function userSectionAccess($tableNameWithoutPrefix)
{
// added in v2.16
global $CURRENT_USER;
$tableName = getTableNameWithoutPrefix($tableNameWithoutPrefix);
// get access level
if (@$CURRENT_USER['accessList']['all']['accessLevel'] > 1) {
$accessLevel = $CURRENT_USER['accessList']['all']['accessLevel'];
} elseif (@$CURRENT_USER['accessList'][$tableName]['accessLevel']) {
$accessLevel = @$CURRENT_USER['accessList'][$tableName]['accessLevel'];
} else {
$accessLevel = 0;
}
// accounts menu (special rules)
if ($tableName == 'accounts') {
if (@$CURRENT_USER['isAdmin']) {
$accessLevel = 9;
} elseif ($accessLevel < 9) {
$accessLevel = 0;
}
// accounts menu requires admin or editor access
}
// don't allow viewer-only access unless section allows it
if ($accessLevel == 3 || $accessLevel == 7) {
$schema = loadSchema($tableName);
if (@$schema['_disableView']) {
if ($accessLevel == 7) {
$accessLevel = 6;
} else {
$accessLevel = 0;
}
// drop viewer only access to no access
}
}
//
$accessLevel = applyFilters('userSectionAccess', $accessLevel, $tableName);
return $accessLevel;
}
function _updateMySQL()
{
global $TABLE_PREFIX, $schema;
$escapedTableName = mysql_escape($_REQUEST['tableName']);
// get current column name and type
$oldColumnName = $_REQUEST['fieldname'];
$newColumnName = $_REQUEST['newFieldname'];
$oldColumnType = getMysqlColumnType($_REQUEST['tableName'], $oldColumnName);
$newColumnType = getColumnTypeFor($newColumnName, $_REQUEST['type'], @$_REQUEST['customColumnType']);
// create/alter/remove MySQL columns
$isOldColumn = $oldColumnType;
$isNewColumn = $newColumnType != 'none' && $newColumnType != '';
$doEraseColumn = $isOldColumn && !$isNewColumn;
$doCreateColumn = !$oldColumnType && $isNewColumn;
$doAlterColumn = $isOldColumn && $isNewColumn;
// remove existing index (if any) - always dropping/recreating indexes ensure they match renamed fields, etc
list($oldIndexName, $oldIndexColList) = getIndexNameAndColumnListForField($oldColumnName, $oldColumnType);
$indexExists = (bool) mysql_get_query("SHOW INDEX FROM `{$escapedTableName}` WHERE Key_name = '{$oldIndexName}'");
if ($indexExists) {
mysql_query("DROP INDEX `{$oldIndexName}` ON `{$escapedTableName}`") or die("Error dropping index `{$newIndexName}`:" . htmlencode(mysql_error()));
}
// update table: create, alter, or erase field
if ($doCreateColumn) {
// create field
$query = "ALTER TABLE `" . mysql_escape($_REQUEST['tableName']) . "`\n ADD COLUMN `" . mysql_escape($newColumnName) . "` {$newColumnType}";
$result = mysql_query($query) or die("There was an error creating the MySQL Column, the error was:\n\n" . mysql_error());
} else {
if ($doAlterColumn) {
// change field type
$result = mysql_query("ALTER TABLE `" . mysql_escape($_REQUEST['tableName']) . "`\n CHANGE COLUMN `" . mysql_escape($oldColumnName) . "`\n `" . mysql_escape($newColumnName) . "` {$newColumnType}") or die("There was an error changing the MySQL Column, the error was:\n\n" . mysql_error() . "\n");
} else {
if ($doEraseColumn) {
// erase mysql field
$query = "ALTER TABLE `" . mysql_escape($_REQUEST['tableName']) . "`\n DROP COLUMN `" . mysql_escape($oldColumnName) . "`";
$result = mysql_query($query) or die("There was an error removing the MySQL Column, the error was:\n\n" . mysql_error() . "\n");
}
}
}
// add/re-create index if required
if (@$_REQUEST['indexed']) {
list($newIndexName, $newIndexColList) = getIndexNameAndColumnListForField($newColumnName, $newColumnType);
$result = mysql_query("CREATE INDEX `{$newIndexName}` ON `{$escapedTableName}` {$newIndexColList}") or die("Error creating index `{$newIndexName}`:" . htmlencode(mysql_error()));
}
// update uploads table (rename upload field if it was changed)
$uploadFieldRenamed = $_REQUEST['type'] == 'upload' && $oldColumnName && $oldColumnName != $newColumnName;
if ($uploadFieldRenamed) {
$tableNameWithoutPrefix = getTableNameWithoutPrefix($_REQUEST['tableName']);
$query = "UPDATE `{$TABLE_PREFIX}uploads`";
$query .= " SET fieldName='" . mysql_escape($newColumnName) . "'";
$query .= " WHERE fieldName='" . mysql_escape($oldColumnName) . "' AND";
$query .= " tableName='" . mysql_escape($tableNameWithoutPrefix) . "'";
mysql_query($query) or die("There was an error updating the uploads database:\n\n" . htmlencode(mysql_error()) . "\n");
}
}
/3rdParty/jquery-migrate-1.2.1.min.js"><\/script>')</script>
<script><!--
tablesAndFieldnames = <?php
echo json_encode($tablesAndFieldnames);
?>
;
//--></script>
</head>
<body>
<form method="post" action="?" id="editFieldForm" onsubmit="return false;" autocomplete="off">
<input type="hidden" name="menu" value="database" />
<input type="hidden" name="_defaultAction" value="editTable" />
<input type="hidden" name="tableName" id="tableName" value="<?php
echo htmlencode(getTableNameWithoutPrefix($_REQUEST['tableName']));
?>
" />
<input type="hidden" name="fieldname" id="fieldname" value="<?php
echo htmlencode($_REQUEST['fieldname']);
?>
" />
<input type="hidden" name="order" id="order" value="<?php
echo htmlencode(@$field['order']);
?>
" />
<input type="hidden" name="editField" value="1" />
<input type="hidden" name="save" value="1" />
<input type="hidden" name="saveAndCopy" id="saveAndCopy" value="0" />
<?php
echo security_getHiddenCsrfTokenField();
<?php
if (@$schema['menuType'] != 'link' && @$schema['menuType'] != 'menugroup') {
?>
<div style="float:left">
<input class="button" type="button" name="null" value="<< <?php
echo t('Code Generator');
?>
" onclick="window.location='?menu=_codeGenerator&tableName=<?php
echo urlencode(getTableNameWithoutPrefix(@$_REQUEST['tableName']));
?>
'"/>
<input class="button" type="button" name="null" value="<< <?php
echo t('Editor');
?>
" onclick="window.location='?menu=<?php
echo urlencode(getTableNameWithoutPrefix(@$_REQUEST['tableName']));
?>
'"/>
</div>
<?php
}
?>
<input class="button" type="submit" name="action=listTables" value="<< <?php
echo t('Back');
?>
" />
<input class="button" type="submit" name="saveTableDetails" value="<?php
echo t('Save Details');
?>
" />
function getUploads($tableName, $fieldName, $recordNum)
{
global $TABLE_PREFIX;
$uploads = array();
// error checking
if (!$tableName) {
die(__FUNCTION__ . ": no 'tableName' value specified!");
}
if (!$fieldName) {
die(__FUNCTION__ . ": no 'fieldName' value specified!");
}
if (!$recordNum) {
die(__FUNCTION__ . ": no 'recordNum' value specified!");
}
// get record uploads
$tableNameWithoutPrefix = getTableNameWithoutPrefix($tableName);
$query = " SELECT * FROM `{$TABLE_PREFIX}uploads` ";
$query .= " WHERE tableName = '" . mysql_escape($tableNameWithoutPrefix) . "' AND ";
$query .= " fieldName = '" . mysql_escape($fieldName) . "' AND";
$query .= " recordNum = '" . mysql_escape($recordNum) . "'";
$query .= " ORDER BY `order`, num";
$result = mysql_query($query) or die("MySQL Error: " . htmlencode(mysql_error()) . "\n");
//
$schema = loadSchema($tableName);
while ($upload = mysql_fetch_assoc($result)) {
_addUploadPseudoFields($upload, $schema, $fieldName);
array_push($uploads, $upload);
}
return $uploads;
}
function eraseField()
{
global $TABLE_PREFIX, $schema;
//
security_dieUnlessPostForm();
security_dieUnlessInternalReferer();
security_dieOnInvalidCsrfToken();
//
disableInDemoMode('', 'ajax');
$tableName = $_REQUEST['tableName'];
$fieldname = $_REQUEST['fieldname'];
if (!$tableName) {
die("no tableName specified!\n");
}
if (!$fieldname) {
die("no tableName specified!\n");
}
// erase from schema
unset($schema[$fieldname]);
saveSchema($tableName, $schema);
// erase from mySQL
$columnType = getMysqlColumnType($tableName, $fieldname);
if ($columnType != '') {
$result = mysql_query("ALTER TABLE `" . mysql_escape($tableName) . "`\n DROP COLUMN `" . mysql_escape($fieldname) . "`") or die("There was an error removing the MySQL Column, the error was:\n\n" . htmlencode(mysql_error()) . "\n");
}
// expire uploads (mark files for erasing by blanking out fieldname - they get erased when upload form is submitted)
$tableNameWithoutPrefix = getTableNameWithoutPrefix($tableName);
$query = "UPDATE `{$TABLE_PREFIX}uploads`";
$query .= " SET fieldName = ''";
$query .= " WHERE fieldName = '" . mysql_escape($fieldname) . "' AND";
$query .= " tableName = '" . mysql_escape($tableNameWithoutPrefix) . "'";
mysql_query($query) or die("There was an error erasing old uploads:\n\n" . htmlencode(mysql_error()) . "\n");
// this function is called via ajax. Output is returned as errors via javascript alert. Output nothing on success.
exit;
}
function backupDatabase($filenameOrPath = '', $selectedTable = '')
{
global $TABLE_PREFIX;
$prefixPlaceholder = '#TABLE_PREFIX#_';
set_time_limit(60 * 5);
// v2.51 - allow up to 5 minutes to backup/restore database
session_write_close();
// v2.51 - End the current session and store session data so locked session data doesn't prevent concurrent access to CMS by user while backup in progress
// error checking
if ($selectedTable != '') {
$schemaTables = getSchemaTables();
if (preg_match("/[^\\w\\d\\-\\.]/", $selectedTable)) {
die(__FUNCTION__ . " : \$selectedTable contains invalid chars! " . htmlencode($selectedTable));
}
if (!in_array($selectedTable, $schemaTables)) {
die("Unknown table selected '" . htmlencode($selectedTable) . "'!");
}
}
// open backup file
$hostname = preg_replace('/[^\\w\\d\\-\\.]/', '', @$_SERVER['HTTP_HOST']);
if (!$filenameOrPath) {
$filenameOrPath = "{$hostname}-v{$GLOBALS['APP']['version']}-" . date('Ymd-His');
if ($selectedTable) {
$filenameOrPath .= "-{$selectedTable}";
}
$filenameOrPath .= ".sql.php";
}
$outputFilepath = isAbsPath($filenameOrPath) ? $filenameOrPath : DATA_DIR . "/backups/{$filenameOrPath}";
// v2.60 if only filename provided, use /data/backup/ as the basedir
$fp = @fopen($outputFilepath, 'x');
if (!$fp) {
// file already exists - avoid race condition
session_start();
return false;
}
// create no execute php header
fwrite($fp, "-- <?php die('This is not a program file.'); exit; ?>\n\n");
# prevent file from being executed
// get tablenames to backup
if ($selectedTable) {
$tablenames = array(getTableNameWithPrefix($selectedTable));
} else {
$skippedTables = array('_cron_log', '_error_log', '_outgoing_mail', '_nlb_log');
// don't backup these table names
$skippedTables = applyFilters('backupDatabase_skippedTables', $skippedTables);
// let users skip tables via plugins
$skippedTables = array_map('getTableNameWithPrefix', $skippedTables);
// add table_prefix to all table names (if needed)
$allTables = getMysqlTablesWithPrefix();
$tablenames = array_diff($allTables, $skippedTables);
// remove skipped tables from list
}
// backup database
foreach ($tablenames as $unescapedTablename) {
$escapedTablename = mysql_escape($unescapedTablename);
$tablenameWithFakePrefix = $prefixPlaceholder . getTableNameWithoutPrefix($escapedTablename);
// create table
fwrite($fp, "\n--\n");
fwrite($fp, "-- Table structure for table `{$tablenameWithFakePrefix}`\n");
fwrite($fp, "--\n\n");
fwrite($fp, "DROP TABLE IF EXISTS `{$tablenameWithFakePrefix}`;\n\n");
$result = mysql_query("SHOW CREATE TABLE `{$escapedTablename}`");
list(, $createStatement) = mysql_fetch_row($result) or die("MySQL Error: " . htmlencode(mysql_error()));
$createStatement = str_replace("TABLE `{$TABLE_PREFIX}", "TABLE `{$prefixPlaceholder}", $createStatement);
fwrite($fp, "{$createStatement};\n\n");
if (is_resource($result)) {
mysql_free_result($result);
}
// create rows
fwrite($fp, "\n--\n");
fwrite($fp, "-- Dumping data for table `{$tablenameWithFakePrefix}`\n");
fwrite($fp, "--\n\n");
$result = mysql_query("SELECT * FROM `{$escapedTablename}`") or die("MySQL Error: " . htmlencode(mysql_error()));
while ($row = mysql_fetch_row($result)) {
$values = '';
foreach ($row as $value) {
if (is_null($value)) {
$values .= 'NULL,';
} else {
$values .= '"' . mysql_real_escape_string($value) . '",';
}
}
$values = chop($values, ',');
// remove trailing comma
fwrite($fp, "INSERT INTO `{$tablenameWithFakePrefix}` VALUES({$values});\n");
}
if (is_resource($result)) {
mysql_free_result($result);
}
}
//
fwrite($fp, "\n");
$result = fwrite($fp, "-- Dump completed on " . date('Y-m-d H:i:s O') . "\n\n");
if ($result === false) {
die(__FUNCTION__ . ": Error writing backup file! {$php_errormsg}");
}
fclose($fp) || die(__FUNCTION__ . ": Error closing backup file! {$php_errormsg}");
//
@session_start();
// hide error: E_WARNING: session_start(): Cannot send session cache limiter - headers already sent
return $outputFilepath;
}
