nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix escaping of long query with js (thanks to Erwin for report).

Browse Source
This commit is contained in:
Michal Čihař
2006-10-19 15:57:17 +00:00
parent 384c97721c
commit dea9bc31fe
2 changed files with 25 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog
View File

@@ -5,6 +5,10 @@ phpMyAdmin - ChangeLog
$Id$ $Id$
$Source$ $Source$
2006-10-19 Michal Čihař <michal@cihar.com>
* libraries/common.lib.php: Fix escaping of long query with js (thanks to
Erwin for report).
2006-10-18 Marc Delisle <lem9@users.sourceforge.net> 2006-10-18 Marc Delisle <lem9@users.sourceforge.net>
* db_operations.php, libraries/Table.class.php: bug #1567316, * db_operations.php, libraries/Table.class.php: bug #1567316,
renaming a db containing a view renaming a db containing a view

27
libraries/common.lib.php
View File

@@ -1395,19 +1395,20 @@ if (!defined('PMA_MINIMUM_COMMON')) {
/** /**
* escapes a string to be inserted as string a JavaScript block * escapes a string to be inserted as string a JavaScript block
* enclosed by <![CDATA[ ... ]]> * enclosed by <![CDATA[ ... ]]>
* this requires only to escape ' with \' * this requires only to escape ' with \' and end of script block
* *
* @uses str_replace() * @uses strtr()
* @param string $string the string to be escaped * @param string $string the string to be escaped
* @return string the escaped string * @return string the escaped string
*/ */
function PMA_escapeJsString($string) function PMA_escapeJsString($string)
{ {
$string = str_replace('\\', '\\\\', $string); return strtr($string, array(
$string = str_replace('\'', '\\\'', $string); '\\' => '\\\\',
$string = str_replace("\012", '\n', $string); '\'' => '\\\'',
$string = str_replace("\015", '\r', $string); "\n" => '\n',
return $string; "\r" => '\r',
'</script' => '<\' + \'script'));
} }
/** /**
@@ -1544,7 +1545,15 @@ window.parent.updateTableTitle('<?php echo $uni_tbl; ?>', '<?php echo PMA_jsForm
if ($cfg['ShowSQL'] == true if ($cfg['ShowSQL'] == true
&& (!empty($GLOBALS['sql_query']) || !empty($GLOBALS['display_query']))) { && (!empty($GLOBALS['sql_query']) || !empty($GLOBALS['display_query']))) {
$local_query = !empty($GLOBALS['display_query']) ? $GLOBALS['display_query'] : (($cfg['SQP']['fmtType'] == 'none' && isset($GLOBALS['unparsed_sql']) && $GLOBALS['unparsed_sql'] != '') ? $GLOBALS['unparsed_sql'] : $GLOBALS['sql_query']); if (!empty($GLOBALS['display_query'])) {
$local_query = $GLOBALS['display_query'];
} else {
if ($cfg['SQP']['fmtType'] == 'none' && !empty($GLOBALS['unparsed_sql'])) {
$local_query = $GLOBALS['unparsed_sql'];
} else {
$local_query = $GLOBALS['sql_query'];
}
}
// Basic url query part // Basic url query part
$url_qpart = '?' . PMA_generate_common_url(isset($GLOBALS['db']) ? $GLOBALS['db'] : '', isset($GLOBALS['table']) ? $GLOBALS['table'] : ''); $url_qpart = '?' . PMA_generate_common_url(isset($GLOBALS['db']) ? $GLOBALS['db'] : '', isset($GLOBALS['table']) ? $GLOBALS['table'] : '');
@@ -1563,7 +1572,7 @@ window.parent.updateTableTitle('<?php echo $uni_tbl; ?>', '<?php echo PMA_jsForm
/* SQL-Parser-Analyzer */ /* SQL-Parser-Analyzer */
$query_base = preg_replace("@((\015\012)|(\015)|(\012))+@", $new_line, $query_base); $query_base = preg_replace("@((\015\012)|(\015)|(\012))+@", $new_line, $query_base);
} else { } else {
$query_base = $local_query; $query_base = htmlspecialchars($local_query);
} }
// Parse SQL if needed // Parse SQL if needed