bug #2893221 [core] Statement may not be safe to log in statement format
This commit is contained in:
Marc Delisle
@@ -1911,7 +1911,7 @@ function PMA_checkParameters($params, $die = true, $request = true)
|
||||
*
|
||||
* @access public
|
||||
* @author Michal Cihar (michal@cihar.com) and others...
|
||||
* @return string calculated condition
|
||||
* @return array the calculated condition and whether condition is unique
|
||||
*/
|
||||
function PMA_getUniqueCondition($handle, $fields_cnt, $fields_meta, $row, $force_unique=false)
|
||||
{
|
||||
@@ -2009,15 +2009,19 @@ function PMA_getUniqueCondition($handle, $fields_cnt, $fields_meta, $row, $force
|
||||
// Correction University of Virginia 19991216:
|
||||
// prefer primary or unique keys for condition,
|
||||
// but use conjunction of all values if no primary key
|
||||
$clause_is_unique = true;
|
||||
if ($primary_key) {
|
||||
$preferred_condition = $primary_key;
|
||||
} elseif ($unique_key) {
|
||||
$preferred_condition = $unique_key;
|
||||
} elseif (! $force_unique) {
|
||||
$preferred_condition = $nonprimary_condition;
|
||||
$clause_is_unique = false;
|
||||
}
|
||||
|
||||
return trim(preg_replace('|\s?AND$|', '', $preferred_condition));
|
||||
$where_clause = trim(preg_replace('|\s?AND$|', '', $preferred_condition));
|
||||
return(array($where_clause, $clause_is_unique));
|
||||
|
||||
} // end function
|
||||
|
||||
/**
|
||||
|
||||
@@ -947,7 +947,7 @@ function PMA_displayTableHeaders(&$is_display, &$fields_meta, $fields_cnt = 0, $
|
||||
* @param array the list of relations
|
||||
* @param array the analyzed query
|
||||
*
|
||||
* @return boolean always true
|
||||
* @return boolean $clause_is_unique
|
||||
*
|
||||
* @global string $db the database name
|
||||
* @global string $table the table name
|
||||
@@ -1047,14 +1047,14 @@ function PMA_displayTableBody(&$dt_result, &$is_display, $map, $analyzed_sql) {
|
||||
|
||||
// 1. Prepares the row (gets primary keys to use)
|
||||
// 1.1 Results from a "SELECT" statement -> builds the
|
||||
// "primary" key to use in links
|
||||
// WHERE clause to use in links (a unique key if possible)
|
||||
/**
|
||||
* @todo $unique_condition could be empty, for example a table
|
||||
* @todo $where_clause could be empty, for example a table
|
||||
* with only one field and it's a BLOB; in this case,
|
||||
* avoid to display the delete and edit links
|
||||
*/
|
||||
$unique_condition = PMA_getUniqueCondition($dt_result, $fields_cnt, $fields_meta, $row);
|
||||
$unique_condition_html = urlencode($unique_condition);
|
||||
list($where_clause, $clause_is_unique) = PMA_getUniqueCondition($dt_result, $fields_cnt, $fields_meta, $row);
|
||||
$where_clause_html = urlencode($where_clause);
|
||||
|
||||
// 1.2 Defines the URLs for the modify/delete link(s)
|
||||
|
||||
@@ -1070,11 +1070,12 @@ function PMA_displayTableBody(&$dt_result, &$is_display, $map, $analyzed_sql) {
|
||||
// 1.2.1 Modify link(s)
|
||||
if ($is_display['edit_lnk'] == 'ur') { // update row case
|
||||
$_url_params = array(
|
||||
'db' => $db,
|
||||
'table' => $table,
|
||||
'primary_key' => $unique_condition,
|
||||
'sql_query' => $url_sql_query,
|
||||
'goto' => 'sql.php',
|
||||
'db' => $db,
|
||||
'table' => $table,
|
||||
'primary_key' => $where_clause,
|
||||
'clause_is_unique' => $clause_is_unique,
|
||||
'sql_query' => $url_sql_query,
|
||||
'goto' => 'sql.php',
|
||||
);
|
||||
$edit_url = 'tbl_change.php' . PMA_generate_common_url($_url_params);
|
||||
|
||||
@@ -1112,7 +1113,7 @@ function PMA_displayTableBody(&$dt_result, &$is_display, $map, $analyzed_sql) {
|
||||
$lnk_goto = 'sql.php' . PMA_generate_common_url($_url_params, 'text');
|
||||
|
||||
$del_query = 'DELETE FROM ' . PMA_backquote($db) . '.' . PMA_backquote($table)
|
||||
. ' WHERE ' . $unique_condition . ' LIMIT 1';
|
||||
. ' WHERE ' . $where_clause . ($clause_is_unique ? '' : ' LIMIT 1');
|
||||
|
||||
$_url_params = array(
|
||||
'db' => $db,
|
||||
@@ -1124,8 +1125,8 @@ function PMA_displayTableBody(&$dt_result, &$is_display, $map, $analyzed_sql) {
|
||||
$del_url = 'sql.php' . PMA_generate_common_url($_url_params);
|
||||
|
||||
$js_conf = 'DELETE FROM ' . PMA_jsFormat($db) . '.' . PMA_jsFormat($table)
|
||||
. ' WHERE ' . PMA_jsFormat($unique_condition, false)
|
||||
. ' LIMIT 1';
|
||||
. ' WHERE ' . PMA_jsFormat($where_clause, false)
|
||||
. ($clause_is_unique ? '' : ' LIMIT 1');
|
||||
$del_str = PMA_getIcon('b_drop.png', $GLOBALS['strDelete'], true);
|
||||
} elseif ($is_display['del_lnk'] == 'kp') { // kill process case
|
||||
|
||||
@@ -1209,7 +1210,7 @@ function PMA_displayTableBody(&$dt_result, &$is_display, $map, $analyzed_sql) {
|
||||
$_url_params = array(
|
||||
'db' => $db,
|
||||
'table' => $table,
|
||||
'primary_key' => $unique_condition,
|
||||
'primary_key' => $where_clause,
|
||||
'transform_key' => $meta->name,
|
||||
);
|
||||
|
||||
@@ -1408,7 +1409,7 @@ function PMA_displayTableBody(&$dt_result, &$is_display, $map, $analyzed_sql) {
|
||||
|
||||
if (!empty($del_url) && $is_display['del_lnk'] != 'kp') {
|
||||
$vertical_display['row_delete'][$row_no] .= ' <td align="center" class="' . $class . '" ' . $column_style_vertical . '>' . "\n"
|
||||
. ' <input type="checkbox" id="id_rows_to_delete' . $row_no . '[%_PMA_CHECKBOX_DIR_%]" name="rows_to_delete[' . $unique_condition_html . ']"'
|
||||
. ' <input type="checkbox" id="id_rows_to_delete' . $row_no . '[%_PMA_CHECKBOX_DIR_%]" name="rows_to_delete[' . $where_clause_html . ']"'
|
||||
. ' onclick="' . $column_marker_vertical . 'copyCheckboxesRange(\'rowsDeleteForm\', \'id_rows_to_delete' . $row_no . '\',\'[%_PMA_CHECKBOX_DIR_%]\');"'
|
||||
. ' value="' . htmlspecialchars($del_query) . '" ' . (isset($GLOBALS['checkall']) ? 'checked="checked"' : '') . ' />' . "\n"
|
||||
. ' </td>' . "\n";
|
||||
@@ -1437,7 +1438,9 @@ function PMA_displayTableBody(&$dt_result, &$is_display, $map, $analyzed_sql) {
|
||||
$row_no++;
|
||||
} // end while
|
||||
|
||||
return true;
|
||||
// this is needed by PMA_displayTable() to generate the proper param
|
||||
// in the multi-edit and multi-delete form
|
||||
return $clause_is_unique;
|
||||
} // end of the 'PMA_displayTableBody()' function
|
||||
|
||||
|
||||
@@ -1963,7 +1966,7 @@ function PMA_displayTable(&$dt_result, &$the_disp_mode, $analyzed_sql)
|
||||
PMA_displayTableHeaders($is_display, $fields_meta, $fields_cnt, $analyzed_sql, $sort_expression, $sort_expression_nodirection, $sort_direction);
|
||||
$url_query = '';
|
||||
echo '<tbody>' . "\n";
|
||||
PMA_displayTableBody($dt_result, $is_display, $map, $analyzed_sql);
|
||||
$clause_is_unique = PMA_displayTableBody($dt_result, $is_display, $map, $analyzed_sql);
|
||||
// vertical output case
|
||||
if ($_SESSION['userconf']['disp_direction'] == 'vertical') {
|
||||
PMA_displayVerticalTable();
|
||||
@@ -1974,7 +1977,7 @@ function PMA_displayTable(&$dt_result, &$the_disp_mode, $analyzed_sql)
|
||||
</table>
|
||||
|
||||
<?php
|
||||
// 4. ----- Displays the link for multi-fields delete
|
||||
// 4. ----- Displays the link for multi-fields edit and delete
|
||||
|
||||
if ($is_display['del_lnk'] == 'dr' && $is_display['del_lnk'] != 'kp') {
|
||||
|
||||
@@ -2025,6 +2028,10 @@ function PMA_displayTable(&$dt_result, &$the_disp_mode, $analyzed_sql)
|
||||
.' value="' . htmlspecialchars($sql_query) . '" />' . "\n";
|
||||
echo '<input type="hidden" name="url_query"'
|
||||
.' value="' . $GLOBALS['url_query'] . '" />' . "\n";
|
||||
|
||||
echo '<input type="hidden" name="clause_is_unique"'
|
||||
.' value="' . $clause_is_unique . '" />' . "\n";
|
||||
|
||||
echo '</form>' . "\n";
|
||||
}
|
||||
|
||||
|
||||
@@ -21,7 +21,7 @@ if ($doWriteModifyAt == 'left') {
|
||||
|
||||
if (!empty($del_url) && $is_display['del_lnk'] != 'kp') {
|
||||
echo ' <td align="center">' . "\n"
|
||||
. ' <input type="checkbox" id="id_rows_to_delete' . $row_no . '" name="rows_to_delete[' . $unique_condition_html . ']"'
|
||||
. ' <input type="checkbox" id="id_rows_to_delete' . $row_no . '" name="rows_to_delete[' . $where_clause_html . ']"'
|
||||
. ' onclick="copyCheckboxesRange(\'rowsDeleteForm\', \'id_rows_to_delete' . $row_no . '\',\'l\');"'
|
||||
. ' value="' . htmlspecialchars($del_query) . '" ' . (isset($GLOBALS['checkall']) ? 'checked="checked"' : '') . ' />' . "\n"
|
||||
. ' </td>' . "\n";
|
||||
@@ -51,7 +51,7 @@ if ($doWriteModifyAt == 'left') {
|
||||
}
|
||||
if (!empty($del_url) && $is_display['del_lnk'] != 'kp') {
|
||||
echo ' <td align="center">' . "\n"
|
||||
. ' <input type="checkbox" id="id_rows_to_delete' . $row_no . 'r" name="rows_to_delete[' . $unique_condition_html . ']"'
|
||||
. ' <input type="checkbox" id="id_rows_to_delete' . $row_no . 'r" name="rows_to_delete[' . $where_clause_html . ']"'
|
||||
. ' onclick="copyCheckboxesRange(\'rowsDeleteForm\', \'id_rows_to_delete' . $row_no . '\',\'r\');"'
|
||||
. ' value="' . htmlspecialchars($del_query) . '" ' . (isset($GLOBALS['checkall']) ? 'checked="checked"' : '') . ' />' . "\n"
|
||||
. ' </td>' . "\n";
|
||||
|
||||
@@ -1004,7 +1004,9 @@ function PMA_exportData($db, $table, $crlf, $error_url, $sql_query)
|
||||
$insert_line .= $field_set[$i] . ' = ' . $values[$i];
|
||||
}
|
||||
|
||||
$insert_line .= ' WHERE ' . PMA_getUniqueCondition($result, $fields_cnt, $fields_meta, $row);
|
||||
list($tmp_unique_condition, $tmp_clause_is_unique) = PMA_getUniqueCondition($result, $fields_cnt, $fields_meta, $row);
|
||||
$insert_line .= ' WHERE ' . $tmp_unique_condition;
|
||||
unset($tmp_unique_condition, $tmp_clause_is_unique);
|
||||
|
||||
} else {
|
||||
|
||||
|
||||
Reference in New Issue
Block a user