Hey,
I'm having some problems with the "Create Database" form being shown on the front page, even if the user does not have permission to create a new database.
I traced the problem down to line 246 in main.php (r: 2.8.2.1):
else if (ereg($re0 . '%|_', $show_grants_dbname) || !PMA_mysql_select_db($show_grants_dbname, $userlink) && @mysql_errno() != 1044) {
Where it is the ereg($re0 . '%|_', $show_grants_dbname) part that returns true (1).
Now, I don't really know what this ereg() does, except for this part: $re0 = '(^|(\\\\)+|[^])'; Which I am sorry to say I don't understand.
So, I'm willing to fix the problem on my own (and submit a patch), if I could just get past this point. The problem is that my GRANT line looks like this:
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, CREATE TEMPORARY TABLES, LOCK TABLES ON `domain_net_db`.* TO 'domain_net'@'%'
Which makes $show_grants_dbname contain `domain_net_db` and makes the ereg() return 1.
So in other words, what does the ereg do?
Thanks for any help

Hi Tom! :)

> Where it is the ereg($re0 . '%|_', $show_grants_dbname) part that returns true (1).
> Now, I don't really know what this ereg() does, except for this part: $re0 = '(^|(\\\\)+|[^])'; Which I am sorry to say I don't understand.

AFAIR the regex is there to check if you have any grant for the user available which contains wildcards for a DB name. PMA automagically displays the create form if it detects that you have wildcard grants, because it's then possible for the user to create one or multiple DBs.
As you are using an underscore in your grant, that one acts as a wildcard character; thus your user is effectively able to create databases matching that wildcard scheme.
See our FAQ 6.10 or this recent support request https://sourceforge.net/tracker/?func=detail&atid=377408&aid=965109&... for more information on that issue.
Regards, Garvin.

Garvin Hicking wrote:
> Hi Tom! :)

Hey Garv, somehow I knew you would answer :)

>> Where it is the ereg($re0 . '%|_', $show_grants_dbname) part that returns true (1).
>> Now, I don't really know what this ereg() does, except for this part: $re0 = '(^|(\\\\)+|[^])'; Which I am sorry to say I don't understand.
> As you are using an underscore in your grant, that one acts as a wildcard character; thus your user is effectively able to create databases matching that wildcard scheme.
> See our FAQ 6.10 or this recent support request https://sourceforge.net/tracker/?func=detail&atid=377408&aid=965109&... for more information on that issue.

I see, okay, I can understand its function and its purpose now. I will just hack around it on my servers.
Thanks

Hey, Tom!

> Hey Garv, somehow I knew you would answer :)

Always a pleasure ;)

> I see, okay, I can understand its function and its purpose now. I will just hack around it on my servers.

Okay; however, the best way would probably be to just use escaped _ characters in your GRANT statements, or in the privileges tables, respectively...
Regards, Garvin.

Garvin Hicking wrote:
>> I see, okay, I can understand its function and its purpose now. I will just hack around it on my servers.
> Okay; however, the best way would probably be to just use escaped _ characters in your GRANT statements, or in the privileges tables, respectively...

Yeah, but I have about 2500 databases (with permissions) on several servers which were not created that way (I didn't write the scripts :) )
I will adjust the scripts to escape the underscore in the future, and maybe some day write a script which fixes the old GRANTs :)

Hi Tom,

Tom Sommer wrote:
> Garvin Hicking wrote:
>>> I see, okay, I can understand its function and its purpose now. I will just hack around it on my servers.
>> Okay; however, the best way would probably be to just use escaped _ characters in your GRANT statements, or in the privileges tables, respectively...
> Yeah, but I have about 2500 databases (with permissions) on several servers which were not created that way (I didn't write the scripts :) )
> I will adjust the scripts to escape the underscore in the future, and maybe some day write a script which fixes the old GRANTs :)

Even if you hacked phpMyAdmin to disable the database creation form, the users would still be able to create databases by submitting a CREATE DATABASE query.
BTW, I think we have a users mailing list for discussions like this ;-)
Regards,

Alexander M. Turek wrote:
>>> Okay; however, the best way would probably be to just use escaped _ characters in your GRANT statements, or in the privileges tables, respectively...
>> Yeah, but I have about 2500 databases (with permissions) on several servers which were not created that way (I didn't write the scripts :) )
>> I will adjust the scripts to escape the underscore in the future, and maybe some day write a script which fixes the old GRANTs :)
> Even if you hacked phpMyAdmin to disable the database creation form, the users would still be able to create databases by submitting a CREATE DATABASE query.

I know, trust me, but right now customers are mostly wondering why they get permission errors when phpMyAdmin says they can create databases :)
Anyway, I removed the hack (cvs -C main.php) and escaped the GRANT query, and while $show_grants_dbname now contains string(20) "`dreamcoder_dk_db`" it still shows the Create Database form. I traced the code down to the ereg() and it still evals to int(1), which sets $is_create_priv to TRUE. It seems to me that $show_grants_dbname should contain escaped underscores: `dreamcoder\_dk\_db` to work properly with ereg()? This should be done by PMA? Could someone (knowing the code) just do a quick check?
Dunno if this is my fault; the GRANT query seems to be fine now and I can't create databases matching the wildcard anymore.
Sorry if this belongs on the users list.
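An added illustration of the check the thread is about (this is not phpMyAdmin's code, and it is written in Python rather than the PHP of main.php). It parses SHOW GRANTS lines of the shape quoted above and decides whether the user can create databases: a grant carrying CREATE or ALL PRIVILEGES whose scope is global (*.*) or whose database name contains an unescaped `_` or `%`, which MySQL treats as LIKE-style wildcards in the Db column of the grant tables. It also shows why an expression of the form `<prefix>%|_` (the shape of `$re0 . '%|_'` on the page) flags escaped names too: alternation binds loosest, so the `_` branch carries no prefix at all and matches every underscore, which is consistent with the escaped `dreamcoder\_dk\_db` still turning the form on. The sample grants (apart from the first, taken from the thread), the regexes and the function names are constructed for this example; database names containing a dot inside backticks are not handled.

```python
import re

# Constructed sample SHOW GRANTS output. The first line is the GRANT quoted in
# the thread; the rest are made up to exercise the escaping cases.
SAMPLE_GRANTS = [
    "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, "
    "CREATE TEMPORARY TABLES, LOCK TABLES ON `domain_net_db`.* TO 'domain_net'@'%'",
    # escaped underscores: a literal name, no wildcard
    "GRANT ALL PRIVILEGES ON `domain\\_net\\_db`.* TO 'domain_net'@'%'",
    # escaped _, but an unescaped % at the end
    "GRANT ALL PRIVILEGES ON `customer\\_%`.* TO 'hosting'@'localhost'",
    # \\ is an escaped backslash, so the _ after it is still a wildcard
    "GRANT ALL PRIVILEGES ON `tmp\\\\_%`.* TO 'hosting'@'localhost'",
    # global scope but no CREATE privilege
    "GRANT USAGE ON *.* TO 'nobody'@'%'",
]

_ON_CLAUSE = re.compile(r"\sON\s+(\S+)\s+TO\s")
_PRIV_LIST = re.compile(r"^GRANT\s+(.+?)\s+ON\s")

# A wildcard counts only if it is preceded by an even number of backslashes
# (zero included): "\_" is literal, "\\_" is a backslash followed by a wildcard.
_UNESCAPED_WILDCARD = re.compile(r"(?<!\\)(?:\\\\)*[%_]")

# Same shape as "<prefix>%|_": the prefix binds to the % branch only, so the
# _ branch matches any underscore, escaped or not. Kept here to show the pitfall.
_NAIVE_WILDCARD = re.compile(r"(?:^|(?:\\\\)+|[^\\])%|_")


def grant_db_name(grant):
    """Database part of the ON clause with backticks stripped ('*' for *.*), or None."""
    m = _ON_CLAUSE.search(grant)
    if not m:
        return None
    db = m.group(1).rsplit(".", 1)[0]  # `db`.* -> `db`, *.* -> *
    if len(db) >= 2 and db.startswith("`") and db.endswith("`"):
        db = db[1:-1]
    return db


def grant_privileges(grant):
    """Privilege names between GRANT and ON, upper-cased, as a list."""
    m = _PRIV_LIST.match(grant)
    return [p.strip().upper() for p in m.group(1).split(",")] if m else []


def grants_create(grant):
    """True if the grant confers CREATE. CREATE TEMPORARY TABLES does not count."""
    privs = grant_privileges(grant)
    return "CREATE" in privs or "ALL PRIVILEGES" in privs or "ALL" in privs


def has_unescaped_wildcard(db_name):
    return _UNESCAPED_WILDCARD.search(db_name) is not None


def naive_has_wildcard(db_name):
    return _NAIVE_WILDCARD.search(db_name) is not None


def can_create_databases(grants, strict=True):
    """True if some grant gives CREATE on a global or wildcard database scope."""
    check = has_unescaped_wildcard if strict else naive_has_wildcard
    for grant in grants:
        if not grants_create(grant):
            continue
        db = grant_db_name(grant)
        if db == "*" or (db is not None and check(db)):
            return True
    return False


if __name__ == "__main__":
    for g in SAMPLE_GRANTS:
        db = grant_db_name(g)
        print(f"{db!r:24} create={grants_create(g)!s:5} "
              f"wildcard(strict)={has_unescaped_wildcard(db)!s:5} "
              f"wildcard(naive)={naive_has_wildcard(db)}")
```

Run stand-alone it prints one verdict per sample grant; the second grant is the interesting row, where the strict check says no wildcard and the naive one says yes. Note that none of this restricts anything: as Alexander says above, hiding the form is cosmetic, and the only real fix is escaping the underscores in the grant tables so the user's privilege really is limited to one database.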