/**
 * Test for PMA_getSqlQueryForDisplayPrivTable
 *
 * Covers the three query shapes the function can produce: the global
 * (`mysql`.`user`) query when $db is '*', the database-level
 * (`mysql`.`db`) query when $table is '*', and the table-level
 * (`mysql`.`tables_priv`) query for a concrete db/table pair.
 *
 * NOTE(review): in the expected strings $username, $hostname and $table go
 * through PMA_Util::sqlAddSlashes(), but $db only goes through
 * PMA_Util::unescapeMysqlWildcards() before being spliced into a quoted
 * string literal. A database name containing a single quote would therefore
 * not be escaped by the function under test. Confirm that callers constrain
 * $db, or escape it in the function and update these expectations.
 *
 * @return void
 */
public function testPMAGetSqlQueryForDisplayPrivTable()
{
    $username = "******";
    $hostname = "pma_hostname";

    // The User/Host restriction is identical in all three branches.
    $user_host_clause = " WHERE `User` = '" . PMA_Util::sqlAddSlashes($username) . "'"
        . " AND `Host` = '" . PMA_Util::sqlAddSlashes($hostname) . "'";

    // $db == '*': global privileges are read from `mysql`.`user`
    $actual = PMA_getSqlQueryForDisplayPrivTable('*', "pma_table", $username, $hostname);
    $expected = "SELECT * FROM `mysql`.`user`" . $user_host_clause . ";";
    $this->assertEquals($expected, $actual);

    // $table == '*': database privileges are read from `mysql`.`db`
    $db = "pma_db";
    $actual = PMA_getSqlQueryForDisplayPrivTable($db, "*", $username, $hostname);
    $expected = "SELECT * FROM `mysql`.`db`" . $user_host_clause
        . " AND '" . PMA_Util::unescapeMysqlWildcards($db) . "' LIKE `Db`;";
    $this->assertEquals($expected, $actual);

    // concrete table: table privileges are read from `mysql`.`tables_priv`
    $table = "pma_table";
    $actual = PMA_getSqlQueryForDisplayPrivTable($db, $table, $username, $hostname);
    $expected = "SELECT `Table_priv` FROM `mysql`.`tables_priv`" . $user_host_clause
        . " AND `Db` = '" . PMA_Util::unescapeMysqlWildcards($db) . "'"
        . " AND `Table_name` = '" . PMA_Util::sqlAddSlashes($table) . "';";
    $this->assertEquals($expected, $actual);
}
/**
 * Get HTML snippet for display user properties
 *
 * Builds the "edit user" dialog: the header, an error notice (plus login
 * fields) when the user/host pair is not found in `mysql`.`user`, the
 * privileges-table form, optionally the per-table rights form and the
 * db/table links, and -- for a global view of an existing user -- the
 * change-password and change-login forms.
 *
 * @param boolean      $dbname_is_wildcard whether database name is wildcard or not
 * @param string       $url_dbname         url database name that urlencode() string
 * @param string       $username           username
 * @param string       $hostname           host name
 * @param string|array $dbname             database name (an array means several)
 * @param string       $tablename          table name
 *
 * @return string $html_output
 */
function PMA_getHtmlForUserProperties($dbname_is_wildcard, $url_dbname, $username, $hostname, $dbname, $tablename)
{
    $single_db = !is_array($dbname);
    $no_wildcard = empty($dbname_is_wildcard);

    $out = '<div id="edit_user_dialog">'
        . PMA_getHtmlHeaderForUserProperties($dbname_is_wildcard, $url_dbname, $dbname, $username, $hostname, $tablename);

    // User and host are spliced into string literals, so they are escaped
    // for that context (sqlAddSlashes) before the lookup runs.
    $lookup = "SELECT '1' FROM `mysql`.`user`"
        . " WHERE `User` = '" . PMA_Util::sqlAddSlashes($username) . "'"
        . " AND `Host` = '" . PMA_Util::sqlAddSlashes($hostname) . "';";
    $user_missing = !$GLOBALS['dbi']->fetchValue($lookup);

    if ($user_missing) {
        // The rest of the dialog is still rendered; the login fields let the
        // user/host pair be (re)entered.
        $out .= PMA_Message::error(__('The selected user was not found in the privilege table.'))->getDisplay()
            . PMA_getHtmlForLoginInformationFields();
    }

    // Hidden form fields: dbname is always carried along; tablename only when
    // a single, non-empty database and a table were given.
    $hidden_params = array(
        'username' => $username,
        'hostname' => $hostname,
        'dbname'   => $dbname,
    );
    if ($single_db && mb_strlen($dbname) && mb_strlen($tablename)) {
        $hidden_params['tablename'] = $tablename;
    }

    $out .= '<form class="submenu-item" name="usersForm" '
        . 'id="addUsersForm" action="server_privileges.php" method="post">' . "\n"
        . PMA_URL_getHiddenInputs($hidden_params)
        . PMA_getHtmlToDisplayPrivilegesTable(
            PMA_ifSetOr($dbname, $single_db ? '*' : $dbname[0], 'length'),
            PMA_ifSetOr($tablename, '*', 'length')
        )
        . '</form>' . "\n";

    if ($single_db && !mb_strlen($tablename) && $no_wildcard) {
        // No table was named and $dbname holds no wildcard: list the
        // table-specific rights (of that database, or of all of them).
        $out .= '<form class="submenu-item" action="server_privileges.php" '
            . 'id="db_or_table_specific_priv" method="post">' . "\n";

        // Wildcard escaping is dropped at table level.
        list($rights_table, $found_rows) = PMA_getHtmlForAllTableSpecificRights(
            $username, $hostname, PMA_Util::unescapeMysqlWildcards($dbname)
        );
        $out .= $rights_table;

        // With no database named, offer a database selector instead of tables.
        $out .= mb_strlen($dbname)
            ? PMA_displayTablesInEditPrivs($dbname, $found_rows)
            : PMA_getHtmlForSelectDbInEditPrivs($found_rows);

        // NOTE(review): the closing </fieldset> presumably matches one opened
        // inside $rights_table -- verify against PMA_getHtmlForAllTableSpecificRights.
        $out .= '</fieldset>' . "\n"
            . '<fieldset class="tblFooters">' . "\n"
            . ' <input type="submit" value="' . __('Go') . '" />'
            . '</fieldset>' . "\n"
            . '</form>' . "\n";
    }

    // Line with links to the database / table being edited
    if ($single_db && mb_strlen($dbname) && $no_wildcard) {
        $out .= PMA_getLinkToDbAndTable($url_dbname, $dbname, $tablename);
    }

    // Global view (no database) of an existing user: login/password changes
    if ($single_db && !mb_strlen($dbname) && !$user_missing) {
        $out .= PMA_getHtmlForChangePassword($username, $hostname)
            . PMA_getChangeLoginInformationHtmlForm($username, $hostname);
    }

    return $out . '</div>';
}
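/**
 * Get HTML for the "add privileges on the following table" controls shown
 * when editing a user's privileges on one database.
 *
 * Emits a hidden `dbname` input, a label, and -- when the database has
 * tables not already listed in $found_rows -- a `pred_tablename` drop-down
 * of those tables, followed by a free-text `tablename` input.
 *
 * @param string $dbname     database name, still in its wildcard-escaped
 *                           form (unescaped here before SHOW TABLES)
 * @param array  $found_rows table names that already carry table-specific
 *                           privileges; they are left out of the drop-down
 *
 * @return string HTML snippet
 */
function PMA_displayTablesInEditPrivs($dbname, $found_rows)
{
    // $dbname is reflected into the page, so it is HTML-escaped here; the
    // query below uses backquote() instead, the escaping for that context.
    $html_output = '<input type="hidden" name="dbname" '
        . 'value="' . htmlspecialchars($dbname) . '"/>' . "\n";
    $html_output .= '<label for="text_tablename">'
        . __('Add privileges on the following table') . ':</label>' . "\n";

    // Errors are suppressed and the result checked instead: a missing or
    // inaccessible database simply yields no drop-down.
    $result = @PMA_DBI_try_query(
        'SHOW TABLES FROM '
        . PMA_Util::backquote(PMA_Util::unescapeMysqlWildcards($dbname)) . ';',
        null,
        PMA_DBI_QUERY_STORE
    );

    if ($result) {
        $pred_tbl_array = array();
        while ($row = PMA_DBI_fetch_row($result)) {
            // Strict comparison: table names such as "1" and "01" are distinct
            // identifiers but compare equal under in_array()'s loose ==, which
            // would wrongly hide the second one from the drop-down.
            if (!isset($found_rows) || !in_array($row[0], $found_rows, true)) {
                $pred_tbl_array[] = $row[0];
            }
        }
        PMA_DBI_free_result($result);

        if (!empty($pred_tbl_array)) {
            $html_output .= '<select name="pred_tablename" '
                . 'class="autosubmit">' . "\n"
                . '<option value="" selected="selected">'
                . __('Use text field') . ':</option>' . "\n";
            foreach ($pred_tbl_array as $current_table) {
                // Table names are reflected both as attribute value and as
                // text content; both are HTML-escaped.
                $html_output .= '<option '
                    . 'value="' . htmlspecialchars($current_table) . '">'
                    . htmlspecialchars($current_table) . '</option>' . "\n";
            }
            $html_output .= '</select>' . "\n";
        }
    }

    $html_output .= '<input type="text" id="text_tablename" name="tablename" />' . "\n";

    return $html_output;
}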
/**
 * checks the only_db configuration
 *
 * Normalises $cfg['Server']['only_db'] (a non-empty string becomes a
 * one-element array) and fills this list from it: entries without an
 * unescaped `_` or `%` are taken literally (wildcard escaping removed);
 * entries with a wildcard are expanded through retrieve() when databases
 * can be retrieved, and are dropped otherwise.
 *
 * @return boolean false if there is no only_db, otherwise true
 */
protected function checkOnlyDatabase()
{
    $only_db = $GLOBALS['cfg']['Server']['only_db'];

    // A single database given as a string is promoted to a list, and the
    // normalised value is written back to the configuration.
    if (is_string($only_db) && strlen($only_db)) {
        $only_db = array($only_db);
        $GLOBALS['cfg']['Server']['only_db'] = $only_db;
    }
    if (!is_array($only_db)) {
        return false;
    }

    $databases = array();
    foreach ($only_db as $pattern) {
        // A `_` or `%` not preceded by a backslash makes this a LIKE pattern.
        // NOTE(review): a wildcard right after an escaped backslash (`\\_`)
        // is also treated as literal by this regex -- confirm that is intended.
        $has_wildcard = (bool) preg_match('/(^|[^\\\\])(_|%)/', $pattern);

        if (!$has_wildcard) {
            $databases[] = PMA_Util::unescapeMysqlWildcards($pattern);
        } elseif ($this->can_retrieve_databases) {
            $databases = array_merge($databases, $this->retrieve($pattern));
        }
        // otherwise the pattern cannot be expanded and is dropped
    }

    $this->exchangeArray($databases);
    return true;
}
/**
 * PMA_Util::unescapeMysqlWildcards tests
 *
 * Each data-provider row pairs a wildcard-escaped input with the
 * expected unescaped result.
 *
 * @param string $a String to unescape
 * @param string $b Expected value
 *
 * @return void
 *
 * @dataProvider escapeDataProvider
 */
public function testUnEscape($a, $b)
{
    $unescaped = PMA_Util::unescapeMysqlWildcards($a);
    $this->assertEquals($b, $unescaped);
}
} elseif (PMA_isValid($_REQUEST['tablename'])) { $tablename = $_REQUEST['tablename']; } else { unset($tablename); } if (PMA_isValid($_REQUEST['pred_dbname'])) { $dbname = $_REQUEST['pred_dbname']; unset($pred_dbname); } elseif (PMA_isValid($_REQUEST['dbname'])) { $dbname = $_REQUEST['dbname']; } else { unset($dbname); unset($tablename); } if (isset($dbname)) { $unescaped_db = PMA_Util::unescapeMysqlWildcards($dbname); $db_and_table = PMA_Util::backquote($unescaped_db) . '.'; if (isset($tablename)) { $db_and_table .= PMA_Util::backquote($tablename); } else { $db_and_table .= '*'; } } else { $db_and_table = '*.*'; } // check if given $dbname is a wildcard or not if (isset($dbname)) { //if (preg_match('/\\\\(?:_|%)/i', $dbname)) { if (preg_match('/(?<!\\\\)(?:_|%)/i', $dbname)) { $dbname_is_wildcard = true; } else {
/**
 * checks the only_db configuration
 *
 * Normalises $cfg['Server']['only_db'] (a non-empty string becomes a
 * one-element array) and fills this list from it: entries without an
 * unescaped `_` or `%` are taken literally (wildcard escaping removed);
 * entries with a wildcard are expanded through retrieve() unless SHOW
 * DATABASES is disabled, in which case they are dropped.
 *
 * @return boolean false if there is no only_db, otherwise true
 */
protected function checkOnlyDatabase()
{
    $only_db = $GLOBALS['cfg']['Server']['only_db'];

    // A single database given as a string is promoted to a list, and the
    // normalised value is written back to the configuration.
    if (is_string($only_db) && strlen($only_db)) {
        $only_db = array($only_db);
        $GLOBALS['cfg']['Server']['only_db'] = $only_db;
    }
    if (!is_array($only_db)) {
        return false;
    }

    $databases = array();
    foreach ($only_db as $pattern) {
        // A `_` or `%` not preceded by a backslash makes this a LIKE pattern.
        // NOTE(review): a wildcard right after an escaped backslash (`\\_`)
        // is also treated as literal by this regex -- confirm that is intended.
        $has_wildcard = (bool) preg_match('/(^|[^\\\\])(_|%)/', $pattern);

        if (!$has_wildcard) {
            $databases[] = PMA_Util::unescapeMysqlWildcards($pattern);
        } elseif (!$this->show_databases_disabled) {
            $databases = array_merge($databases, $this->retrieve($pattern));
        }
        // @todo induce error, about not using wildcards
        // with SHOW DATABASE disabled? (the pattern is silently dropped)
    }

    $this->exchangeArray($databases);
    return true;
}