@users.sourceforge.net> 2003-03-25 Alexander M. Turek <rabus@users.sourceforge.net>
* Documentation.html: Fixed GRANT queries for the controluser. * Documentation.html: Fixed GRANT queries for the controluser.


@@ -58,7 +58,7 @@ $auto_sel = ($cfg['TextareaAutoSelect']
<input type="hidden" name="pos" value="0" /> <input type="hidden" name="pos" value="0" />
<input type="hidden" name="goto" value="db_details.php3" /> <input type="hidden" name="goto" value="db_details.php3" />
<input type="hidden" name="zero_rows" value="<?php echo htmlspecialchars($strSuccess); ?>" /> <input type="hidden" name="zero_rows" value="<?php echo htmlspecialchars($strSuccess); ?>" />
<input type="hidden" name="prev_sql_query" value="<?php echo ((!empty($query_to_display)) ? urlencode($query_to_display) : ''); ?>" /> <input type="hidden" name="prev_sql_query" value="<?php echo ((!empty($query_to_display)) ? htmlspecialchars($query_to_display) : ''); ?>" />
<?php echo sprintf($strRunSQLQuery, $db) . ' ' . PMA_showMySQLDocu('Reference', 'SELECT'); ?>&nbsp;:<br /> <?php echo sprintf($strRunSQLQuery, $db) . ' ' . PMA_showMySQLDocu('Reference', 'SELECT'); ?>&nbsp;:<br />
<div style="margin-bottom: 5px"> <div style="margin-bottom: 5px">
<textarea name="sql_query" cols="<?php echo $cfg['TextareaCols'] * 2; ?>" rows="<?php echo $cfg['TextareaRows']; ?>" wrap="virtual" dir="<?php echo $text_dir; ?>"<?php echo $auto_sel; ?>> <textarea name="sql_query" cols="<?php echo $cfg['TextareaCols'] * 2; ?>" rows="<?php echo $cfg['TextareaRows']; ?>" wrap="virtual" dir="<?php echo $text_dir; ?>"<?php echo $auto_sel; ?>>
@@ -159,7 +159,7 @@ if ($cfg['Bookmark']['db'] && $cfg['Bookmark']['table']) {
echo ' <select name="id_bookmark">' . "\n"; echo ' <select name="id_bookmark">' . "\n";
echo ' <option value=""></option>' . "\n"; echo ' <option value=""></option>' . "\n";
while (list($key, $value) = each($bookmark_list)) { while (list($key, $value) = each($bookmark_list)) {
echo ' <option value="' . $value . '">' . htmlentities($key) . '</option>' . "\n"; echo ' <option value="' . htmlspecialchars($value) . '">' . htmlspecialchars($key) . '</option>' . "\n";
} }
echo ' </select>' . "<br />\n"; echo ' </select>' . "<br />\n";
echo ' ' . $strVar . ' (<a href="./Documentation.html#faqbookmark" target="documentation">' . $strDocu . '</a>): <input type="text" name="bookmark_variable" class="textfield" size="10" />' . "\n"; echo ' ' . $strVar . ' (<a href="./Documentation.html#faqbookmark" target="documentation">' . $strDocu . '</a>): <input type="text" name="bookmark_variable" class="textfield" size="10" />' . "\n";
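Review bot: The `prev_sql_query` hidden field on the changed line now carries the HTML-escaped query instead of a URL-encoded one, so whichever page reads it back must no longer `urldecode()` it; if the reader still does, a query containing `%` or `+` would be altered after the browser has already decoded the entities. The same urlencode-to-htmlspecialchars switch is made in every later `<option value="...">` and hidden-field hunk on this page, and none of the receiving code is visible here, so this should be confirmed once for all of them. Note also that `htmlspecialchars()` is called without `ENT_QUOTES`, which is adequate only while every attribute it feeds stays double-quoted, as they are in this hunk.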


@@ -198,7 +198,7 @@ for ($x = 0; $x < $col; $x++) {
$sel = ''; $sel = '';
} }
echo ' '; echo ' ';
echo '<option value="' . urlencode($fld[$y]) . '"' . $sel . '>' . htmlspecialchars($fld[$y]) . '</option>' . "\n"; echo '<option value="' . htmlspecialchars($fld[$y]) . '"' . $sel . '>' . htmlspecialchars($fld[$y]) . '</option>' . "\n";
} // end for } // end for
?> ?>
</select> </select>
@@ -225,7 +225,7 @@ for ($x = 0; $x < $col; $x++) {
$sel = ''; $sel = '';
} // end if } // end if
echo ' '; echo ' ';
echo '<option value="' . urlencode($fld[$y]) . '"' . $sel . '>' . htmlspecialchars($fld[$y]) . '</option>' . "\n"; echo '<option value="' . htmlspecialchars($fld[$y]) . '"' . $sel . '>' . htmlspecialchars($fld[$y]) . '</option>' . "\n";
} // end for } // end for
?> ?>
</select> </select>
@@ -632,7 +632,7 @@ for ($x = 0; $x < $col; $x++) {
<?php <?php
while (list($key, $val) = each($tbl_names)) { while (list($key, $val) = each($tbl_names)) {
echo ' '; echo ' ';
echo '<option value="' . urlencode($key) . '"' . $val . '>' . htmlspecialchars($key) . '</option>' . "\n"; echo '<option value="' . htmlspecialchars($key) . '"' . $val . '>' . htmlspecialchars($key) . '</option>' . "\n";
} }
?> ?>
</select> </select>


@@ -307,9 +307,9 @@ if ($num_dbs > 1) {
} // end if... else... } // end if... else...
if (!empty($num_tables)) { if (!empty($num_tables)) {
echo ' <option value="' . urlencode($db) . '"' . $selected . '>' . ($db_tooltip != '' && $cfg['ShowTooltipAliasDB'] ? htmlspecialchars($db_tooltip) : htmlspecialchars($db)) . ' (' . $num_tables . ')</option>' . "\n"; echo ' <option value="' . htmlspecialchars($db) . '"' . $selected . '>' . ($db_tooltip != '' && $cfg['ShowTooltipAliasDB'] ? htmlspecialchars($db_tooltip) : htmlspecialchars($db)) . ' (' . $num_tables . ')</option>' . "\n";
} else { } else {
echo ' <option value="' . urlencode($db) . '"' . $selected . '>' . ($db_tooltip != '' && $cfg['ShowTooltipAliasDB'] ? htmlspecialchars($db_tooltip) : htmlspecialchars($db)) . ' (-)</option>' . "\n"; echo ' <option value="' . htmlspecialchars($db) . '"' . $selected . '>' . ($db_tooltip != '' && $cfg['ShowTooltipAliasDB'] ? htmlspecialchars($db_tooltip) : htmlspecialchars($db)) . ' (-)</option>' . "\n";
} // end if... else... } // end if... else...
} // end if (light mode) } // end if (light mode)
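Review bot: The two echo statements in this hunk are identical except for the ` (N)` / ` (-)` suffix, and the escaping fix had to be applied to both of them; folding the branch into the suffix keeps the next escaping change in one place. Suggested shape: `$shown = ($db_tooltip != '' && $cfg['ShowTooltipAliasDB']) ? htmlspecialchars($db_tooltip) : htmlspecialchars($db);` then `$count = !empty($num_tables) ? $num_tables : '-';` and a single `echo ' <option value="' . htmlspecialchars($db) . '"' . $selected . '>' . $shown . ' (' . $count . ')</option>' . "\n";`. The enclosing if/else chain starts before the hunk.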


@@ -1167,7 +1167,7 @@ h1 {font-family: sans-serif; font-size: large; font-weight: bold}
function PMA_jsFormat($a_string = '', $add_backquotes = TRUE) function PMA_jsFormat($a_string = '', $add_backquotes = TRUE)
{ {
if (is_string($a_string)) { if (is_string($a_string)) {
$a_string = htmlentities($a_string); $a_string = htmlspecialchars($a_string);
$a_string = str_replace('\\', '\\\\', $a_string); $a_string = str_replace('\\', '\\\\', $a_string);
$a_string = str_replace('\'', '\\\'', $a_string); $a_string = str_replace('\'', '\\\'', $a_string);
$a_string = str_replace('#', '\\#', $a_string); $a_string = str_replace('#', '\\#', $a_string);
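Review bot: PMA_jsFormat now HTML-escapes and then backslash-escapes the string, and nothing in the hunk records why both passes are needed or that `htmlspecialchars()` is deliberately left without `ENT_QUOTES` so that the single quote is handled by the `str_replace` two lines below; a header comment would keep a later reader from "simplifying" one of the two passes away. Suggest above the function: `// Escapes $a_string for emission inside what appears to be a single-quoted JavaScript string embedded in HTML: HTML-escape first, then backslash-escape \, ' and # for the script context.` The function body continues past the hunk, and the `$add_backquotes` parameter is not used in the visible part.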


@@ -487,7 +487,7 @@ for ($i = 0; $i < $fields_cnt; $i++) {
// Removes automatic MySQL escape format // Removes automatic MySQL escape format
$enum_atom = str_replace('\'\'', '\'', str_replace('\\\\', '\\', $enum[$j])); $enum_atom = str_replace('\'\'', '\'', str_replace('\\\\', '\\', $enum[$j]));
echo ' '; echo ' ';
echo '<option value="' . urlencode($enum_atom) . '"'; echo '<option value="' . htmlspecialchars($enum_atom) . '"';
if ($data == $enum_atom if ($data == $enum_atom
|| ($data == '' && (!isset($primary_key) || $row_table_def['Null'] != 'YES') || ($data == '' && (!isset($primary_key) || $row_table_def['Null'] != 'YES')
&& isset($row_table_def['Default']) && $enum_atom == $row_table_def['Default'])) { && isset($row_table_def['Default']) && $enum_atom == $row_table_def['Default'])) {
@@ -549,7 +549,7 @@ for ($i = 0; $i < $fields_cnt; $i++) {
// Removes automatic MySQL escape format // Removes automatic MySQL escape format
$subset = str_replace('\'\'', '\'', str_replace('\\\\', '\\', $subset)); $subset = str_replace('\'\'', '\'', str_replace('\\\\', '\\', $subset));
echo ' '; echo ' ';
echo '<option value="'. urlencode($subset) . '"'; echo '<option value="'. htmlspecialchars($subset) . '"';
if (isset($vset[$subset]) && $vset[$subset]) { if (isset($vset[$subset]) && $vset[$subset]) {
echo ' selected="selected"'; echo ' selected="selected"';
} }


@@ -65,7 +65,7 @@ if (PMA_MYSQL_INT_VERSION >= 32334) {
echo "\n"; echo "\n";
reset($columns); reset($columns);
while (list($junk, $fieldname) = each($columns)) { while (list($junk, $fieldname) = each($columns)) {
echo ' <option value="' . urlencode($fieldname) . '">' . htmlspecialchars($fieldname) . '</option>' . "\n"; echo ' <option value="' . htmlspecialchars($fieldname) . '">' . htmlspecialchars($fieldname) . '</option>' . "\n";
} }
unset($columns); unset($columns);
?> ?>


@@ -605,7 +605,7 @@ echo "\n";
<?php <?php
reset($aryFields); reset($aryFields);
while (list($junk, $fieldname) = each($aryFields)) { while (list($junk, $fieldname) = each($aryFields)) {
echo ' <option value="' . urlencode($fieldname) . '">' . sprintf($strAfter, htmlspecialchars($fieldname)) . '</option>' . "\n"; echo ' <option value="' . htmlspecialchars($fieldname) . '">' . sprintf($strAfter, htmlspecialchars($fieldname)) . '</option>' . "\n";
} }
unset($aryFields); unset($aryFields);
?> ?>


@@ -228,7 +228,7 @@ if (!isset($is_inside_querywindow) ||
echo ' <select name="id_bookmark" style="vertical-align: middle">' . "\n"; echo ' <select name="id_bookmark" style="vertical-align: middle">' . "\n";
echo ' <option value=""></option>' . "\n"; echo ' <option value=""></option>' . "\n";
while (list($key, $value) = each($bookmark_list)) { while (list($key, $value) = each($bookmark_list)) {
echo ' <option value="' . $value . '">' . htmlentities($key) . '</option>' . "\n"; echo ' <option value="' . $value . '">' . htmlspecialchars($key) . '</option>' . "\n";
} }
echo ' </select>' . "<br />\n"; echo ' </select>' . "<br />\n";
echo ' ' . $strVar . ' (<a href="./Documentation.html#faqbookmark" target="documentation">' . $strDocu . '</a>): <input type="text" name="bookmark_variable" class="textfield" size="10" />' . "\n"; echo ' ' . $strVar . ' (<a href="./Documentation.html#faqbookmark" target="documentation">' . $strDocu . '</a>): <input type="text" name="bookmark_variable" class="textfield" size="10" />' . "\n";
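Review bot: The changed line escapes `$key` for the option text but still emits `$value` raw into the `value` attribute, whereas the equivalent bookmark loop earlier on this page (hunk `@@ -159,7 +159,7 @@`) wraps it in `htmlspecialchars()`; if `$bookmark_list` ever holds a non-numeric value containing `"`, the attribute is malformed here. Suggest `echo ' <option value="' . htmlspecialchars($value) . '">' . htmlspecialchars($key) . '</option>' . "\n";` so the two loops agree. The enclosing if block starts before the hunk.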


@@ -81,7 +81,7 @@ if (!isset($param) || $param[0] == '') {
echo "\n"; echo "\n";
// Displays the list of the fields // Displays the list of the fields
for ($i = 0 ; $i < $fields_cnt; $i++) { for ($i = 0 ; $i < $fields_cnt; $i++) {
echo ' <option value="' . urlencode($fields_list[$i]) . '" selected="selected">' . htmlspecialchars($fields_list[$i]) . '</option>' . "\n"; echo ' <option value="' . htmlspecialchars($fields_list[$i]) . '" selected="selected">' . htmlspecialchars($fields_list[$i]) . '</option>' . "\n";
} }
?> ?>
</select><br /> </select><br />
@@ -152,7 +152,7 @@ if (!isset($param) || $param[0] == '') {
while ($relrow = @PMA_mysql_fetch_array($disp)) { while ($relrow = @PMA_mysql_fetch_array($disp)) {
$key = $relrow[$foreign_field]; $key = $relrow[$foreign_field];
$value = (($foreign_display != FALSE) ? '-' . htmlspecialchars($relrow[$foreign_display]) : ''); $value = (($foreign_display != FALSE) ? '-' . htmlspecialchars($relrow[$foreign_display]) : '');
echo ' <option value="' . urlencode($key) . '">' echo ' <option value="' . htmlspecialchars($key) . '">'
. htmlspecialchars($key) . $value . '</option>' . "\n"; . htmlspecialchars($key) . $value . '</option>' . "\n";
} // end while } // end while
echo ' </select>' . "\n"; echo ' </select>' . "\n";
@@ -171,7 +171,7 @@ if (!isset($param) || $param[0] == '') {
} }
?> ?>
<input type="hidden" name="names[]" value="<?php echo urlencode($fields_list[$i]); ?>" /> <input type="hidden" name="names[]" value="<?php echo htmlspecialchars($fields_list[$i]); ?>" />
<input type="hidden" name="types[]" value="<?php echo $fields_type[$i]; ?>" /> <input type="hidden" name="types[]" value="<?php echo $fields_type[$i]; ?>" />
</td> </td>
</tr> </tr>
@@ -189,7 +189,7 @@ if (!isset($param) || $param[0] == '') {
echo "\n"; echo "\n";
for ($i = 0; $i < $fields_cnt; $i++) { for ($i = 0; $i < $fields_cnt; $i++) {
echo ' '; echo ' ';
echo '<option value="' . urlencode($fields_list[$i]) . '">' . htmlspecialchars($fields_list[$i]) . '</option>' . "\n"; echo '<option value="' . htmlspecialchars($fields_list[$i]) . '">' . htmlspecialchars($fields_list[$i]) . '</option>' . "\n";
} // end for } // end for
?> ?>
</select> </select>
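Review bot: The `names[]` hidden input in hunk `@@ -171,7 +171,7 @@` is now HTML-escaped, but the `types[]` input on the unchanged line directly below still echoes `$fields_type[$i]` raw; the two arrays are presumably built from the same field metadata and should be treated alike: `<input type="hidden" name="types[]" value="<?php echo htmlspecialchars($fields_type[$i]); ?>" />`. The `$value` string in hunk `@@ -152,7 +152,7 @@` needs no change, since it is already assembled from `htmlspecialchars($relrow[$foreign_display])` and a literal `-`. The enclosing loops and conditionals start before each hunk.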