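/**
 * Update the privileges of a user@host on a database/table and build the
 * success message.
 *
 * Three statements are assembled from the submitted form ($_POST) and run
 * in order: REVOKE ALL PRIVILEGES, REVOKE GRANT OPTION (only when the grant
 * option was not requested) and the GRANT itself. The two REVOKEs are run
 * through tryQuery() and are dropped from the returned SQL when they fail;
 * the GRANT is run through query().
 *
 * Note: the returned message is a success message even when one of the
 * REVOKEs failed — that failure is only visible as the statement missing
 * from the returned SQL string.
 *
 * @param string $username  username
 * @param string $hostname  host name
 * @param string $tablename table name ('' for all tables of $dbname)
 * @param string $dbname    database name ('' for a global *.* grant)
 *
 * @return array array(string $sql_query, PMA_Message $message): the executed
 *               SQL (failed REVOKEs omitted) and the success message
 */
function PMA_updatePrivileges($username, $hostname, $tablename, $dbname)
{
    $db_and_table = PMA_wildcardEscapeForGrant($dbname, $tablename);

    // GRANT/REVOKE take a literal user@host that cannot be bound as a
    // parameter, so sqlAddSlashes() is the only protection these values get;
    // escape once and reuse the result in all three statements.
    $user_host = '\'' . PMA_Util::sqlAddSlashes($username)
        . '\'@\'' . PMA_Util::sqlAddSlashes($hostname) . '\'';

    // $_POST values are strings (or arrays), so a strict comparison is
    // equivalent to the loose one here and avoids type juggling.
    $grant_option_requested = isset($_POST['Grant_priv'])
        && $_POST['Grant_priv'] === 'Y';

    $sql_query0 = 'REVOKE ALL PRIVILEGES ON ' . $db_and_table
        . ' FROM ' . $user_host . ';';

    // The GRANT OPTION is kept only when it was explicitly requested.
    $sql_query1 = $grant_option_requested
        ? ''
        : 'REVOKE GRANT OPTION ON ' . $db_and_table
            . ' FROM ' . $user_host . ';';

    // Extract the privilege list once instead of on every use.
    $privileges = PMA_extractPrivInfo();

    // Should not do a GRANT USAGE for a table-specific privilege, it
    // causes problems later (cannot revoke it)
    $sql_query2 = '';
    if (!(mb_strlen($tablename) > 0 && 'USAGE' === implode('', $privileges))) {
        $sql_query2 = 'GRANT ' . implode(', ', $privileges)
            . ' ON ' . $db_and_table . ' TO ' . $user_host;

        // The REQUIRE clause is only appended to a global (*.*) grant.
        if (!mb_strlen($dbname)) {
            $sql_query2 .= PMA_getRequireClause();
        }

        // The WITH clause is appended when the grant option was requested,
        // or when a resource limit was submitted for a global grant. The
        // parentheses make the intended &&/|| grouping explicit.
        $limits_submitted = isset($_POST['max_questions'])
            || isset($_POST['max_connections'])
            || isset($_POST['max_updates'])
            || isset($_POST['max_user_connections']);
        if ($grant_option_requested
            || (!mb_strlen($dbname) && $limits_submitted)
        ) {
            $sql_query2 .= PMA_getWithClauseForAddUserAndUpdatePrivs();
        }
        $sql_query2 .= ';';
    }

    if (!$GLOBALS['dbi']->tryQuery($sql_query0)) {
        // This might fail when the executing user does not have
        // ALL PRIVILEGES himself.
        // See https://sourceforge.net/p/phpmyadmin/bugs/3270/
        $sql_query0 = '';
    }
    if ($sql_query1 !== '' && !$GLOBALS['dbi']->tryQuery($sql_query1)) {
        // this one may fail, too...
        $sql_query1 = '';
    }
    if ($sql_query2 !== '') {
        $GLOBALS['dbi']->query($sql_query2);
    }

    $sql_query = $sql_query0 . ' ' . $sql_query1 . ' ' . $sql_query2;
    $message = PMA_Message::success(
        __('You have updated the privileges for %s.')
    );
    // Escape for HTML output: user/host names are attacker-controllable text
    // that ends up in the rendered message.
    $message->addParam(
        '\'' . htmlspecialchars($username) . '\'@\''
        . htmlspecialchars($hostname) . '\''
    );

    return array($sql_query, $message);
}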
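/**
 * Test for PMA_wildcardEscapeForGrant
 *
 * Covers the three target shapes the helper produces: global (*.*),
 * database-wide (`db`.*) and a single table (`db`.`table`).
 *
 * @return void
 */
public function testPMAWildcardEscapeForGrant()
{
    // array(database name, table name, expected GRANT target)
    $cases = array(
        array('', '', '*.*'),
        array('dbname', '', '`dbname`.*'),
        array('dbname', 'tablename', '`dbname`.`tablename`'),
    );

    foreach ($cases as $case) {
        list($dbname, $tablename, $expected) = $case;
        // assertSame pins the exact string (type and value), where
        // assertEquals would also accept loosely-equal values.
        $this->assertSame(
            $expected,
            PMA_wildcardEscapeForGrant($dbname, $tablename),
            "Unexpected GRANT target for db '$dbname', table '$tablename'"
        );
    }
}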
if (isset($sql_query2)) { PMA_DBI_query($sql_query2); } else { $sql_query2 = ''; } $sql_query = $sql_query0 . ' ' . $sql_query1 . ' ' . $sql_query2; $message = PMA_Message::success(__('You have updated the privileges for %s.')); $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\''); } /** * Revokes Privileges */ if (isset($_REQUEST['revokeall'])) { $db_and_table = PMA_wildcardEscapeForGrant($dbname, isset($tablename) ? $tablename : ''); $sql_query0 = 'REVOKE ALL PRIVILEGES ON ' . $db_and_table . ' FROM \'' . PMA_sqlAddSlashes($username) . '\'@\'' . PMA_sqlAddSlashes($hostname) . '\';'; $sql_query1 = 'REVOKE GRANT OPTION ON ' . $db_and_table . ' FROM \'' . PMA_sqlAddSlashes($username) . '\'@\'' . PMA_sqlAddSlashes($hostname) . '\';'; PMA_DBI_query($sql_query0); if (! PMA_DBI_try_query($sql_query1)) { // this one may fail, too... $sql_query1 = ''; } $sql_query = $sql_query0 . ' ' . $sql_query1; $message = PMA_Message::success(__('You have revoked the privileges for %s')); $message->addParam('\'' . htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) . '\''); if (! isset($tablename)) {
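/**
 * Update the privileges of a user@host on a database/table and build the
 * success message.
 *
 * Three statements are assembled from the submitted form ($_POST) and run
 * in order: REVOKE ALL PRIVILEGES, REVOKE GRANT OPTION (only when the grant
 * option was not requested) and the GRANT itself. The two REVOKEs are run
 * through PMA_DBI_try_query() and are dropped from the returned SQL when
 * they fail; the GRANT is run through PMA_DBI_query().
 *
 * Note: the returned message is a success message even when one of the
 * REVOKEs failed — that failure is only visible as the statement missing
 * from the returned SQL string.
 *
 * @param string $username  username
 * @param string $hostname  host name
 * @param string $tablename table name ('' for all tables of $dbname)
 * @param string $dbname    database name ('' for a global *.* grant)
 *
 * @return array array(string $sql_query, PMA_Message $message): the executed
 *               SQL (failed REVOKEs omitted) and the success message
 */
function PMA_updatePrivileges($username, $hostname, $tablename, $dbname)
{
    $common_functions = PMA_CommonFunctions::getInstance();
    $db_and_table = PMA_wildcardEscapeForGrant($dbname, $tablename);

    // GRANT/REVOKE take a literal user@host that cannot be bound as a
    // parameter, so sqlAddSlashes() is the only protection these values get;
    // escape once and reuse the result in all three statements.
    $user_host = '\'' . $common_functions->sqlAddSlashes($username)
        . '\'@\'' . $common_functions->sqlAddSlashes($hostname) . '\'';

    // $_POST values are strings (or arrays), so a strict comparison is
    // equivalent to the loose one here and avoids type juggling.
    $grant_option_requested = isset($_POST['Grant_priv'])
        && $_POST['Grant_priv'] === 'Y';

    $sql_query0 = 'REVOKE ALL PRIVILEGES ON ' . $db_and_table
        . ' FROM ' . $user_host . ';';

    // The GRANT OPTION is kept only when it was explicitly requested.
    $sql_query1 = $grant_option_requested
        ? ''
        : 'REVOKE GRANT OPTION ON ' . $db_and_table
            . ' FROM ' . $user_host . ';';

    // Extract the privilege list once instead of on every use.
    $privileges = PMA_extractPrivInfo();

    // Should not do a GRANT USAGE for a table-specific privilege, it
    // causes problems later (cannot revoke it)
    $sql_query2 = '';
    if (!(strlen($tablename) > 0 && 'USAGE' === implode('', $privileges))) {
        $sql_query2 = 'GRANT ' . implode(', ', $privileges)
            . ' ON ' . $db_and_table . ' TO ' . $user_host;

        // The WITH clause is appended when the grant option was requested,
        // or when a resource limit was submitted for a global grant. The
        // parentheses make the intended &&/|| grouping explicit.
        $limits_submitted = isset($_POST['max_questions'])
            || isset($_POST['max_connections'])
            || isset($_POST['max_updates'])
            || isset($_POST['max_user_connections']);
        if ($grant_option_requested
            || (!strlen($dbname) && $limits_submitted)
        ) {
            $sql_query2 .= PMA_getWithClauseForAddUserAndUpdatePrivs();
        }
        $sql_query2 .= ';';
    }

    if (!PMA_DBI_try_query($sql_query0)) {
        // This might fail when the executing user does not have ALL PRIVILEGES himself.
        // See https://sourceforge.net/tracker/index.php?func=detail&aid=3285929&group_id=23067&atid=377408
        $sql_query0 = '';
    }
    // $sql_query1 is always assigned (possibly ''), so an isset() check here
    // always passed and an empty statement was sent to the server whenever
    // the grant option was kept; only run it when there is something to run.
    if ($sql_query1 !== '' && !PMA_DBI_try_query($sql_query1)) {
        // this one may fail, too...
        $sql_query1 = '';
    }
    if ($sql_query2 !== '') {
        PMA_DBI_query($sql_query2);
    }

    $sql_query = $sql_query0 . ' ' . $sql_query1 . ' ' . $sql_query2;
    $message = PMA_Message::success(
        __('You have updated the privileges for %s.')
    );
    // Escape for HTML output: user/host names are attacker-controllable text
    // that ends up in the rendered message.
    $message->addParam(
        '\'' . htmlspecialchars($username) . '\'@\''
        . htmlspecialchars($hostname) . '\''
    );

    return array($sql_query, $message);
}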