/** * update Data for information: Adds a user * * @param string $dbname db name * @param string $username user name * @param string $hostname host name * @param string $password password * @param bool $is_menuwork is_menuwork set? * * @return array */ function PMA_addUser($dbname, $username, $hostname, $password, $is_menuwork) { $_add_user_error = false; $message = null; $queries = null; $queries_for_display = null; $sql_query = null; if (!isset($_REQUEST['adduser_submit']) && !isset($_REQUEST['change_copy'])) { return array($message, $queries, $queries_for_display, $sql_query, $_add_user_error); } if (!isset($_REQUEST['adduser_submit']) && !isset($_REQUEST['change_copy'])) { return array($message, $queries, $queries_for_display, $sql_query, $_add_user_error); } $sql_query = ''; if ($_POST['pred_username'] == 'any') { $username = ''; } switch ($_POST['pred_hostname']) { case 'any': $hostname = '%'; break; case 'localhost': $hostname = 'localhost'; break; case 'hosttable': $hostname = ''; break; case 'thishost': $_user_name = $GLOBALS['dbi']->fetchValue('SELECT USER()'); $hostname = mb_substr($_user_name, mb_strrpos($_user_name, '@') + 1); unset($_user_name); break; } $sql = "SELECT '1' FROM `mysql`.`user`" . " WHERE `User` = '" . PMA_Util::sqlAddSlashes($username) . "'" . " AND `Host` = '" . PMA_Util::sqlAddSlashes($hostname) . "';"; if ($GLOBALS['dbi']->fetchValue($sql) == 1) { $message = PMA_Message::error(__('The user %s already exists!')); $message->addParam('[em]\'' . $username . '\'@\'' . $hostname . '\'[/em]'); $_REQUEST['adduser'] = true; $_add_user_error = true; return array($message, $queries, $queries_for_display, $sql_query, $_add_user_error); } list($create_user_real, $create_user_show, $real_sql_query, $sql_query, $password_set_real, $password_set_show) = PMA_getSqlQueriesForDisplayAndAddUser($username, $hostname, isset($password) ? $password : ''); if (empty($_REQUEST['change_copy'])) { $_error = false; if (isset($create_user_real)) { if (!$GLOBALS['dbi']->tryQuery($create_user_real)) { $_error = true; } if (isset($password_set_real) && !empty($password_set_real) && isset($_REQUEST['authentication_plugin'])) { PMA_setProperPasswordHashing($_REQUEST['authentication_plugin']); if ($GLOBALS['dbi']->tryQuery($password_set_real)) { $sql_query .= $password_set_show; } } $sql_query = $create_user_show . $sql_query; } list($sql_query, $message) = PMA_addUserAndCreateDatabase($_error, $real_sql_query, $sql_query, $username, $hostname, isset($dbname) ? $dbname : null); if (!empty($_REQUEST['userGroup']) && $is_menuwork) { PMA_setUserGroup($GLOBALS['username'], $_REQUEST['userGroup']); } return array($message, $queries, $queries_for_display, $sql_query, $_add_user_error); } if (isset($create_user_real)) { $queries[] = $create_user_real; } $queries[] = $real_sql_query; if (isset($password_set_real) && !empty($password_set_real) && isset($_REQUEST['authentication_plugin'])) { PMA_setProperPasswordHashing($_REQUEST['authentication_plugin']); $queries[] = $password_set_real; } // we put the query containing the hidden password in // $queries_for_display, at the same position occupied // by the real query in $queries $tmp_count = count($queries); if (isset($create_user_real)) { $queries_for_display[$tmp_count - 2] = $create_user_show; } if (isset($password_set_real) && !empty($password_set_real)) { $queries_for_display[$tmp_count - 3] = $create_user_show; $queries_for_display[$tmp_count - 2] = $sql_query; $queries_for_display[$tmp_count - 1] = $password_set_show; } else { $queries_for_display[$tmp_count - 1] = $sql_query; } return array($message, $queries, $queries_for_display, $sql_query, $_add_user_error); }
/** * Get SQL queries for Display and Add user * * @param string $username username * @param string $hostname host name * @param string $password password * * @return array ($create_user_real, $create_user_show,$real_sql_query, $sql_query * $password_set_real, $password_set_show) */ function PMA_getSqlQueriesForDisplayAndAddUser($username, $hostname, $password) { $slashedUsername = Util::sqlAddSlashes($username); $slashedHostname = Util::sqlAddSlashes($hostname); $slashedPassword = Util::sqlAddSlashes($password); $serverType = Util::getServerType(); $create_user_stmt = sprintf('CREATE USER \'%s\'@\'%s\'', $slashedUsername, $slashedHostname); // See https://github.com/phpmyadmin/phpmyadmin/pull/11560#issuecomment-147158219 // for details regarding details of syntax usage for various versions // 'IDENTIFIED WITH auth_plugin' // is supported by MySQL 5.5.7+ if (($serverType == 'MySQL' || $serverType == 'Percona Server') && PMA_MYSQL_INT_VERSION >= 50507 && isset($_REQUEST['authentication_plugin'])) { $create_user_stmt .= ' IDENTIFIED WITH ' . $_REQUEST['authentication_plugin']; } // 'IDENTIFIED VIA auth_plugin' // is supported by MariaDB 5.2+ if ($serverType == 'MariaDB' && PMA_MYSQL_INT_VERSION >= 50200 && isset($_REQUEST['authentication_plugin'])) { $create_user_stmt .= ' IDENTIFIED VIA ' . $_REQUEST['authentication_plugin']; } $create_user_real = $create_user_show = $create_user_stmt; $password_set_stmt = 'SET PASSWORD FOR \'%s\'@\'%s\' = \'%s\''; $password_set_show = sprintf($password_set_stmt, $slashedUsername, $slashedHostname, '***'); $sql_query_stmt = sprintf('GRANT %s ON *.* TO \'%s\'@\'%s\'', join(', ', PMA_extractPrivInfo()), $slashedUsername, $slashedHostname); $real_sql_query = $sql_query = $sql_query_stmt; // Set the proper hashing method if (isset($_REQUEST['authentication_plugin'])) { PMA_setProperPasswordHashing($_REQUEST['authentication_plugin']); } // Use 'CREATE USER ... WITH ... AS ..' syntax for // newer MySQL versions // and 'CREATE USER ... USING .. VIA ..' syntax for // newer MariaDB versions if (($serverType == 'MySQL' || $serverType == 'Percona Server') && PMA_MYSQL_INT_VERSION >= 50706 || $serverType == 'MariaDB' && PMA_MYSQL_INT_VERSION >= 50200) { $password_set_real = null; // Required for binding '%' with '%s' $create_user_stmt = str_replace('%', '%%', $create_user_stmt); // MariaDB uses 'USING' whereas MySQL uses 'AS' if ($serverType == 'MariaDB') { $create_user_stmt .= ' USING \'%s\''; } else { $create_user_stmt .= ' AS \'%s\''; } if ($_POST['pred_password'] == 'keep') { $create_user_real = sprintf($create_user_stmt, $slashedPassword); $create_user_show = sprintf($create_user_stmt, '***'); } else { if ($_POST['pred_password'] == 'none') { $create_user_real = sprintf($create_user_stmt, null); $create_user_show = sprintf($create_user_stmt, '***'); } else { $hashedPassword = PMA_getHashedPassword($_POST['pma_pw']); $create_user_real = sprintf($create_user_stmt, $hashedPassword); $create_user_show = sprintf($create_user_stmt, '***'); } } } else { // Use 'SET PASSWORD' syntax for pre-5.7.6 MySQL versions // and pre-5.2.0 MariaDB versions if ($_POST['pred_password'] == 'keep') { $password_set_real = sprintf($password_set_stmt, $slashedUsername, $slashedHostname, $slashedPassword); } else { if ($_POST['pred_password'] == 'none') { $password_set_real = sprintf($password_set_stmt, $slashedUsername, $slashedHostname, null); } else { $hashedPassword = PMA_getHashedPassword($_POST['pma_pw']); $password_set_real = sprintf($password_set_stmt, $slashedUsername, $slashedHostname, $hashedPassword); } } } // add REQUIRE clause $require_clause = PMA_getRequireClause(); $real_sql_query .= $require_clause; $sql_query .= $require_clause; if (isset($_POST['Grant_priv']) && $_POST['Grant_priv'] == 'Y' || (isset($_POST['max_questions']) || isset($_POST['max_connections']) || isset($_POST['max_updates']) || isset($_POST['max_user_connections']))) { $with_clause = PMA_getWithClauseForAddUserAndUpdatePrivs(); $real_sql_query .= $with_clause; $sql_query .= $with_clause; } if (isset($create_user_real)) { $create_user_real .= ';'; $create_user_show .= ';'; } $real_sql_query .= ';'; $sql_query .= ';'; // No Global GRANT_OPTION privilege if (!$GLOBALS['is_grantuser']) { $real_sql_query = ''; $sql_query = ''; } // Use 'SET PASSWORD' for pre-5.7.6 MySQL versions // and pre-5.2.0 MariaDB if ($serverType == 'MySQL' && PMA_MYSQL_INT_VERSION >= 50706 || $serverType == 'MariaDB' && PMA_MYSQL_INT_VERSION >= 50200) { $password_set_real = null; $password_set_show = null; } else { $password_set_real .= ";"; $password_set_show .= ";"; } return array($create_user_real, $create_user_show, $real_sql_query, $sql_query, $password_set_real, $password_set_show); }