diff --git a/ChangeLog b/ChangeLog index 31661fe96..8d6127388 100755 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,10 @@ phpMyAdmin - Changelog $Id$ $Source$ +2002-05-05 Loïc Chapeaux + * tbl_relation.php3; libraries/display_tbl.lib.php3: added backquotes and + slashed some values. + 2002-05-06 Marc Delisle * lang/romanian.inc.php3 updates thanks to Valics Lehel * lang/*, tbl_relation.php3, Documentation.html, diff --git a/libraries/display_tbl.lib.php3 b/libraries/display_tbl.lib.php3 index 8904d8712..4dce8ea7a 100644 --- a/libraries/display_tbl.lib.php3 +++ b/libraries/display_tbl.lib.php3 
@@ -923,31 +923,30 @@ if (!defined('PMA_DISPLAY_TBL_LIB_INCLUDED')){ } else if ($row[$pointer] != '') { $vertical_display['data'][$row_no][$i] = ' '; if (isset($map[$meta->name])) { - // Field to display from the foreign table? + // Field to display from the foreign table? if (!empty($map[$meta->name][2])) { - $dispsql = 'SELECT ' . $map[$meta->name][2] - . ' FROM ' . PMA_backquote($map[$meta->name][0]) - . ' WHERE ' . $map[$meta->name][1] - . ' = ' . $row[$pointer]; - $dispresult = mysql_query($dispsql); - if (mysql_num_rows($dispresult) > 0) { - $disprow = mysql_fetch_row($dispresult); - $dispval = $disprow[0]; - } - else { - $dispval = $GLOBALS['strLinkNotFound']; - } + $dispsql = 'SELECT ' . PMA_backquote($map[$meta->name][2]) + . ' FROM ' . PMA_backquote($map[$meta->name][0]) + . ' WHERE ' . PMA_backquote($map[$meta->name][1]) + . ' = ' . $row[$pointer]; + $dispresult = mysql_query($dispsql); + if ($dispresult && mysql_num_rows($dispresult) > 0) { + $dispval = mysql_result($dispresult, 0); + } + else { + $dispval = $GLOBALS['strLinkNotFound']; + } } else { - $dispval = ''; - } - $title = (!empty($dispval))? ' title="' . $dispval . '"': ''; + $dispval = ''; + } // end if... else... + $title = (!empty($dispval))? ' title="' . htmlspecialchars($dispval) . '"' : ''; $vertical_display['data'][$row_no][$i] .= '' + . '&sql_query=' . urlencode('SELECT * FROM ' . PMA_backquote($map[$meta->name][0]) . ' WHERE ' . PMA_backquote($map[$meta->name][1]) . ' = ' . $row[$pointer]) . '"' . $title . '>' . $row[$pointer] . ''; } else { $vertical_display['data'][$row_no][$i] .= $row[$pointer]; @@ -1013,33 +1012,32 @@ if (!defined('PMA_DISPLAY_TBL_LIB_INCLUDED')){ $row[$pointer] = ereg_replace("((\015\012)|(\015)|(\012))", '
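Review bot: In this branch `$row[$pointer]` is still concatenated bare into both `$dispsql` and the `sql_query` link (`' = ' . $row[$pointer]`), while the string branch further down now quotes and slashes the same value. The condition that selects this branch starts above the hunk, so the column is presumably numeric, but nothing visible here enforces that the value is a plain number. MySQL accepts a quoted literal in a numeric comparison, so the same treatment removes that dependency: `. ' = \'' . PMA_sqlAddslashes($row[$pointer]) . '\'';`. The call here is also `mysql_query()` without the `@` used in the other branch, so a failed lookup will print a warning into the cell even though `$dispresult &&` now handles the failure.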
', $row[$pointer]); } $vertical_display['data'][$row_no][$i] = ' '; - if (isset($map[$meta->name])) { - // Field to display from the foreign table? + if (isset($map[$meta->name])) { + // Field to display from the foreign table? if (!empty($map[$meta->name][2])) { - $dispsql = 'SELECT ' . $map[$meta->name][2] - . ' FROM ' . PMA_backquote($map[$meta->name][0]) - . ' WHERE ' . $map[$meta->name][1] - . ' = \'' . $row[$pointer] . '\''; - $dispresult = @mysql_query($dispsql); - if (mysql_num_rows($dispresult) > 0) { - $disprow = mysql_fetch_row($dispresult); - $dispval = $disprow[0]; - } - else { - $dispval = $GLOBALS['strLinkNotFound']; - } + $dispsql = 'SELECT ' . PMA_backquote($map[$meta->name][2]) + . ' FROM ' . PMA_backquote($map[$meta->name][0]) + . ' WHERE ' . PMA_backquote($map[$meta->name][1]) + . ' = \'' . PMA_sqlAddslashes($row[$pointer]) . '\''; + $dispresult = @mysql_query($dispsql); + if ($dispresult && mysql_num_rows($dispresult) > 0) { + $dispval = mysql_result($dispresult, 0); + } + else { + $dispval = $GLOBALS['strLinkNotFound']; + } } else { $dispval = ''; } - $title = (!empty($dispval))? ' title="' . $dispval . '"': ''; + $title = (!empty($dispval))? ' title="' . htmlspecialchars($dispval) . '"' : ''; $vertical_display['data'][$row_no][$i] .= '' + . '&sql_query=' . urlencode('SELECT * FROM ' . PMA_backquote($map[$meta->name][0]) . ' WHERE ' . PMA_backquote($map[$meta->name][1]) . ' = \'' . PMA_sqlAddslashes($relation_id) . '\'') . '"' . $title . '>' . $row[$pointer] . ''; } else { $vertical_display['data'][$row_no][$i] .= $row[$pointer]; 
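Review bot: The lookup in `$dispsql` is keyed on `$row[$pointer]`, but the link a few lines later builds its query from `$relation_id`, and the context line at the top of the hunk shows `$row[$pointer]` being rewritten by `ereg_replace()` for display before this point. If `$relation_id` holds the untouched column value (it is assigned outside the hunk, so this is an inference), the lookup should use it as well, `. ' = \'' . PMA_sqlAddslashes($relation_id) . '\'';`, otherwise values containing line breaks will resolve to `strLinkNotFound` while the link itself still works. Separately, `$row[$pointer]` is printed as the link text with no escaping in the visible lines, so a short comment saying where it is escaped, e.g. `// $row[$pointer] is HTML-escaped earlier in this branch`, is worth adding once that is confirmed.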
@@ -1356,15 +1354,12 @@ if (!defined('PMA_DISPLAY_TBL_LIB_INCLUDED')){ if (!empty($cfg['Server']['relation'])) { // find tables -// $tabs = '(\'' . join('\',\'', spliti('`? *((on [^,]+)?,|(NATURAL )?(inner|left|right)( outer)? join) *`?', -// eregi_replace('^.*FROM +`?|`? *(on [^,]+)?(WHERE.*)?$', '', $sql_query))) . '\')'; $pattern = '`?[[:space:]]+(((ON|on)[[:space:]]+[^,]+)?,|((NATURAL|natural)[[:space:]]+)?(INNER|inner|LEFT|left|RIGHT|right)([[:space:]]+(OUTER|outer))?[[:space:]]+(JOIN|join))[[:space:]]*`?'; $target = eregi_replace('^.*[[:space:]]+FROM[[:space:]]+`?|`?[[:space:]]*(ON[[:space:]]+[^,]+)?(WHERE[[:space:]]+.*)?$', '', $sql_query); $tabs = '(\'' . join('\',\'', split($pattern, $target)) . '\')'; - $local_query = 'SELECT master_field, foreign_table, foreign_field,' - . 'foreign_display_field' - . ' FROM ' . $cfg['Server']['relation'] + $local_query = 'SELECT master_field, foreign_table, foreign_field, foreign_display_field' + . ' FROM ' . PMA_backquote($cfg['Server']['relation']) . ' WHERE master_table IN ' . $tabs; $result = @mysql_query($local_query); if ($result) { diff --git a/tbl_relation.php3 b/tbl_relation.php3 index 754f8e36b..2d27b8939 100644 --- a/tbl_relation.php3 +++ b/tbl_relation.php3 @@ -17,7 +17,7 @@ require('./tbl_properties_table_info.php3'); if (!empty($cfg['Server']['relation']) && isset($submit_rel) && $submit_rel == 'true') { // first check if there is a entry allready - $upd_query = 'SELECT master_field, foreign_table, foreign_field FROM ' . $cfg['Server']['relation'] + $upd_query = 'SELECT master_field, foreign_table, foreign_field FROM ' . PMA_backquote($cfg['Server']['relation']) . ' WHERE master_table = \'' . PMA_sqlAddslashes($table) . '\''; $upd_rs = mysql_query($upd_query) or PMA_mysqlDie('', $upd_query, '', $err_url_0); 
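Review bot: `$tabs` is still assembled from pieces of `$sql_query` and placed straight between single quotes in `WHERE master_table IN ...`; backquoting the relation table name does not cover that part of `$local_query`. A table name containing a quote or backslash, or a query shape the `split()` pattern does not anticipate, ends up unescaped inside the string list. Each element should pass through `PMA_sqlAddslashes()` before the `join()`, as sketched below (loop form because the file targets PHP3; the variable names are placeholders). The enclosing `if` continues past the end of the hunk.

```php
// … unchanged: $pattern and $target …
$tab_names = split($pattern, $target);
$tab_count = count($tab_names);
for ($t = 0; $t < $tab_count; $t++) {
    $tab_names[$t] = PMA_sqlAddslashes($tab_names[$t]);
}
$tabs = '(\'' . join('\',\'', $tab_names) . '\')';
// … unchanged: $local_query and the mysql_query() call …
```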
@@ -29,7 +29,7 @@ if (!empty($cfg['Server']['relation']) if ($value != 'nix') { if (!isset($existrel[$key])) { $for = explode('.', $destination[$key]); - $upd_query = 'INSERT INTO ' . $cfg['Server']['relation'] + $upd_query = 'INSERT INTO ' . PMA_backquote($cfg['Server']['relation']) . '(master_table, master_field, foreign_table, foreign_field)' . ' values(' . '\'' . PMA_sqlAddslashes($table) . '\', ' @@ -39,14 +39,14 @@ if (!empty($cfg['Server']['relation']) $upd_rs = mysql_query($upd_query) or PMA_mysqlDie('', $upd_query, '', $err_url_0); } else if ($existrel[$key] != $value) { $for = explode('.', $destination[$key]); - $upd_query = 'UPDATE ' . $cfg['Server']['relation'] . ' SET' + $upd_query = 'UPDATE ' . PMA_backquote($cfg['Server']['relation']) . ' SET' . ' foreign_table = \'' . PMA_sqlAddslashes($for[0]) . '\', foreign_field = \'' . PMA_sqlAddslashes($for[1]) . '\' ' . ' WHERE master_table = \'' . PMA_sqlAddslashes($table) . '\' AND master_field = \'' . PMA_sqlAddslashes($key) . '\''; $upd_rs = mysql_query($upd_query) or PMA_mysqlDie('', $upd_query, '', $err_url_0); } // end if... else.... } else if (isset($existrel[$key])) { $for = explode('.', $destination[$key]); - $upd_query = 'DELETE FROM ' . $cfg['Server']['relation'] + $upd_query = 'DELETE FROM ' . PMA_backquote($cfg['Server']['relation']) . ' WHERE master_table = \'' . PMA_sqlAddslashes($table) . '\' AND master_field = \'' . PMA_sqlAddslashes($key) . '\''; $upd_rs = mysql_query($upd_query) or PMA_mysqlDie('', $upd_query, '', $err_url_0); } // end if... else.... @@ -93,7 +93,7 @@ if ($cfg['Server']['relation']) { // create Array of Relations (Mike Beck) if ($rel_work) { $rel_query = 'SELECT master_field, concat(foreign_table, \'.\', foreign_field) AS rel' - . ' FROM ' . $cfg['Server']['relation'] + . ' FROM ' . PMA_backquote($cfg['Server']['relation']) . ' WHERE master_table = \'' . PMA_sqlAddslashes($table) . '\''; $relations = @mysql_query($rel_query) or PMA_mysqlDie('', $rel_query, '', $err_url);
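Review bot: `$for = explode('.', $destination[$key])` is used without checking that it produced two parts, in the UPDATE of the `@@ -39` hunk and presumably in the INSERT whose value list runs between the `@@ -29` and `@@ -39` hunks. A submitted `destination` value without a dot leaves `$for[1]` undefined and stores an empty `foreign_field`, and a table or field name that itself contains a dot is split in the wrong place. A guard such as `if (count($for) != 2) { continue; }` fits only if this code runs inside a loop (the enclosing construct is outside the hunks); otherwise the write for that key should simply be skipped. In the DELETE branch `$for` is computed but not used in the visible statement, so that `explode()` line can be dropped.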