/**
 * Test for checkParameters
 *
 * Seeds the globals that checkParameters() is asked to verify and asserts
 * that nothing is printed, i.e. no "missing parameter" complaint is emitted
 * when every requested name is present.
 *
 * @return void
 */
function testCheckParameter()
{
    $GLOBALS['PMA_PHP_SELF'] = PMA_getenv('PHP_SELF');
    $GLOBALS['pmaThemePath'] = $_SESSION['PMA_Theme']->getPath();

    // name => value pairs that must all be found by checkParameters()
    $fixtures = array(
        'db'        => "dbDatabase",
        'table'     => "tblTable",
        'field'     => "test_field",
        'sql_query' => "SELECT * FROM tblTable;",
    );
    foreach ($fixtures as $name => $value) {
        $GLOBALS[$name] = $value;
    }

    $this->expectOutputString("");
    PMA_Util::checkParameters(array_keys($fixtures));
}
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 * Display form for changing/adding table fields/columns.
 * Included by tbl_addfield.php and tbl_create.php
 *
 * @package PhpMyAdmin
 */
// Refuse direct access: only run when included by a phpMyAdmin entry script
if (!defined('PHPMYADMIN')) {
    exit;
}

/**
 * Check parameters
 *
 * Presumably stops the request when one of the listed names is missing —
 * see PMA_Util::checkParameters for where it looks them up.
 */
require_once './libraries/Util.class.php';
PMA_Util::checkParameters(array('server', 'db', 'table', 'action', 'num_fields'));

/**
 * Initialize to avoid code execution path warnings
 *
 * The including script may or may not have set these; give each a neutral
 * default so later reads do not raise undefined-variable notices.
 * NOTE(review): $num_fields is both required above and defaulted here —
 * only consistent if checkParameters inspects something other than this
 * variable; confirm in Util.class.php.
 */
if (!isset($num_fields)) {
    $num_fields = 0;
}
if (!isset($mime_map)) {
    $mime_map = null;
}
if (!isset($columnMeta)) {
    $columnMeta = array();
}
if (!isset($content_cells)) {
    $content_cells = array();
}
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 * Common includes for the table level views
 *
 * @package PhpMyAdmin
 */
// Refuse direct access: only run when included by a phpMyAdmin entry script
if (!defined('PHPMYADMIN')) {
    exit;
}

/**
 * Gets some core libraries
 */
require_once './libraries/bookmark.lib.php';

// Check parameters: $db and $table are used unconditionally below to build
// links, so they must be present (checkParameters presumably stops the
// request otherwise — confirm in Util.class.php)
PMA_Util::checkParameters(array('db', 'table'));

$db_is_system_schema = $GLOBALS['dbi']->isSystemSchema($db);

/**
 * Set parameters for links
 * @deprecated presumably superseded by $url_params below
 */
$url_query = PMA_URL_getCommon(array('db' => $db, 'table' => $table));

/**
 * Set parameters for links
 */
$url_params = array();
$url_params['db'] = $db;
$url_params['table'] = $table;

/**
 * Defines the urls to return to in case of error in a sql statement
 */
/**
 * Check ajax request to set the column order and visibility
 */
// Loose comparison: any truthy value of set_col_prefs takes this branch
if (isset($_REQUEST['set_col_prefs']) && $_REQUEST['set_col_prefs'] == true) {
    PMA_setColumnOrderOrVisibility($table, $db);
    // script has exited at this point
}

// Default to browse if no query set and we have table
// (needed for browsing from DefaultTabTable)
if (empty($sql_query) && strlen($table) && strlen($db)) {
    $sql_query = PMA_getDefaultSqlQueryForBrowse($db, $table);
    // set $goto to what will be displayed if query returns 0 rows
    $goto = '';
} else {
    // Now we can check the parameters
    PMA_Util::checkParameters(array('sql_query'));
}

/**
 * Parse and analyze the query
 */
// presumably this is what defines $analyzed_sql_results used below — confirm
require_once 'libraries/parse_analyze.inc.php';

/**
 * Check rights in case of DROP DATABASE
 *
 * This test may be bypassed if $is_js_confirmed = 1 (already checked with js)
 * but since a malicious user may pass this variable by url/form, we don't take
 * into account this case.
 */
// Server-side enforcement: the client-side confirmation is deliberately not
// trusted; the decision is made from the analyzed query, the
// AllowUserDropDatabase setting and the superuser flag only
if (PMA_hasNoRightsToDropDatabase($analyzed_sql_results, $cfg['AllowUserDropDatabase'], $is_superuser)) {
    PMA_Util::mysqlDie(__('"DROP DATABASE" statements are disabled.'), '', '', $err_url);
}
/**
 * Get the HTML for the header of the page in print view if print view is selected.
 * Otherwise returns null.
 *
 * Print view is selected when the request carries printview=1; in that case
 * the response header is switched to print mode as a side effect.
 *
 * @param string $db        current database
 * @param string $sql_query current sql query
 * @param int    $num_rows  the number of rows in result
 *
 * @return string|null html for the header, null when not in print view
 */
function PMA_getHtmlForPrintViewHeader($db, $sql_query, $num_rows)
{
    $header = PMA_Response::getInstance()->getHeader();

    if (! isset($_REQUEST['printview']) || $_REQUEST['printview'] != '1') {
        return null;
    }

    PMA_Util::checkParameters(array('db', 'sql_query'));
    $header->enablePrintView();

    // a configured "verbose" display name wins over host(+port)
    $server = $GLOBALS['cfg']['Server'];
    if ($server['verbose']) {
        $hostname = $server['verbose'];
    } else {
        $hostname = $server['host'];
        if (! empty($server['port'])) {
            $hostname .= $server['port'];
        }
    }

    $versions = "phpMyAdmin " . PMA_VERSION . " / " . "MySQL " . PMA_MYSQL_STR_VERSION;

    // $db and $sql_query are request-controlled and are HTML-escaped;
    // $hostname and $versions come from configuration and constants only
    $lines = array(
        "<h1>" . __('SQL result') . "</h1>",
        "<p>",
        "<strong>" . __('Host:') . "</strong> {$hostname}<br />",
        "<strong>" . __('Database:') . "</strong> " . htmlspecialchars($db) . "<br />",
        "<strong>" . __('Generation Time:') . "</strong> " . PMA_Util::localisedDate() . "<br />",
        "<strong>" . __('Generated by:') . "</strong> {$versions}<br />",
        "<strong>" . __('SQL query:') . "</strong> " . htmlspecialchars($sql_query) . ";",
    );
    if (isset($num_rows)) {
        $lines[] = "<br />";
        $lines[] = "<strong>" . __('Rows:') . "</strong> {$num_rows}";
    }
    $lines[] = "</p>";

    return implode('', $lines);
}
*/ if (!in_array($format, array('csv', 'ldi', 'mediawiki', 'ods', 'shp', 'sql', 'xml'))) { // this should not happen for a normal user // but only during an attack PMA_fatalError('Incorrect format parameter'); } $post_patterns = array('/^force_file_/', '/^' . $format . '_/'); foreach (array_keys($_POST) as $post_key) { foreach ($post_patterns as $one_post_pattern) { if (preg_match($one_post_pattern, $post_key)) { $GLOBALS[$post_key] = $_POST[$post_key]; } } } // Check needed parameters PMA_Util::checkParameters(array('import_type', 'format')); // We don't want anything special in format $format = PMA_securePath($format); // Import functions require_once 'libraries/import.lib.php'; // Create error and goto url if ($import_type == 'table') { $err_url = 'tbl_import.php?' . PMA_URL_getCommon($db, $table); $_SESSION['Import_message']['go_back_url'] = $err_url; $goto = 'tbl_import.php'; } elseif ($import_type == 'database') { $err_url = 'db_import.php?' . PMA_URL_getCommon($db); $_SESSION['Import_message']['go_back_url'] = $err_url; $goto = 'db_import.php'; } elseif ($import_type == 'server') { $err_url = 'server_import.php?' . PMA_URL_getCommon();
/** * Sets globals from $_POST * * - Please keep the parameters in order of their appearance in the form * - Some of these parameters are not used, as the code below directly * verifies from the superglobal $_POST or $_REQUEST */ $post_params = array('db', 'table', 'single_table', 'export_type', 'export_method', 'quick_or_custom', 'db_select', 'table_select', 'limit_to', 'limit_from', 'allrows', 'output_format', 'filename_template', 'maxsize', 'remember_template', 'charset_of_file', 'compression', 'what', 'knjenc', 'xkana', 'htmlword_structure_or_data', 'htmlword_null', 'htmlword_columns', 'mediawiki_headers', 'mediawiki_structure_or_data', 'mediawiki_caption', 'pdf_structure_or_data', 'odt_structure_or_data', 'odt_relation', 'odt_comments', 'odt_mime', 'odt_columns', 'odt_null', 'codegen_structure_or_data', 'codegen_format', 'excel_null', 'excel_removeCRLF', 'excel_columns', 'excel_edition', 'excel_structure_or_data', 'yaml_structure_or_data', 'ods_null', 'ods_structure_or_data', 'ods_columns', 'json_structure_or_data', 'xml_structure_or_data', 'xml_export_events', 'xml_export_functions', 'xml_export_procedures', 'xml_export_tables', 'xml_export_triggers', 'xml_export_views', 'xml_export_contents', 'texytext_structure_or_data', 'texytext_columns', 'texytext_null', 'phparray_structure_or_data', 'sql_include_comments', 'sql_header_comment', 'sql_dates', 'sql_relation', 'sql_mime', 'sql_use_transaction', 'sql_disable_fk', 'sql_compatibility', 'sql_structure_or_data', 'sql_create_database', 'sql_drop_table', 'sql_procedure_function', 'sql_create_table_statements', 'sql_create_table', 'sql_create_view', 'sql_create_trigger', 'sql_if_not_exists', 'sql_auto_increment', 'sql_backquotes', 'sql_truncate', 'sql_delayed', 'sql_ignore', 'sql_type', 'sql_insert_syntax', 'sql_max_query_size', 'sql_hex_for_binary', 'sql_utc_time', 'sql_drop_database', 'sql_views_as_tables', 'csv_separator', 'csv_enclosed', 'csv_escaped', 'csv_terminated', 'csv_null', 'csv_removeCRLF', 
'csv_columns', 'csv_structure_or_data', 'latex_caption', 'latex_structure_or_data', 'latex_structure_caption', 'latex_structure_continued_caption', 'latex_structure_label', 'latex_relation', 'latex_comments', 'latex_mime', 'latex_columns', 'latex_data_caption', 'latex_data_continued_caption', 'latex_data_label', 'latex_null'); foreach ($post_params as $one_post_param) { if (isset($_POST[$one_post_param])) { $GLOBALS[$one_post_param] = $_POST[$one_post_param]; } } // sanitize this parameter which will be used below in a file inclusion $what = PMA_securePath($what); PMA_Util::checkParameters(array('what', 'export_type')); // export class instance, not array of properties, as before $export_plugin = PMA_getPlugin("export", $what, 'libraries/plugins/export/', array('export_type' => $export_type, 'single_table' => isset($single_table))); // Backward compatibility $type = $what; // Check export type if (!isset($export_plugin)) { PMA_fatalError(__('Bad type!')); } /** * valid compression methods */ $compression_methods = array('zip', 'gzip'); /** * init and variable checking */
*/ if (!defined('PHPMYADMIN')) { exit; } /** * limits for table list */ if (!isset($_SESSION['tmp_user_values']['table_limit_offset']) || $_SESSION['tmp_user_values']['table_limit_offset_db'] != $db) { $_SESSION['tmp_user_values']['table_limit_offset'] = 0; $_SESSION['tmp_user_values']['table_limit_offset_db'] = $db; } if (isset($_REQUEST['pos'])) { $_SESSION['tmp_user_values']['table_limit_offset'] = (int) $_REQUEST['pos']; } $pos = $_SESSION['tmp_user_values']['table_limit_offset']; PMA_Util::checkParameters(array('db')); /** * @global bool whether to display extended stats */ $is_show_stats = $cfg['ShowStats']; /** * @global bool whether selected db is information_schema */ $db_is_information_schema = false; if (PMA_is_system_schema($db)) { $is_show_stats = false; $db_is_information_schema = true; } /** * @global array information about tables in db */
/**
 * Handles some variables that may have been sent by the calling script
 * Note: this can be called also from the db panel to get the privileges of
 * a db, in which case we want to keep displaying the tabs of
 * the Database panel
 */
if (empty($viewing_mode)) {
    $db = $table = '';
}

/**
 * Set parameters for links
 */
$url_query = PMA_generate_common_url($db);

/**
 * Defines the urls to return to in case of error in a sql statement
 */
$err_url = 'index.php' . $url_query;

/**
 * @global boolean Checks for superuser privileges
 */
$is_superuser = PMA_isSuperuser();

// now, select the mysql db
// (only attempted for a superuser and never on Drizzle)
if ($is_superuser && !PMA_DRIZZLE) {
    PMA_DBI_select_db('mysql', $userlink);
}

/**
 * @global array binary log files
 */
// Drizzle has no binary log listing here; elsewhere the result is fetched
// with PMA_DBI_QUERY_STORE, presumably indexed by Log_name — confirm
$binary_logs = PMA_DRIZZLE ? null : PMA_DBI_fetch_result('SHOW MASTER LOGS', 'Log_name', null, null, PMA_DBI_QUERY_STORE);

// Second argument false: these two names are computed above rather than
// received in the request — presumably this tells checkParameters where to
// look for them; confirm against PMA_Util::checkParameters
PMA_Util::checkParameters(array('is_superuser', 'url_query'), false);
if (isset($_REQUEST['orig_field'])) { $_REQUEST['field'] = $_REQUEST['orig_field']; } $regenerate = true; } } /** * No modifications yet required -> displays the table fields * * $selected comes from multi_submits.inc.php */ if ($abort == false) { if (! isset($selected)) { PMA_Util::checkParameters(array('field')); $selected[] = $_REQUEST['field']; $selected_cnt = 1; } else { // from a multiple submit $selected_cnt = count($selected); } /** * @todo optimize in case of multiple fields to modify */ for ($i = 0; $i < $selected_cnt; $i++) { $fields_meta[] = PMA_DBI_get_columns($db, $table, $selected[$i], true); } $num_fields = count($fields_meta); $action = 'tbl_alter.php';
if (!empty($sql_data) && $sql_data['valid_queries'] > 1) { $_SESSION['is_multi_query'] = true; echo getTableHtmlForMultipleQueries($displayResultsObject, $db, $sql_data, $goto, $pmaThemeImage, $text_dir, $printview, $url_query, $disp_mode, $sql_limit_to_append, false); } else { $_SESSION['is_multi_query'] = false; $displayResultsObject->setProperties($unlim_num_rows, $fields_meta, $is_count, $is_export, $is_func, $is_analyse, $num_rows, $fields_cnt, $querytime, $pmaThemeImage, $text_dir, $is_maint, $is_explain, $is_show, $showtable, $printview, $url_query, false); echo $displayResultsObject->getTable($result, $disp_mode, $analyzed_sql); exit; } } // Displays the headers if (isset($show_query)) { unset($show_query); } if (isset($printview) && $printview == '1') { PMA_Util::checkParameters(array('db', 'full_sql_query')); $response = PMA_Response::getInstance(); $header = $response->getHeader(); $header->enablePrintView(); $hostname = ''; if ($cfg['Server']['verbose']) { $hostname = $cfg['Server']['verbose']; } else { $hostname = $cfg['Server']['host']; if (!empty($cfg['Server']['port'])) { $hostname .= $cfg['Server']['port']; } } $versions = "phpMyAdmin " . PMA_VERSION; $versions .= " / "; $versions .= "MySQL " . PMA_MYSQL_STR_VERSION;
/**
 * Common functions.
 */
require_once 'libraries/common.inc.php';
require_once 'libraries/mime.lib.php';

/**
 * Sets globals from $_GET
 *
 * Only the two names listed are copied, so no other request key can
 * overwrite a global through this loop.
 */
$get_params = array('where_clause', 'transform_key');
foreach ($get_params as $one_get_param) {
    if (isset($_GET[$one_get_param])) {
        $GLOBALS[$one_get_param] = $_GET[$one_get_param];
    }
}

/* Check parameters */
PMA_Util::checkParameters(array('db', 'table', 'where_clause', 'transform_key'));

/* Select database */
if (!PMA_DBI_select_db($db)) {
    PMA_Util::mysqlDie(sprintf(__('\'%s\' database does not exist.'), htmlspecialchars($db)), '', '');
}

/* Check if table exists */
if (!PMA_DBI_get_columns($db, $table)) {
    PMA_Util::mysqlDie(__('Invalid table name'));
}

/* Grab data */
// $transform_key and $table are quoted as identifiers, but $where_clause
// (copied verbatim from $_GET above) is spliced into the statement as raw
// SQL with no escaping here; whatever the requester sends in where_clause
// is executed as part of this SELECT
$sql = 'SELECT ' . PMA_Util::backquote($transform_key) . ' FROM ' . PMA_Util::backquote($table) . ' WHERE ' . $where_clause . ';';
$result = PMA_DBI_fetch_value($sql);

/* Check return code */
// false signals an empty result set, per the message below
if ($result === false) {
    PMA_Util::mysqlDie(__('MySQL returned an empty result set (i.e. zero rows).'), $sql);
}
/* vim: set expandtab sw=4 ts=4 sts=4: */
/**
 * Display form for changing/adding table fields/columns.
 * Included by tbl_addfield.php and tbl_create.php
 *
 * @package PhpMyAdmin
 */
// Refuse direct access: only run when included by a phpMyAdmin entry script
if (!defined('PHPMYADMIN')) {
    exit;
}

/**
 * Check parameters
 *
 * Presumably stops the request when one of the listed names is missing —
 * see PMA_Util::checkParameters for where it looks them up.
 */
require_once './libraries/Util.class.php';
PMA_Util::checkParameters(['db', 'table', 'action', 'num_fields']);

// Get available character sets and storage engines
require_once './libraries/mysql_charsets.lib.php';
require_once './libraries/StorageEngine.class.php';

/**
 * Class for partition management
 */
require_once './libraries/Partition.class.php';

/**
 * We are in transition between old-style echo and new-style PMA_Response
 * so this script generates $html and at the bottom, either echos it
 * or uses addHTML on it.
 *
 * Initialize $html in case this variable was used by a caller
 * (yes, this script should be refactored into functions)
 */
include 'libraries/db_common.inc.php'; include 'libraries/db_info.inc.php'; } $response = PMA_Response::getInstance(); $header = $response->getHeader(); $header->enablePrintView(); /** * Gets the relations settings */ $cfgRelation = PMA_getRelationsParam(); require_once 'libraries/transformations.lib.php'; require_once 'libraries/Index.class.php'; /** * Check parameters */ PMA_Util::checkParameters(['db']); /** * Defines the url to return to in case of error in a sql statement */ if (strlen($table)) { $err_url = 'tbl_sql.php?' . PMA_generate_common_url($db, $table); } else { $err_url = 'db_sql.php?' . PMA_generate_common_url($db); } if ($cfgRelation['commwork']) { $comment = PMA_getDbComment($db); /** * Displays DB comment */ if ($comment) { echo '<p>' . __('Database comment: ') . '<i>' . htmlspecialchars($comment) . '</i></p>';