The branch, master has been updated via 12348ee826d45dd2ae7f1c5b055f71e888395f2a (commit) via c9c9fdf49dfde051ce4b94ed8b9f6acc86e25a62 (commit) from 6a422caf527226740155c7e3682f2f3c61a85696 (commit)
- Log ----------------------------------------------------------------- commit 12348ee826d45dd2ae7f1c5b055f71e888395f2a Author: Michal Čihař mcihar@suse.cz Date: Mon Jun 27 14:50:16 2011 +0200
Fix escaping on LIKE queries
All of these need the special variant of PMA_sqlAddSlashes.
commit c9c9fdf49dfde051ce4b94ed8b9f6acc86e25a62 Author: Michal Čihař mcihar@suse.cz Date: Mon Jun 27 14:48:15 2011 +0200
Consistent capitalisation of PMA_sqlAddSlashes
-----------------------------------------------------------------------
Summary of changes: db_operations.php | 4 +- db_printview.php | 2 +- db_routines.php | 6 +- db_search.php | 6 +- db_tracking.php | 4 +- import.php | 2 +- libraries/List_Database.class.php | 4 +- libraries/RecentTable.class.php | 2 +- libraries/Table.class.php | 136 ++++++++++---------- libraries/Tracker.class.php | 76 ++++++------ libraries/blobstreaming.lib.php | 8 +- libraries/bookmark.lib.php | 14 +- libraries/common.lib.php | 12 +- libraries/database_interface.lib.php | 16 ++-- libraries/db_events.inc.php | 2 +- libraries/db_info.inc.php | 2 +- libraries/db_routines.lib.php | 6 +- libraries/db_table_exists.lib.php | 2 +- libraries/display_tbl.lib.php | 2 +- libraries/export/sql.php | 8 +- libraries/import.lib.php | 2 +- libraries/import/docsql.php | 20 ++-- libraries/import/ldi.php | 6 +- libraries/relation.lib.php | 64 +++++----- libraries/relation_cleanup.lib.php | 64 +++++----- libraries/schema/Dia_Relation_Schema.class.php | 4 +- libraries/schema/Eps_Relation_Schema.class.php | 4 +- libraries/schema/Export_Relation_Schema.class.php | 4 +- libraries/schema/Pdf_Relation_Schema.class.php | 6 +- libraries/schema/Svg_Relation_Schema.class.php | 4 +- libraries/schema/User_Schema.class.php | 42 +++--- libraries/schema/Visio_Relation_Schema.class.php | 4 +- libraries/server_synchronize.lib.php | 6 +- libraries/tbl_replace_fields.inc.php | 6 +- libraries/transformations.lib.php | 34 +++--- libraries/user_preferences.lib.php | 12 +- pmd_display_field.php | 16 ++-- pmd_pdf.php | 10 +- pmd_relation_new.php | 12 +- pmd_relation_upd.php | 12 +- pmd_save_pos.php | 16 ++-- server_privileges.php | 102 ++++++++-------- server_replication.php | 8 +- sql.php | 2 +- tbl_alter.php | 2 +- tbl_create.php | 6 +- tbl_operations.php | 6 +- tbl_relation.php | 46 ++++---- tbl_replace.php | 4 +- tbl_select.php | 8 +- tbl_tracking.php | 6 +- test/PMA_quoting_slashing_test.php | 16 ++-- user_password.php | 2 +- 53 files changed, 435 insertions(+), 435 deletions(-)
diff --git a/db_operations.php b/db_operations.php index dd6255c..190f9b6 100644 --- a/db_operations.php +++ b/db_operations.php @@ -232,7 +232,7 @@ if (strlen($db) && (! empty($db_rename) || ! empty($db_copy))) { // to avoid selecting alternatively the current and new db // we would need to modify the CREATE definitions to qualify // the db name - $event_names = PMA_DBI_fetch_result('SELECT EVENT_NAME FROM information_schema.EVENTS WHERE EVENT_SCHEMA= '' . PMA_sqlAddslashes($db,true) . '';'); + $event_names = PMA_DBI_fetch_result('SELECT EVENT_NAME FROM information_schema.EVENTS WHERE EVENT_SCHEMA= '' . PMA_sqlAddSlashes($db,true) . '';'); if ($event_names) { foreach($event_names as $event_name) { PMA_DBI_select_db($db); @@ -586,7 +586,7 @@ if ($cfgRelation['pdfwork'] && $num_tables > 0) { ?> $test_query = ' SELECT * FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['pdf_pages']) . ' - WHERE db_name = '' . PMA_sqlAddslashes($db) . '''; + WHERE db_name = '' . PMA_sqlAddSlashes($db) . '''; $test_rs = PMA_query_as_controluser($test_query, null, PMA_DBI_QUERY_STORE);
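Review bot: The EVENT_SCHEMA filter in the first hunk compares with `=` but still passes the second argument `true` to PMA_sqlAddSlashes, which the db_search.php comment in this same commit identifies as the LIKE variant. Outside a pattern-matching context MySQL keeps `\_` and `\%` as literal backslash sequences, so a database whose name contains an underscore or percent sign would not match its own events during rename or copy. Since the escaping-fix commit only adds the flag where LIKE is actually used, this call should drop it: `PMA_sqlAddSlashes($db)`. The enclosing if-block starts before the hunk.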
/* diff --git a/db_printview.php b/db_printview.php index 3b02b86..e253411 100644 --- a/db_printview.php +++ b/db_printview.php @@ -53,7 +53,7 @@ if ($cfg['SkipLockedTables'] == true) { if ($result != false && PMA_DBI_num_rows($result) > 0) { while ($tmp = PMA_DBI_fetch_row($result)) { if (! isset($sot_cache[$tmp[0]])) { - $sts_result = PMA_DBI_query('SHOW TABLE STATUS FROM ' . PMA_backquote($db) . ' LIKE '' . PMA_sqlAddSlashes($tmp[0]) . '';'); + $sts_result = PMA_DBI_query('SHOW TABLE STATUS FROM ' . PMA_backquote($db) . ' LIKE '' . PMA_sqlAddSlashes($tmp[0], true) . '';'); $sts_tmp = PMA_DBI_fetch_assoc($sts_result); $tables[] = $sts_tmp; } else { // table in use diff --git a/db_routines.php b/db_routines.php index 4b0b23f..b9417fd 100644 --- a/db_routines.php +++ b/db_routines.php @@ -253,8 +253,8 @@ if (! empty($_REQUEST['execute_routine']) && ! empty($_REQUEST['routine_name'])) $routine_name = htmlspecialchars(PMA_backquote($_GET['routine_name'])); $routine_type = PMA_DBI_fetch_value("SELECT ROUTINE_TYPE " . "FROM INFORMATION_SCHEMA.ROUTINES " - . "WHERE ROUTINE_SCHEMA='" . PMA_sqlAddslashes($db) . "' " - . "AND SPECIFIC_NAME='" . PMA_sqlAddslashes($_GET['routine_name']) . "';"); + . "WHERE ROUTINE_SCHEMA='" . PMA_sqlAddSlashes($db) . "' " + . "AND SPECIFIC_NAME='" . PMA_sqlAddSlashes($_GET['routine_name']) . "';"); if (! empty($routine_type) && $create_proc = PMA_DBI_get_definition($db, $routine_type, $_GET['routine_name'])) { $create_proc = '<textarea cols="40" rows="15" style="width: 100%;">' . htmlspecialchars($create_proc) . '</textarea>'; if ($GLOBALS['is_ajax_request']) { 
@@ -347,7 +347,7 @@ if (! empty($_REQUEST['execute_routine']) && ! empty($_REQUEST['routine_name'])) $extra_data = array(); if ($message->isSuccess()) { $columns = "`SPECIFIC_NAME`, `ROUTINE_NAME`, `ROUTINE_TYPE`, `DTD_IDENTIFIER`, `ROUTINE_DEFINITION`"; - $where = "ROUTINE_SCHEMA='" . PMA_sqlAddslashes($db) . "' AND ROUTINE_NAME='" . PMA_sqlAddslashes($_REQUEST['routine_name']) . "'"; + $where = "ROUTINE_SCHEMA='" . PMA_sqlAddSlashes($db) . "' AND ROUTINE_NAME='" . PMA_sqlAddSlashes($_REQUEST['routine_name']) . "'"; $routine = PMA_DBI_fetch_single_row("SELECT $columns FROM `INFORMATION_SCHEMA`.`ROUTINES` WHERE $where;"); $extra_data['name'] = htmlspecialchars(strtoupper($_REQUEST['routine_name'])); $extra_data['new_row'] = PMA_RTN_getRowForRoutinesList($routine, 0, true); diff --git a/db_search.php b/db_search.php index ea50569..69350cd 100644 --- a/db_search.php +++ b/db_search.php @@ -61,11 +61,11 @@ if (empty($_REQUEST['search_str']) || ! is_string($_REQUEST['search_str'])) { $searched = htmlspecialchars($_REQUEST['search_str']); // For "as regular expression" (search option 4), we should not treat // this as an expression that contains a LIKE (second parameter of - // PMA_sqlAddslashes()). + // PMA_sqlAddSlashes()). // // Usage example: If user is seaching for a literal $ in a regexp search, // he should enter $ as the value. - $search_str = PMA_sqlAddslashes($_REQUEST['search_str'], ($search_option == 4 ? false : true)); + $search_str = PMA_sqlAddSlashes($_REQUEST['search_str'], ($search_option == 4 ? false : true)); }
$tables_selected = array(); @@ -84,7 +84,7 @@ if (isset($_REQUEST['selectall'])) { if (empty($_REQUEST['field_str']) || ! is_string($_REQUEST['field_str'])) { unset($field_str); } else { - $field_str = PMA_sqlAddslashes($_REQUEST['field_str'], true); + $field_str = PMA_sqlAddSlashes($_REQUEST['field_str'], true); }
/** diff --git a/db_tracking.php b/db_tracking.php index c0421d6..3a9b695 100644 --- a/db_tracking.php +++ b/db_tracking.php @@ -67,7 +67,7 @@ require_once './libraries/db_links.inc.php'; $all_tables_query = ' SELECT table_name, MAX(version) as version FROM ' . PMA_backquote($GLOBALS['cfg']['Server']['pmadb']) . '.' . PMA_backquote($GLOBALS['cfg']['Server']['tracking']) . - ' WHERE ' . PMA_backquote('db_name') . ' = '' . PMA_sqlAddslashes($_REQUEST['db']) . '' ' . + ' WHERE ' . PMA_backquote('db_name') . ' = '' . PMA_sqlAddSlashes($_REQUEST['db']) . '' ' . ' GROUP BY '. PMA_backquote('table_name') . ' ORDER BY '. PMA_backquote('table_name') .' ASC';
@@ -110,7 +110,7 @@ if (PMA_DBI_num_rows($all_tables_result) > 0) { $table_query = ' SELECT * FROM ' . PMA_backquote($GLOBALS['cfg']['Server']['pmadb']) . '.' . PMA_backquote($GLOBALS['cfg']['Server']['tracking']) . - ' WHERE `db_name` = '' . PMA_sqlAddslashes($_REQUEST['db']) . '' AND `table_name` = '' . PMA_sqlAddslashes($table_name) . '' AND `version` = '' . $version_number . '''; + ' WHERE `db_name` = '' . PMA_sqlAddSlashes($_REQUEST['db']) . '' AND `table_name` = '' . PMA_sqlAddSlashes($table_name) . '' AND `version` = '' . $version_number . ''';
$table_result = PMA_query_as_controluser($table_query); $version_data = PMA_DBI_fetch_array($table_result); diff --git a/import.php b/import.php index 6506dc8..afc513c 100644 --- a/import.php +++ b/import.php @@ -153,7 +153,7 @@ if (!empty($id_bookmark)) { case 0: // bookmarked query that have to be run $import_text = PMA_Bookmark_get($db, $id_bookmark, 'id', isset($action_bookmark_all)); if (isset($bookmark_variable) && !empty($bookmark_variable)) { - $import_text = preg_replace('|/*(.*)[VARIABLE](.*)*/|imsU', '${1}' . PMA_sqlAddslashes($bookmark_variable) . '${2}', $import_text); + $import_text = preg_replace('|/*(.*)[VARIABLE](.*)*/|imsU', '${1}' . PMA_sqlAddSlashes($bookmark_variable) . '${2}', $import_text); }
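Review bot: `$version_number` is concatenated into the `version` comparison of the @@ -110 hunk without PMA_sqlAddSlashes, while `db_name` and `table_name` beside it are escaped. Its origin is outside the hunk, so it may already be validated as an integer, but the Tracker.class.php hunks in this same commit escape `$version` in the equivalent comparison; for consistency wrap it as `PMA_sqlAddSlashes($version_number)`. The enclosing block starts before the hunk.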
// refresh left frame on changes in table or db structure diff --git a/libraries/List_Database.class.php b/libraries/List_Database.class.php index 2349852..bf1d468 100644 --- a/libraries/List_Database.class.php +++ b/libraries/List_Database.class.php @@ -423,7 +423,7 @@ require_once './libraries/List.class.php'; SELECT DISTINCT `Db` FROM `mysql`.`db` WHERE `Select_priv` = 'Y' AND `User` - IN ('" . PMA_sqlAddslashes($GLOBALS['cfg']['Server']['user']) . "', '')"; + IN ('" . PMA_sqlAddSlashes($GLOBALS['cfg']['Server']['user']) . "', '')"; $tmp_mydbs = PMA_DBI_fetch_result($local_query, null, null, $GLOBALS['controllink']); if ($tmp_mydbs) { @@ -471,7 +471,7 @@ require_once './libraries/List.class.php'; } // end if
// 2. get allowed dbs from the "mysql.tables_priv" table - $local_query = 'SELECT DISTINCT Db FROM mysql.tables_priv WHERE Table_priv LIKE '%Select%' AND User = '' . PMA_sqlAddslashes($GLOBALS['cfg']['Server']['user']) . '''; + $local_query = 'SELECT DISTINCT Db FROM mysql.tables_priv WHERE Table_priv LIKE '%Select%' AND User = '' . PMA_sqlAddSlashes($GLOBALS['cfg']['Server']['user']) . '''; $rs = PMA_DBI_try_query($local_query, $GLOBALS['controllink']); if ($rs && @PMA_DBI_num_rows($rs)) { while ($row = PMA_DBI_fetch_assoc($rs)) { diff --git a/libraries/RecentTable.class.php b/libraries/RecentTable.class.php index 5a53a41..f844bbc 100644 --- a/libraries/RecentTable.class.php +++ b/libraries/RecentTable.class.php @@ -99,7 +99,7 @@ class PMA_RecentTable $username = $GLOBALS['cfg']['Server']['user']; $sql_query = " REPLACE INTO " . $this->pma_table . " (`username`, `tables`)" . - " VALUES ('" . $username . "', '" . PMA_sqlAddslashes(json_encode($this->tables)) . "')"; + " VALUES ('" . $username . "', '" . PMA_sqlAddSlashes(json_encode($this->tables)) . "')";
$success = PMA_DBI_try_query($sql_query, $GLOBALS['controllink']);
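Review bot: The REPLACE INTO statement interpolates `$username` directly while escaping only the json_encode() result. Here `$username` comes from `$GLOBALS['cfg']['Server']['user']`, so it is configuration rather than request input, but the same pattern appears in the libraries/Table.class.php hunk at @@ -1252, where `$this->db_name` and `$this->name` (database and table names that may legitimately contain a quote) are also concatenated unescaped into VALUES. Wrapping each of these in `PMA_sqlAddSlashes(...)` keeps the statement well-formed for any name. The enclosing method starts before the hunk.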
diff --git a/libraries/Table.class.php b/libraries/Table.class.php index baa677f..0acd2d9 100644 --- a/libraries/Table.class.php +++ b/libraries/Table.class.php @@ -378,7 +378,7 @@ class PMA_Table } elseif ($type == 'BIT') { $query .= ' DEFAULT b'' . preg_replace('/[^01]/', '0', $default_value) . '''; } else { - $query .= ' DEFAULT '' . PMA_sqlAddslashes($default_value) . '''; + $query .= ' DEFAULT '' . PMA_sqlAddSlashes($default_value) . '''; } break; case 'NULL' : @@ -421,7 +421,7 @@ class PMA_Table } // end if (auto_increment) } if (!empty($comment)) { - $query .= " COMMENT '" . PMA_sqlAddslashes($comment) . "'"; + $query .= " COMMENT '" . PMA_sqlAddSlashes($comment) . "'"; } return $query; } // end function @@ -549,14 +549,14 @@ class PMA_Table $where_parts = array(); foreach ($where_fields as $_where => $_value) { $where_parts[] = PMA_backquote($_where) . ' = '' - . PMA_sqlAddslashes($_value) . '''; + . PMA_sqlAddSlashes($_value) . '''; }
$new_parts = array(); $new_value_parts = array(); foreach ($new_fields as $_where => $_value) { $new_parts[] = PMA_backquote($_where); - $new_value_parts[] = PMA_sqlAddslashes($_value); + $new_value_parts[] = PMA_sqlAddSlashes($_value); }
$table_copy_query = ' @@ -574,7 +574,7 @@ class PMA_Table $value_parts = array(); foreach ($table_copy_row as $_key => $_val) { if (isset($row_fields[$_key]) && $row_fields[$_key] == 'cc') { - $value_parts[] = PMA_sqlAddslashes($_val); + $value_parts[] = PMA_sqlAddSlashes($_val); } }
@@ -805,10 +805,10 @@ class PMA_Table // Move old entries from PMA-DBs to new table if ($GLOBALS['cfgRelation']['commwork']) { $remove_query = 'UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['column_info']) - . ' SET table_name = '' . PMA_sqlAddslashes($target_table) . '', ' - . ' db_name = '' . PMA_sqlAddslashes($target_db) . ''' - . ' WHERE db_name = '' . PMA_sqlAddslashes($source_db) . ''' - . ' AND table_name = '' . PMA_sqlAddslashes($source_table) . '''; + . ' SET table_name = '' . PMA_sqlAddSlashes($target_table) . '', ' + . ' db_name = '' . PMA_sqlAddSlashes($target_db) . ''' + . ' WHERE db_name = '' . PMA_sqlAddSlashes($source_db) . ''' + . ' AND table_name = '' . PMA_sqlAddSlashes($source_table) . '''; PMA_query_as_controluser($remove_query); unset($remove_query); } @@ -818,28 +818,28 @@ class PMA_Table
if ($GLOBALS['cfgRelation']['displaywork']) { $table_query = 'UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['table_info']) - . ' SET db_name = '' . PMA_sqlAddslashes($target_db) . '', ' - . ' table_name = '' . PMA_sqlAddslashes($target_table) . ''' - . ' WHERE db_name = '' . PMA_sqlAddslashes($source_db) . ''' - . ' AND table_name = '' . PMA_sqlAddslashes($source_table) . '''; + . ' SET db_name = '' . PMA_sqlAddSlashes($target_db) . '', ' + . ' table_name = '' . PMA_sqlAddSlashes($target_table) . ''' + . ' WHERE db_name = '' . PMA_sqlAddSlashes($source_db) . ''' + . ' AND table_name = '' . PMA_sqlAddSlashes($source_table) . '''; PMA_query_as_controluser($table_query); unset($table_query); }
if ($GLOBALS['cfgRelation']['relwork']) { $table_query = 'UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['relation']) - . ' SET foreign_table = '' . PMA_sqlAddslashes($target_table) . '',' - . ' foreign_db = '' . PMA_sqlAddslashes($target_db) . ''' - . ' WHERE foreign_db = '' . PMA_sqlAddslashes($source_db) . ''' - . ' AND foreign_table = '' . PMA_sqlAddslashes($source_table) . '''; + . ' SET foreign_table = '' . PMA_sqlAddSlashes($target_table) . '',' + . ' foreign_db = '' . PMA_sqlAddSlashes($target_db) . ''' + . ' WHERE foreign_db = '' . PMA_sqlAddSlashes($source_db) . ''' + . ' AND foreign_table = '' . PMA_sqlAddSlashes($source_table) . '''; PMA_query_as_controluser($table_query); unset($table_query);
$table_query = 'UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['relation']) - . ' SET master_table = '' . PMA_sqlAddslashes($target_table) . '',' - . ' master_db = '' . PMA_sqlAddslashes($target_db) . ''' - . ' WHERE master_db = '' . PMA_sqlAddslashes($source_db) . ''' - . ' AND master_table = '' . PMA_sqlAddslashes($source_table) . '''; + . ' SET master_table = '' . PMA_sqlAddSlashes($target_table) . '',' + . ' master_db = '' . PMA_sqlAddSlashes($target_db) . ''' + . ' WHERE master_db = '' . PMA_sqlAddSlashes($source_db) . ''' + . ' AND master_table = '' . PMA_sqlAddSlashes($source_table) . '''; PMA_query_as_controluser($table_query); unset($table_query); } @@ -853,24 +853,24 @@ class PMA_Table
if ($GLOBALS['cfgRelation']['pdfwork']) { $table_query = 'UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['table_coords']) - . ' SET table_name = '' . PMA_sqlAddslashes($target_table) . '',' - . ' db_name = '' . PMA_sqlAddslashes($target_db) . ''' - . ' WHERE db_name = '' . PMA_sqlAddslashes($source_db) . ''' - . ' AND table_name = '' . PMA_sqlAddslashes($source_table) . '''; + . ' SET table_name = '' . PMA_sqlAddSlashes($target_table) . '',' + . ' db_name = '' . PMA_sqlAddSlashes($target_db) . ''' + . ' WHERE db_name = '' . PMA_sqlAddSlashes($source_db) . ''' + . ' AND table_name = '' . PMA_sqlAddSlashes($source_table) . '''; PMA_query_as_controluser($table_query); unset($table_query); /* $pdf_query = 'SELECT pdf_page_number ' . ' FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['table_coords']) - . ' WHERE db_name = '' . PMA_sqlAddslashes($target_db) . ''' - . ' AND table_name = '' . PMA_sqlAddslashes($target_table) . '''; + . ' WHERE db_name = '' . PMA_sqlAddSlashes($target_db) . ''' + . ' AND table_name = '' . PMA_sqlAddSlashes($target_table) . '''; $pdf_rs = PMA_query_as_controluser($pdf_query);
while ($pdf_copy_row = PMA_DBI_fetch_assoc($pdf_rs)) { $table_query = 'UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['pdf_pages']) - . ' SET db_name = '' . PMA_sqlAddslashes($target_db) . ''' - . ' WHERE db_name = '' . PMA_sqlAddslashes($source_db) . ''' - . ' AND page_nr = '' . PMA_sqlAddslashes($pdf_copy_row['pdf_page_number']) . '''; + . ' SET db_name = '' . PMA_sqlAddSlashes($target_db) . ''' + . ' WHERE db_name = '' . PMA_sqlAddSlashes($source_db) . ''' + . ' AND page_nr = '' . PMA_sqlAddSlashes($pdf_copy_row['pdf_page_number']) . '''; $tb_rs = PMA_query_as_controluser($table_query); unset($table_query); unset($tb_rs); @@ -880,10 +880,10 @@ class PMA_Table
if ($GLOBALS['cfgRelation']['designerwork']) { $table_query = 'UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['designer_coords']) - . ' SET table_name = '' . PMA_sqlAddslashes($target_table) . '',' - . ' db_name = '' . PMA_sqlAddslashes($target_db) . ''' - . ' WHERE db_name = '' . PMA_sqlAddslashes($source_db) . ''' - . ' AND table_name = '' . PMA_sqlAddslashes($source_table) . '''; + . ' SET table_name = '' . PMA_sqlAddSlashes($target_table) . '',' + . ' db_name = '' . PMA_sqlAddSlashes($target_db) . ''' + . ' WHERE db_name = '' . PMA_sqlAddSlashes($source_db) . ''' + . ' AND table_name = '' . PMA_sqlAddSlashes($source_table) . '''; PMA_query_as_controluser($table_query); unset($table_query); } @@ -900,8 +900,8 @@ class PMA_Table column_name, ' . PMA_backquote('comment') . ($GLOBALS['cfgRelation']['mimework'] ? ', mimetype, transformation, transformation_options' : '') . ' FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['column_info']) . ' WHERE - db_name = '' . PMA_sqlAddslashes($source_db) . '' AND - table_name = '' . PMA_sqlAddslashes($source_table) . '''; + db_name = '' . PMA_sqlAddSlashes($source_db) . '' AND + table_name = '' . PMA_sqlAddSlashes($source_table) . '''; $comments_copy_rs = PMA_query_as_controluser($comments_copy_query);
// Write every comment as new copied entry. [MIME] @@ -909,13 +909,13 @@ class PMA_Table $new_comment_query = 'REPLACE INTO ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['column_info']) . ' (db_name, table_name, column_name, ' . PMA_backquote('comment') . ($GLOBALS['cfgRelation']['mimework'] ? ', mimetype, transformation, transformation_options' : '') . ') ' . ' VALUES(' - . ''' . PMA_sqlAddslashes($target_db) . '',' - . ''' . PMA_sqlAddslashes($target_table) . '',' - . ''' . PMA_sqlAddslashes($comments_copy_row['column_name']) . ''' - . ($GLOBALS['cfgRelation']['mimework'] ? ','' . PMA_sqlAddslashes($comments_copy_row['comment']) . '',' - . ''' . PMA_sqlAddslashes($comments_copy_row['mimetype']) . '',' - . ''' . PMA_sqlAddslashes($comments_copy_row['transformation']) . '',' - . ''' . PMA_sqlAddslashes($comments_copy_row['transformation_options']) . ''' : '') + . ''' . PMA_sqlAddSlashes($target_db) . '',' + . ''' . PMA_sqlAddSlashes($target_table) . '',' + . ''' . PMA_sqlAddSlashes($comments_copy_row['column_name']) . ''' + . ($GLOBALS['cfgRelation']['mimework'] ? ','' . PMA_sqlAddSlashes($comments_copy_row['comment']) . '',' + . ''' . PMA_sqlAddSlashes($comments_copy_row['mimetype']) . '',' + . ''' . PMA_sqlAddSlashes($comments_copy_row['transformation']) . '',' + . ''' . PMA_sqlAddSlashes($comments_copy_row['transformation_options']) . ''' : '') . ')'; PMA_query_as_controluser($new_comment_query); } // end while 
@@ -1065,10 +1065,10 @@ class PMA_Table $remove_query = ' UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['column_info']) . ' - SET `db_name` = '' . PMA_sqlAddslashes($new_db) . '', - `table_name` = '' . PMA_sqlAddslashes($new_name) . '' - WHERE `db_name` = '' . PMA_sqlAddslashes($old_db) . '' - AND `table_name` = '' . PMA_sqlAddslashes($old_name) . '''; + SET `db_name` = '' . PMA_sqlAddSlashes($new_db) . '', + `table_name` = '' . PMA_sqlAddSlashes($new_name) . '' + WHERE `db_name` = '' . PMA_sqlAddSlashes($old_db) . '' + AND `table_name` = '' . PMA_sqlAddSlashes($old_name) . '''; PMA_query_as_controluser($remove_query); unset($remove_query); } @@ -1077,10 +1077,10 @@ class PMA_Table $table_query = ' UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['table_info']) . ' - SET `db_name` = '' . PMA_sqlAddslashes($new_db) . '', - `table_name` = '' . PMA_sqlAddslashes($new_name) . '' - WHERE `db_name` = '' . PMA_sqlAddslashes($old_db) . '' - AND `table_name` = '' . PMA_sqlAddslashes($old_name) . '''; + SET `db_name` = '' . PMA_sqlAddSlashes($new_db) . '', + `table_name` = '' . PMA_sqlAddSlashes($new_name) . '' + WHERE `db_name` = '' . PMA_sqlAddSlashes($old_db) . '' + AND `table_name` = '' . PMA_sqlAddSlashes($old_name) . '''; PMA_query_as_controluser($table_query); unset($table_query); } 
@@ -1089,19 +1089,19 @@ class PMA_Table $table_query = ' UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['relation']) . ' - SET `foreign_db` = '' . PMA_sqlAddslashes($new_db) . '', - `foreign_table` = '' . PMA_sqlAddslashes($new_name) . '' - WHERE `foreign_db` = '' . PMA_sqlAddslashes($old_db) . '' - AND `foreign_table` = '' . PMA_sqlAddslashes($old_name) . '''; + SET `foreign_db` = '' . PMA_sqlAddSlashes($new_db) . '', + `foreign_table` = '' . PMA_sqlAddSlashes($new_name) . '' + WHERE `foreign_db` = '' . PMA_sqlAddSlashes($old_db) . '' + AND `foreign_table` = '' . PMA_sqlAddSlashes($old_name) . '''; PMA_query_as_controluser($table_query);
$table_query = ' UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['relation']) . ' - SET `master_db` = '' . PMA_sqlAddslashes($new_db) . '', - `master_table` = '' . PMA_sqlAddslashes($new_name) . '' - WHERE `master_db` = '' . PMA_sqlAddslashes($old_db) . '' - AND `master_table` = '' . PMA_sqlAddslashes($old_name) . '''; + SET `master_db` = '' . PMA_sqlAddSlashes($new_db) . '', + `master_table` = '' . PMA_sqlAddSlashes($new_name) . '' + WHERE `master_db` = '' . PMA_sqlAddSlashes($old_db) . '' + AND `master_table` = '' . PMA_sqlAddSlashes($old_name) . '''; PMA_query_as_controluser($table_query); unset($table_query); } @@ -1110,10 +1110,10 @@ class PMA_Table $table_query = ' UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['table_coords']) . ' - SET `db_name` = '' . PMA_sqlAddslashes($new_db) . '', - `table_name` = '' . PMA_sqlAddslashes($new_name) . '' - WHERE `db_name` = '' . PMA_sqlAddslashes($old_db) . '' - AND `table_name` = '' . PMA_sqlAddslashes($old_name) . '''; + SET `db_name` = '' . PMA_sqlAddSlashes($new_db) . '', + `table_name` = '' . PMA_sqlAddSlashes($new_name) . '' + WHERE `db_name` = '' . PMA_sqlAddSlashes($old_db) . '' + AND `table_name` = '' . PMA_sqlAddSlashes($old_name) . '''; PMA_query_as_controluser($table_query); unset($table_query); } 
@@ -1122,10 +1122,10 @@ class PMA_Table $table_query = ' UPDATE ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['designer_coords']) . ' - SET `db_name` = '' . PMA_sqlAddslashes($new_db) . '', - `table_name` = '' . PMA_sqlAddslashes($new_name) . '' - WHERE `db_name` = '' . PMA_sqlAddslashes($old_db) . '' - AND `table_name` = '' . PMA_sqlAddslashes($old_name) . '''; + SET `db_name` = '' . PMA_sqlAddSlashes($new_db) . '', + `table_name` = '' . PMA_sqlAddSlashes($new_name) . '' + WHERE `db_name` = '' . PMA_sqlAddSlashes($old_db) . '' + AND `table_name` = '' . PMA_sqlAddSlashes($old_name) . '''; PMA_query_as_controluser($table_query); unset($table_query); } @@ -1252,7 +1252,7 @@ class PMA_Table $sql_query = " REPLACE INTO " . $pma_table . " VALUES ('" . $username . "', '" . $this->db_name . "', '" . - $this->name . "', '" . PMA_sqlAddslashes(json_encode($this->uiprefs)) . "')"; + $this->name . "', '" . PMA_sqlAddSlashes(json_encode($this->uiprefs)) . "')";
$success = PMA_DBI_try_query($sql_query, $GLOBALS['controllink']);
diff --git a/libraries/Tracker.class.php b/libraries/Tracker.class.php index 35ab7f4..da9a56a 100644 --- a/libraries/Tracker.class.php +++ b/libraries/Tracker.class.php @@ -219,8 +219,8 @@ class PMA_Tracker
$sql_query = " SELECT tracking_active FROM " . self::$pma_table . - " WHERE " . PMA_backquote('db_name') . " = '" . PMA_sqlAddslashes($dbname) . "' " . - " AND " . PMA_backquote('table_name') . " = '" . PMA_sqlAddslashes($tablename) . "' " . + " WHERE " . PMA_backquote('db_name') . " = '" . PMA_sqlAddSlashes($dbname) . "' " . + " AND " . PMA_backquote('table_name') . " = '" . PMA_sqlAddSlashes($tablename) . "' " . " ORDER BY version DESC";
$row = PMA_DBI_fetch_array(PMA_query_as_controluser($sql_query)); @@ -331,15 +331,15 @@ class PMA_Tracker "tracking " . ") " . "values ( - '" . PMA_sqlAddslashes($dbname) . "', - '" . PMA_sqlAddslashes($tablename) . "', - '" . PMA_sqlAddslashes($version) . "', - '" . PMA_sqlAddslashes($date) . "', - '" . PMA_sqlAddslashes($date) . "', - '" . PMA_sqlAddslashes($snapshot) . "', - '" . PMA_sqlAddslashes($create_sql) . "', - '" . PMA_sqlAddslashes("\n") . "', - '" . PMA_sqlAddslashes($tracking_set) . "' )"; + '" . PMA_sqlAddSlashes($dbname) . "', + '" . PMA_sqlAddSlashes($tablename) . "', + '" . PMA_sqlAddSlashes($version) . "', + '" . PMA_sqlAddSlashes($date) . "', + '" . PMA_sqlAddSlashes($date) . "', + '" . PMA_sqlAddSlashes($snapshot) . "', + '" . PMA_sqlAddSlashes($create_sql) . "', + '" . PMA_sqlAddSlashes("\n") . "', + '" . PMA_sqlAddSlashes($tracking_set) . "' )";
$result = PMA_query_as_controluser($sql_query);
@@ -366,7 +366,7 @@ class PMA_Tracker { $sql_query = "/*NOTRACK*/\n" . - "DELETE FROM " . self::$pma_table . " WHERE `db_name` = '" . PMA_sqlAddslashes($dbname) . "' AND `table_name` = '" . PMA_sqlAddslashes($tablename) . "'"; + "DELETE FROM " . self::$pma_table . " WHERE `db_name` = '" . PMA_sqlAddSlashes($dbname) . "' AND `table_name` = '" . PMA_sqlAddSlashes($tablename) . "'"; $result = PMA_query_as_controluser($sql_query);
return $result; @@ -421,15 +421,15 @@ class PMA_Tracker "tracking " . ") " . "values ( - '" . PMA_sqlAddslashes($dbname) . "', - '" . PMA_sqlAddslashes('') . "', - '" . PMA_sqlAddslashes($version) . "', - '" . PMA_sqlAddslashes($date) . "', - '" . PMA_sqlAddslashes($date) . "', - '" . PMA_sqlAddslashes('') . "', - '" . PMA_sqlAddslashes($create_sql) . "', - '" . PMA_sqlAddslashes("\n") . "', - '" . PMA_sqlAddslashes($tracking_set) . "' )"; + '" . PMA_sqlAddSlashes($dbname) . "', + '" . PMA_sqlAddSlashes('') . "', + '" . PMA_sqlAddSlashes($version) . "', + '" . PMA_sqlAddSlashes($date) . "', + '" . PMA_sqlAddSlashes($date) . "', + '" . PMA_sqlAddSlashes('') . "', + '" . PMA_sqlAddSlashes($create_sql) . "', + '" . PMA_sqlAddSlashes("\n") . "', + '" . PMA_sqlAddSlashes($tracking_set) . "' )";
$result = PMA_query_as_controluser($sql_query);
@@ -455,9 +455,9 @@ class PMA_Tracker $sql_query = " UPDATE " . self::$pma_table . " SET `tracking_active` = '" . $new_state . "' " . - " WHERE `db_name` = '" . PMA_sqlAddslashes($dbname) . "' " . - " AND `table_name` = '" . PMA_sqlAddslashes($tablename) . "' " . - " AND `version` = '" . PMA_sqlAddslashes($version) . "' "; + " WHERE `db_name` = '" . PMA_sqlAddSlashes($dbname) . "' " . + " AND `table_name` = '" . PMA_sqlAddSlashes($tablename) . "' " . + " AND `version` = '" . PMA_sqlAddSlashes($version) . "' ";
$result = PMA_query_as_controluser($sql_query);
@@ -491,7 +491,7 @@ class PMA_Tracker $new_data_processed = ''; if (is_array($new_data)) { foreach ($new_data as $data) { - $new_data_processed .= '# log ' . $date . ' ' . $data['username'] . PMA_sqlAddslashes($data['statement']) . "\n"; + $new_data_processed .= '# log ' . $date . ' ' . $data['username'] . PMA_sqlAddSlashes($data['statement']) . "\n"; } } else { $new_data_processed = $new_data; @@ -500,9 +500,9 @@ class PMA_Tracker $sql_query = " UPDATE " . self::$pma_table . " SET `" . $save_to . "` = '" . $new_data_processed . "' " . - " WHERE `db_name` = '" . PMA_sqlAddslashes($dbname) . "' " . - " AND `table_name` = '" . PMA_sqlAddslashes($tablename) . "' " . - " AND `version` = '" . PMA_sqlAddslashes($version) . "' "; + " WHERE `db_name` = '" . PMA_sqlAddSlashes($dbname) . "' " . + " AND `table_name` = '" . PMA_sqlAddSlashes($tablename) . "' " . + " AND `version` = '" . PMA_sqlAddSlashes($version) . "' ";
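Review bot: In the else branch `$new_data_processed = $new_data;` the string form of `$new_data` reaches the UPDATE in the following @@ -500 hunk unescaped, and in the array branch `$data['username']` is concatenated raw while `$data['statement']` next to it is escaped. Assuming the string form is meant to be stored verbatim, the else branch should read `$new_data_processed = PMA_sqlAddSlashes($new_data);` and the log line `. PMA_sqlAddSlashes($data['username']) .`. The same unescaped interpolation occurs with `$new_state` at @@ -455, `$statement` inside FIND_IN_SET at @@ -559 and `$result['identifier']` at @@ -974 in this file, and @@ -500 interpolates `$save_to` into backticks where @@ -959 uses PMA_backquote. The enclosing method starts before the hunk.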
$result = PMA_query_as_controluser($sql_query);
@@ -559,8 +559,8 @@ class PMA_Tracker { $sql_query = " SELECT MAX(version) FROM " . self::$pma_table . - " WHERE `db_name` = '" . PMA_sqlAddslashes($dbname) . "' " . - " AND `table_name` = '" . PMA_sqlAddslashes($tablename) . "' "; + " WHERE `db_name` = '" . PMA_sqlAddSlashes($dbname) . "' " . + " AND `table_name` = '" . PMA_sqlAddSlashes($tablename) . "' ";
if ($statement != "") { $sql_query .= " AND FIND_IN_SET('" . $statement . "',tracking) > 0" ; @@ -593,11 +593,11 @@ class PMA_Tracker self::init(); } $sql_query = " SELECT * FROM " . self::$pma_table . - " WHERE `db_name` = '" . PMA_sqlAddslashes($dbname) . "' "; + " WHERE `db_name` = '" . PMA_sqlAddSlashes($dbname) . "' "; if (! empty($tablename)) { - $sql_query .= " AND `table_name` = '" . PMA_sqlAddslashes($tablename) ."' "; + $sql_query .= " AND `table_name` = '" . PMA_sqlAddSlashes($tablename) ."' "; } - $sql_query .= " AND `version` = '" . PMA_sqlAddslashes($version) ."' ". + $sql_query .= " AND `version` = '" . PMA_sqlAddSlashes($version) ."' ". " ORDER BY `version` DESC ";
$mixed = PMA_DBI_fetch_array(PMA_query_as_controluser($sql_query)); @@ -959,12 +959,12 @@ class PMA_Tracker $sql_query = " /*NOTRACK*/\n" . " UPDATE " . self::$pma_table . - " SET " . PMA_backquote($save_to) ." = CONCAT( " . PMA_backquote($save_to) . ",'\n" . PMA_sqlAddslashes($query) . "') ," . + " SET " . PMA_backquote($save_to) ." = CONCAT( " . PMA_backquote($save_to) . ",'\n" . PMA_sqlAddSlashes($query) . "') ," . " `date_updated` = '" . $date . "' ";
// If table was renamed we have to change the tablename attribute in pma_tracking too if ($result['identifier'] == 'RENAME TABLE') { - $sql_query .= ', `table_name` = '' . PMA_sqlAddslashes($result['tablename_after_rename']) . '' '; + $sql_query .= ', `table_name` = '' . PMA_sqlAddSlashes($result['tablename_after_rename']) . '' '; }
// Save the tracking information only for @@ -974,9 +974,9 @@ class PMA_Tracker // we want to track $sql_query .= " WHERE FIND_IN_SET('" . $result['identifier'] . "',tracking) > 0" . - " AND `db_name` = '" . PMA_sqlAddslashes($dbname) . "' " . - " AND `table_name` = '" . PMA_sqlAddslashes($result['tablename']) . "' " . - " AND `version` = '" . PMA_sqlAddslashes($version) . "' "; + " AND `db_name` = '" . PMA_sqlAddSlashes($dbname) . "' " . + " AND `table_name` = '" . PMA_sqlAddSlashes($result['tablename']) . "' " . + " AND `version` = '" . PMA_sqlAddSlashes($version) . "' ";
$result = PMA_query_as_controluser($sql_query); } diff --git a/libraries/blobstreaming.lib.php b/libraries/blobstreaming.lib.php index c7250dc..d9893dd 100644 --- a/libraries/blobstreaming.lib.php +++ b/libraries/blobstreaming.lib.php @@ -387,7 +387,7 @@ function PMA_BS_IsTablePBMSEnabled($db_name, $tbl_name, $tbl_type)
// This information should be cached rather than selecting it each time. //$query = "SELECT count(*) FROM information_schema.TABLES T, pbms.pbms_enabled E where T.table_schema = ". PMA_backquote($db_name) . " and T.table_name = ". PMA_backquote($tbl_name) . " and T.engine = E.name"; - $query = "SELECT count(*) FROM pbms.pbms_enabled E where E.name = '" . PMA_sqlAddslashes($tbl_type) . "'"; + $query = "SELECT count(*) FROM pbms.pbms_enabled E where E.name = '" . PMA_sqlAddSlashes($tbl_type) . "'"; $result = PMA_DBI_query($query);
$data = PMA_DBI_fetch_row($result); @@ -439,7 +439,7 @@ function PMA_BS_SetContentType($db_name, $bsTable, $blobReference, $contentType) // This is a really ugly way to do this but currently there is nothing better. // In a future version of PBMS the system tables will be redesigned to make this // more efficient. - $query = "SELECT Repository_id, Repo_blob_offset FROM pbms_reference WHERE Blob_url='" . PMA_sqlAddslashes($blobReference) . "'"; + $query = "SELECT Repository_id, Repo_blob_offset FROM pbms_reference WHERE Blob_url='" . PMA_sqlAddSlashes($blobReference) . "'"; //error_log(" PMA_BS_SetContentType: $query\n", 3, "/tmp/mylog"); $result = PMA_DBI_query($query); //error_log(" $query\n", 3, "/tmp/mylog"); @@ -451,9 +451,9 @@ function PMA_BS_SetContentType($db_name, $bsTable, $blobReference, $contentType) $result = PMA_DBI_query($query);
if (PMA_DBI_num_rows($result) == 0) { - $query = "INSERT into pbms_metadata Values( ". $data['Repository_id'] . ", " . $data['Repo_blob_offset'] . ", 'Content_type', '" . PMA_sqlAddslashes($contentType) . "')"; + $query = "INSERT into pbms_metadata Values( ". $data['Repository_id'] . ", " . $data['Repo_blob_offset'] . ", 'Content_type', '" . PMA_sqlAddSlashes($contentType) . "')"; } else { - $query = "UPDATE pbms_metadata SET name = 'Content_type', Value = '" . PMA_sqlAddslashes($contentType) . "' $where"; + $query = "UPDATE pbms_metadata SET name = 'Content_type', Value = '" . PMA_sqlAddSlashes($contentType) . "' $where"; } //error_log("$query\n", 3, "/tmp/mylog"); PMA_DBI_query($query); diff --git a/libraries/bookmark.lib.php b/libraries/bookmark.lib.php index 5492cbf..9ff7d1b 100644 --- a/libraries/bookmark.lib.php +++ b/libraries/bookmark.lib.php @@ -58,13 +58,13 @@ function PMA_Bookmark_getList($db) }
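Review bot: `$data['Repository_id']` and `$data['Repo_blob_offset']` are spliced into the INSERT unquoted and unescaped; they are read back from the pbms_reference lookup in the previous hunk, so they are presumably numeric, but nothing in view enforces that, and `$where` on the UPDATE branch is assembled outside this hunk. A cast pins the type where the value is used: `"INSERT into pbms_metadata Values( " . (int) $data['Repository_id'] . ", " . (int) $data['Repo_blob_offset'] . ", 'Content_type', '" . PMA_sqlAddSlashes($contentType) . "')"`. PMA_BS_SetContentType begins before this hunk.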
$query = 'SELECT label, id FROM '. PMA_backquote($cfgBookmark['db']) . '.' . PMA_backquote($cfgBookmark['table']) - . ' WHERE dbase = '' . PMA_sqlAddslashes($db) . ''' - . ' AND user = '' . PMA_sqlAddslashes($cfgBookmark['user']) . ''' + . ' WHERE dbase = '' . PMA_sqlAddSlashes($db) . ''' + . ' AND user = '' . PMA_sqlAddSlashes($cfgBookmark['user']) . ''' . ' ORDER BY label'; $per_user = PMA_DBI_fetch_result($query, 'id', 'label', $controllink, PMA_DBI_QUERY_STORE);
$query = 'SELECT label, id FROM '. PMA_backquote($cfgBookmark['db']) . '.' . PMA_backquote($cfgBookmark['table']) - . ' WHERE dbase = '' . PMA_sqlAddslashes($db) . ''' + . ' WHERE dbase = '' . PMA_sqlAddSlashes($db) . ''' . ' AND user = ''' . ' ORDER BY label'; $global = PMA_DBI_fetch_result($query, 'id', 'label', $controllink, PMA_DBI_QUERY_STORE); @@ -107,10 +107,10 @@ function PMA_Bookmark_get($db, $id, $id_field = 'id', $action_bookmark_all = fal }
$query = 'SELECT query FROM ' . PMA_backquote($cfgBookmark['db']) . '.' . PMA_backquote($cfgBookmark['table']) - . ' WHERE dbase = '' . PMA_sqlAddslashes($db) . '''; + . ' WHERE dbase = '' . PMA_sqlAddSlashes($db) . ''';
if (!$action_bookmark_all) { - $query .= ' AND (user = '' . PMA_sqlAddslashes($cfgBookmark['user']) . '''; + $query .= ' AND (user = '' . PMA_sqlAddSlashes($cfgBookmark['user']) . '''; if (!$exact_user_match) { $query .= ' OR user = '''; } @@ -146,7 +146,7 @@ function PMA_Bookmark_save($fields, $all_users = false) }
$query = 'INSERT INTO ' . PMA_backquote($cfgBookmark['db']) . '.' . PMA_backquote($cfgBookmark['table']) - . ' (id, dbase, user, query, label) VALUES (NULL, '' . PMA_sqlAddslashes($fields['dbase']) . '', '' . ($all_users ? '' : PMA_sqlAddslashes($fields['user'])) . '', '' . PMA_sqlAddslashes(urldecode($fields['query'])) . '', '' . PMA_sqlAddslashes($fields['label']) . '')'; + . ' (id, dbase, user, query, label) VALUES (NULL, '' . PMA_sqlAddSlashes($fields['dbase']) . '', '' . ($all_users ? '' : PMA_sqlAddSlashes($fields['user'])) . '', '' . PMA_sqlAddSlashes(urldecode($fields['query'])) . '', '' . PMA_sqlAddSlashes($fields['label']) . '')'; return PMA_DBI_query($query, $controllink); } // end of the 'PMA_Bookmark_save()' function
@@ -172,7 +172,7 @@ function PMA_Bookmark_delete($db, $id) }
$query = 'DELETE FROM ' . PMA_backquote($cfgBookmark['db']) . '.' . PMA_backquote($cfgBookmark['table']) - . ' WHERE (user = '' . PMA_sqlAddslashes($cfgBookmark['user']) . ''' + . ' WHERE (user = '' . PMA_sqlAddSlashes($cfgBookmark['user']) . ''' . ' OR user = '')' . ' AND id = ' . $id; return PMA_DBI_try_query($query, $controllink); diff --git a/libraries/common.lib.php b/libraries/common.lib.php index 7dcbea0..61f3102 100644 --- a/libraries/common.lib.php +++ b/libraries/common.lib.php @@ -161,7 +161,7 @@ function PMA_displayMaximumUploadSize($max_upload_size) * * @access public */ -function PMA_sqlAddslashes($a_string = '', $is_like = false, $crlf = false, $php_code = false) +function PMA_sqlAddSlashes($a_string = '', $is_like = false, $crlf = false, $php_code = false) { if ($is_like) { $a_string = str_replace('\', '\\\\', $a_string); @@ -182,7 +182,7 @@ function PMA_sqlAddslashes($a_string = '', $is_like = false, $crlf = false, $php }
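Review bot: `$id` is appended raw in `' AND id = ' . $id` on the DELETE, directly next to the user name this hunk escapes; PMA_Bookmark_delete only receives `$id` as a parameter, so whether its callers validate it is not visible here. Since the column is compared as a number, a cast removes the question without changing behaviour for valid input: `. ' AND id = ' . (int) $id;`. The function starts before this hunk.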
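Review bot: The signature `PMA_sqlAddSlashes($a_string = '', $is_like = false, $crlf = false, $php_code = false)` has no @param lines in the visible tail of its docblock (it ends at `@access public`), and the companion commit shows that choosing the wrong `$is_like` at a call site is exactly the class of bug being fixed. I would document the flag: `@param bool $is_like  true when the result is used as a LIKE pattern; backslashes are doubled first so MySQL's pattern parser sees a literal backslash instead of an escape`. Whether `%` and `_` are also handled on that branch is not visible in this hunk and should be stated in the same line once confirmed.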
return $a_string; -} // end of the 'PMA_sqlAddslashes()' function +} // end of the 'PMA_sqlAddSlashes()' function
/** @@ -1996,7 +1996,7 @@ function PMA_getUniqueCondition($handle, $fields_cnt, $fields_meta, $row, $force $condition .= "= b'" . PMA_printable_bit_value($row[$i], $meta->length) . "' AND"; } else { $condition .= '= '' - . PMA_sqlAddslashes($row[$i], false, true) . '' AND'; + . PMA_sqlAddSlashes($row[$i], false, true) . '' AND'; } } if ($meta->primary_key > 0) { @@ -3082,7 +3082,7 @@ function PMA_currentUserHasPrivilege($priv, $db = null, $tbl = null) 'SCHEMA_PRIVILEGES', $username, $priv, - PMA_sqlAddslashes($db)))) { + PMA_sqlAddSlashes($db)))) { return true; } } else { @@ -3098,8 +3098,8 @@ function PMA_currentUserHasPrivilege($priv, $db = null, $tbl = null) 'TABLE_PRIVILEGES', $username, $priv, - PMA_sqlAddslashes($db), - PMA_sqlAddslashes($tbl)))) { + PMA_sqlAddSlashes($db), + PMA_sqlAddSlashes($tbl)))) { return true; } } diff --git a/libraries/database_interface.lib.php b/libraries/database_interface.lib.php index d9f19f3..50ae58b 100644 --- a/libraries/database_interface.lib.php +++ b/libraries/database_interface.lib.php @@ -323,7 +323,7 @@ function PMA_DBI_get_tables_full($database, $table = false, $tbl_is_group = fals // added BINARY in the WHERE clause to force a case sensitive // comparison (if we are looking for the db Aa we don't want // to find the db aa) - $this_databases = array_map('PMA_sqlAddslashes', $databases); + $this_databases = array_map('PMA_sqlAddSlashes', $databases);
$sql = ' SELECT *, @@ -992,7 +992,7 @@ function PMA_DBI_postConnect($link, $is_controluser = false) if (!PMA_DRIZZLE) { if (! empty($GLOBALS['collation_connection'])) { PMA_DBI_query("SET CHARACTER SET 'utf8';", $link, PMA_DBI_QUERY_STORE); - PMA_DBI_query("SET collation_connection = '" . PMA_sqlAddslashes($GLOBALS['collation_connection']) . "';", $link, PMA_DBI_QUERY_STORE); + PMA_DBI_query("SET collation_connection = '" . PMA_sqlAddSlashes($GLOBALS['collation_connection']) . "';", $link, PMA_DBI_QUERY_STORE); } else { PMA_DBI_query("SET NAMES 'utf8' COLLATE 'utf8_general_ci';", $link, PMA_DBI_QUERY_STORE); } @@ -1373,14 +1373,14 @@ function PMA_DBI_get_triggers($db, $table = '', $delimiter = '//') // Note: in http://dev.mysql.com/doc/refman/5.0/en/faqs-triggers.html // their example uses WHERE TRIGGER_SCHEMA='dbname' so let's use this // instead of WHERE EVENT_OBJECT_SCHEMA='dbname' - $query = "SELECT TRIGGER_SCHEMA, TRIGGER_NAME, EVENT_MANIPULATION, EVENT_OBJECT_TABLE, ACTION_TIMING, ACTION_STATEMENT, EVENT_OBJECT_SCHEMA, EVENT_OBJECT_TABLE FROM information_schema.TRIGGERS WHERE TRIGGER_SCHEMA= '" . PMA_sqlAddslashes($db,true) . "';"; + $query = "SELECT TRIGGER_SCHEMA, TRIGGER_NAME, EVENT_MANIPULATION, EVENT_OBJECT_TABLE, ACTION_TIMING, ACTION_STATEMENT, EVENT_OBJECT_SCHEMA, EVENT_OBJECT_TABLE FROM information_schema.TRIGGERS WHERE TRIGGER_SCHEMA= '" . PMA_sqlAddSlashes($db,true) . "';"; if (! empty($table)) { - $query .= " AND EVENT_OBJECT_TABLE = '" . PMA_sqlAddslashes($table, true) . "';"; + $query .= " AND EVENT_OBJECT_TABLE = '" . PMA_sqlAddSlashes($table, true) . "';"; } } else { - $query = "SHOW TRIGGERS FROM " . PMA_backquote(PMA_sqlAddslashes($db,true)); + $query = "SHOW TRIGGERS FROM " . PMA_backquote(PMA_sqlAddSlashes($db,true)); if (! empty($table)) { - $query .= " LIKE '" . PMA_sqlAddslashes($table, true) . "';"; + $query .= " LIKE '" . PMA_sqlAddSlashes($table, true) . "';"; } }
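Review bot: In the information_schema branch the first assignment terminates its string with `';` (`"... TRIGGER_SCHEMA= '" . PMA_sqlAddSlashes($db,true) . "';"`) and the `if (! empty($table))` block then appends `" AND EVENT_OBJECT_TABLE = '...';"` after that semicolon, producing `... = 'db'; AND EVENT_OBJECT_TABLE = 'tbl';` whenever a table is given. Drop the inner terminator, `"... TRIGGER_SCHEMA= '" . PMA_sqlAddSlashes($db) . "'"`, and add the `;` once after the if. Separately, both `=` comparisons in that branch use the LIKE variant (`$db,true`), and `PMA_backquote(PMA_sqlAddSlashes($db,true))` applies string-literal escaping inside what is presumably a backtick-quoted identifier; the LIKE variant belongs only on the `LIKE '...'` line, the other call sites want the plain variant or just PMA_backquote. PMA_DBI_get_triggers continues outside the hunk.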
@@ -1424,8 +1424,8 @@ function PMA_isView($db, $view_name) $result = PMA_DBI_fetch_result( "SELECT TABLE_NAME FROM information_schema.VIEWS - WHERE TABLE_SCHEMA = '" . PMA_sqlAddslashes($db) . "' - AND TABLE_NAME = '" . PMA_sqlAddslashes($view_name) . "'"); + WHERE TABLE_SCHEMA = '" . PMA_sqlAddSlashes($db) . "' + AND TABLE_NAME = '" . PMA_sqlAddSlashes($view_name) . "'");
if ($result) { return true; diff --git a/libraries/db_events.inc.php b/libraries/db_events.inc.php index 4aa68a8..adf265e 100644 --- a/libraries/db_events.inc.php +++ b/libraries/db_events.inc.php @@ -8,7 +8,7 @@ if (! defined('PHPMYADMIN')) { exit; }
-$events = PMA_DBI_fetch_result('SELECT EVENT_NAME, EVENT_TYPE FROM information_schema.EVENTS WHERE EVENT_SCHEMA= '' . PMA_sqlAddslashes($db,true) . '';'); +$events = PMA_DBI_fetch_result('SELECT EVENT_NAME, EVENT_TYPE FROM information_schema.EVENTS WHERE EVENT_SCHEMA= '' . PMA_sqlAddSlashes($db,true) . '';');
$conditional_class_add = ''; $conditional_class_drop = ''; diff --git a/libraries/db_info.inc.php b/libraries/db_info.inc.php index 9d6dcf6..eebad23 100644 --- a/libraries/db_info.inc.php +++ b/libraries/db_info.inc.php @@ -130,7 +130,7 @@ if (true === $cfg['SkipLockedTables']) { if (! isset($sot_cache[$tmp[0]])) { $sts_result = PMA_DBI_query( 'SHOW TABLE STATUS FROM ' . PMA_backquote($db) - . ' LIKE '' . PMA_sqlAddSlashes($tmp[0]) . '';'); + . ' LIKE '' . PMA_sqlAddSlashes($tmp[0], true) . '';'); $sts_tmp = PMA_DBI_fetch_assoc($sts_result); PMA_DBI_free_result($sts_result); unset($sts_result); diff --git a/libraries/db_routines.lib.php b/libraries/db_routines.lib.php index dde8b79..7591d39 100644 --- a/libraries/db_routines.lib.php +++ b/libraries/db_routines.lib.php @@ -186,8 +186,8 @@ function PMA_RTN_getRoutineDataFromName($db, $name, $all = true) $fields = "SPECIFIC_NAME, ROUTINE_TYPE, DTD_IDENTIFIER, " . "ROUTINE_DEFINITION, IS_DETERMINISTIC, SQL_DATA_ACCESS, " . "ROUTINE_COMMENT, SECURITY_TYPE"; - $where = "ROUTINE_SCHEMA='" . PMA_sqlAddslashes($db) . "' " - . "AND SPECIFIC_NAME='" . PMA_sqlAddslashes($name) . "'"; + $where = "ROUTINE_SCHEMA='" . PMA_sqlAddSlashes($db) . "' " + . "AND SPECIFIC_NAME='" . PMA_sqlAddSlashes($name) . "'"; $query = "SELECT $fields FROM INFORMATION_SCHEMA.ROUTINES WHERE $where;";
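Review bot: Switching the `SHOW TABLE STATUS ... LIKE` line to the LIKE variant is right, but only the backslash doubling of that branch is visible in this diff; if `%` and `_` are not escaped as well, a name like `a_b` still matches `axb` and the row cached under `$sot_cache[$tmp[0]]` can belong to a different table. A one-line comment at the call makes the choice explicit for the next reader: `// $tmp[0] is used as a LIKE pattern here, so it needs the LIKE-escaping variant`. The enclosing `if (true === $cfg['SkipLockedTables'])` block starts and ends outside the hunk.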
$routine = PMA_DBI_fetch_single_row($query); @@ -1127,7 +1127,7 @@ function PMA_RTN_getRoutinesList() * Get the routines */ $columns = "`SPECIFIC_NAME`, `ROUTINE_NAME`, `ROUTINE_TYPE`, `DTD_IDENTIFIER`, `ROUTINE_DEFINITION`"; - $where = "ROUTINE_SCHEMA='" . PMA_sqlAddslashes($db) . "'"; + $where = "ROUTINE_SCHEMA='" . PMA_sqlAddSlashes($db) . "'"; $routines = PMA_DBI_fetch_result("SELECT $columns FROM `INFORMATION_SCHEMA`.`ROUTINES` WHERE $where;"); /** * Conditional classes switch the list on or off diff --git a/libraries/db_table_exists.lib.php b/libraries/db_table_exists.lib.php index 8eb93e4..97b7ec8 100644 --- a/libraries/db_table_exists.lib.php +++ b/libraries/db_table_exists.lib.php @@ -46,7 +46,7 @@ if (empty($is_table) && !defined('PMA_SUBMIT_MULT') && ! defined('TABLE_MAY_BE_A
if (! $is_table) { $_result = PMA_DBI_try_query( - 'SHOW TABLES LIKE '' . PMA_sqlAddslashes($table, true) . '';', + 'SHOW TABLES LIKE '' . PMA_sqlAddSlashes($table, true) . '';', null, PMA_DBI_QUERY_STORE); $is_table = @PMA_DBI_num_rows($_result); PMA_DBI_free_result($_result); diff --git a/libraries/display_tbl.lib.php b/libraries/display_tbl.lib.php index 0b63a1e..8fd73de 100644 --- a/libraries/display_tbl.lib.php +++ b/libraries/display_tbl.lib.php @@ -1587,7 +1587,7 @@ function PMA_displayTableBody(&$dt_result, &$is_display, $map, $analyzed_sql) {
// do not wrap if date field type $nowrap = ((preg_match('@DATE|TIME@i', $meta->type) || $bool_nowrap) ? ' nowrap' : ''); - $where_comparison = ' = '' . PMA_sqlAddslashes($row[$i]) . '''; + $where_comparison = ' = '' . PMA_sqlAddSlashes($row[$i]) . '''; $vertical_display['data'][$row_no][$i] = '<td ' . PMA_prepare_row_data($class, $condition_field, $analyzed_sql, $meta, $map, $row[$i], $transform_function, $default_function, $nowrap, $where_comparison, $transform_options, $is_field_truncated);
} else { diff --git a/libraries/export/sql.php b/libraries/export/sql.php index ed61a07..3b0d968 100644 --- a/libraries/export/sql.php +++ b/libraries/export/sql.php @@ -595,7 +595,7 @@ function PMA_exportDBFooter($db) $delimiter = '$$';
if (PMA_MYSQL_INT_VERSION > 50100) { - $event_names = PMA_DBI_fetch_result('SELECT EVENT_NAME FROM information_schema.EVENTS WHERE EVENT_SCHEMA= '' . PMA_sqlAddslashes($db,true) . '';'); + $event_names = PMA_DBI_fetch_result('SELECT EVENT_NAME FROM information_schema.EVENTS WHERE EVENT_SCHEMA= '' . PMA_sqlAddSlashes($db,true) . '';'); } else { $event_names = array(); } @@ -690,7 +690,7 @@ function PMA_getTableDef($db, $table, $crlf, $error_url, $show_dates = false, $a $new_crlf = $crlf;
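Review bot: The EVENT_SCHEMA lookup uses an `=` comparison but escapes with the LIKE variant, `PMA_sqlAddSlashes($db,true)`; that variant first doubles every backslash (visible in the common.lib.php hunk), which is correct for a pattern but wrong for equality, so a schema name containing a backslash would be compared against a doubled one. Use the plain variant here: `PMA_sqlAddSlashes($db)`. The same call shape appears in the db_events.inc.php hunk above. PMA_exportDBFooter continues outside the hunk.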
// need to use PMA_DBI_QUERY_STORE with PMA_DBI_num_rows() in mysqli - $result = PMA_DBI_query('SHOW TABLE STATUS FROM ' . PMA_backquote($db) . ' LIKE '' . PMA_sqlAddslashes($table) . ''', null, PMA_DBI_QUERY_STORE); + $result = PMA_DBI_query('SHOW TABLE STATUS FROM ' . PMA_backquote($db) . ' LIKE '' . PMA_sqlAddSlashes($table, true) . ''', null, PMA_DBI_QUERY_STORE); if ($result != false) { if (PMA_DBI_num_rows($result) > 0) { $tmpres = PMA_DBI_fetch_assoc($result); @@ -1184,10 +1184,10 @@ function PMA_exportData($db, $table, $crlf, $error_url, $sql_query) } // detection of 'bit' works only on mysqli extension } elseif ($fields_meta[$j]->type == 'bit') { - $values[] = "b'" . PMA_sqlAddslashes(PMA_printable_bit_value($row[$j], $fields_meta[$j]->length)) . "'"; + $values[] = "b'" . PMA_sqlAddSlashes(PMA_printable_bit_value($row[$j], $fields_meta[$j]->length)) . "'"; // something else -> treat as a string } else { - $values[] = ''' . str_replace($search, $replace, PMA_sqlAddslashes($row[$j])) . '''; + $values[] = ''' . str_replace($search, $replace, PMA_sqlAddSlashes($row[$j])) . '''; } // end if } // end for
diff --git a/libraries/import.lib.php b/libraries/import.lib.php index 75e65a0..e2cbdd2 100644 --- a/libraries/import.lib.php +++ b/libraries/import.lib.php @@ -987,7 +987,7 @@ function PMA_buildSQL($db_name, &$tables, &$analyses = NULL, &$additional_sql = }
$tempSQLStr .= (($is_varchar) ? "'" : ""); - $tempSQLStr .= PMA_sqlAddslashes((string)$tables[$i][ROWS][$j][$k]); + $tempSQLStr .= PMA_sqlAddSlashes((string)$tables[$i][ROWS][$j][$k]); $tempSQLStr .= (($is_varchar) ? "'" : "");
if ($k != ($num_cols - 1)) { diff --git a/libraries/import/docsql.php b/libraries/import/docsql.php index 3ac799f..4ba089a 100644 --- a/libraries/import/docsql.php +++ b/libraries/import/docsql.php @@ -68,10 +68,10 @@ if ($data === true && !$error && !$timeout_passed) { ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['column_info']) . ' (db_name, table_name, column_name, ' . PMA_backquote('comment') . ') VALUES ( - '' . PMA_sqlAddslashes($GLOBALS['db']) . '', - '' . PMA_sqlAddslashes(trim($tab)) . '', - '' . PMA_sqlAddslashes(trim($inf[0])) . '', - '' . PMA_sqlAddslashes(trim($inf[1])) . '')'; + '' . PMA_sqlAddSlashes($GLOBALS['db']) . '', + '' . PMA_sqlAddSlashes(trim($tab)) . '', + '' . PMA_sqlAddSlashes(trim($inf[0])) . '', + '' . PMA_sqlAddSlashes(trim($inf[1])) . '')'; PMA_importRunQuery($qry, $qry . '-- ' . htmlspecialchars($tab) . '.' . htmlspecialchars($inf[0]), true); } // end inf[1] exists if (!empty($inf[2]) && strlen(trim($inf[2])) > 0) { @@ -81,12 +81,12 @@ if ($data === true && !$error && !$timeout_passed) { ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['relation']) . ' (master_db, master_table, master_field, foreign_db, foreign_table, foreign_field) VALUES ( - '' . PMA_sqlAddslashes($GLOBALS['db']) . '', - '' . PMA_sqlAddslashes(trim($tab)) . '', - '' . PMA_sqlAddslashes(trim($inf[0])) . '', - '' . PMA_sqlAddslashes($GLOBALS['db']) . '', - '' . PMA_sqlAddslashes(trim($for[0])) . '', - '' . PMA_sqlAddslashes(trim($for[1])) . '')'; + '' . PMA_sqlAddSlashes($GLOBALS['db']) . '', + '' . PMA_sqlAddSlashes(trim($tab)) . '', + '' . PMA_sqlAddSlashes(trim($inf[0])) . '', + '' . PMA_sqlAddSlashes($GLOBALS['db']) . '', + '' . PMA_sqlAddSlashes(trim($for[0])) . '', + '' . PMA_sqlAddSlashes(trim($for[1])) . '')'; PMA_importRunQuery($qry, $qry . '-- ' . htmlspecialchars($tab) . '.' . htmlspecialchars($inf[0]) . '(' . htmlspecialchars($inf[2]) . ')', true); } // end inf[2] exists } // End lines loop 
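Review bot: When `$is_varchar` is false the cell is emitted with no quotes around it, so `PMA_sqlAddSlashes((string)$tables[$i][ROWS][$j][$k])` has nothing to protect: backslash escaping only matters inside a quoted literal, and a cell that the type analysis classed as numeric but that contains something like `1 OR 1` (how `$is_varchar` is derived is outside this hunk) is spliced into the INSERT as-is. Guard the unquoted branch and fall back to the quoted form otherwise, replacing the three lines: `$cell = (string) $tables[$i][ROWS][$j][$k];` then `$tempSQLStr .= ($is_varchar || ! is_numeric($cell)) ? "'" . PMA_sqlAddSlashes($cell) . "'" : $cell;`. PMA_buildSQL begins and ends outside the hunk.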
diff --git a/libraries/import/ldi.php b/libraries/import/ldi.php index 56dabf9..fe5264c 100644 --- a/libraries/import/ldi.php +++ b/libraries/import/ldi.php @@ -63,7 +63,7 @@ $sql = 'LOAD DATA'; if (isset($ldi_local_option)) { $sql .= ' LOCAL'; } -$sql .= ' INFILE '' . PMA_sqlAddslashes($import_file) . '''; +$sql .= ' INFILE '' . PMA_sqlAddSlashes($import_file) . '''; if (isset($ldi_replace)) { $sql .= ' REPLACE'; } elseif (isset($ldi_ignore)) { @@ -75,10 +75,10 @@ if (strlen($ldi_terminated) > 0) { $sql .= ' FIELDS TERMINATED BY '' . $ldi_terminated . '''; } if (strlen($ldi_enclosed) > 0) { - $sql .= ' ENCLOSED BY '' . PMA_sqlAddslashes($ldi_enclosed) . '''; + $sql .= ' ENCLOSED BY '' . PMA_sqlAddSlashes($ldi_enclosed) . '''; } if (strlen($ldi_escaped) > 0) { - $sql .= ' ESCAPED BY '' . PMA_sqlAddslashes($ldi_escaped) . '''; + $sql .= ' ESCAPED BY '' . PMA_sqlAddSlashes($ldi_escaped) . '''; } if (strlen($ldi_new_line) > 0){ if ($ldi_new_line == 'auto') { diff --git a/libraries/relation.lib.php b/libraries/relation.lib.php index 9ac5282..c2acd8e 100644 --- a/libraries/relation.lib.php +++ b/libraries/relation.lib.php @@ -380,10 +380,10 @@ function PMA_getForeigners($db, $table, $column = '', $source = 'both') `foreign_table`, `foreign_field` FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['relation']) . ' - WHERE `master_db` = '' . PMA_sqlAddslashes($db) . '' - AND `master_table` = '' . PMA_sqlAddslashes($table) . '' '; + WHERE `master_db` = '' . PMA_sqlAddSlashes($db) . '' + AND `master_table` = '' . PMA_sqlAddSlashes($table) . '' '; if (strlen($column)) { - $rel_query .= ' AND `master_field` = '' . PMA_sqlAddslashes($column) . '''; + $rel_query .= ' AND `master_field` = '' . PMA_sqlAddSlashes($column) . '''; } $foreign = PMA_DBI_fetch_result($rel_query, 'master_field', null, $GLOBALS['controllink']); } 
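Review bot: `$ldi_terminated` still goes into the statement unescaped on the context line just above the two this hunk fixes, `' FIELDS TERMINATED BY \'' . $ldi_terminated . '\''`, while `$ldi_enclosed` and `$ldi_escaped` are now wrapped in PMA_sqlAddSlashes; all three look like the same kind of user-supplied import option (their origin is outside the hunk), so a terminator containing a quote breaks or alters the LOAD DATA statement. Treat it like its siblings: `$sql .= ' FIELDS TERMINATED BY \'' . PMA_sqlAddSlashes($ldi_terminated) . '\'';`. The script-level code runs past both edges of the hunk.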
@@ -473,8 +473,8 @@ function PMA_getDisplayField($db, $table) $disp_query = ' SELECT `display_field` FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['table_info']) . ' - WHERE `db_name` = '' . PMA_sqlAddslashes($db) . '' - AND `table_name` = '' . PMA_sqlAddslashes($table) . '''; + WHERE `db_name` = '' . PMA_sqlAddSlashes($db) . '' + AND `table_name` = '' . PMA_sqlAddSlashes($table) . ''';
$row = PMA_DBI_fetch_single_row($disp_query, 'ASSOC', $GLOBALS['controllink']); if (isset($row['display_field'])) { @@ -545,7 +545,7 @@ function PMA_getDbComment($db) $com_qry = " SELECT `comment` FROM " . PMA_backquote($cfgRelation['db']) . "." . PMA_backquote($cfgRelation['column_info']) . " - WHERE db_name = '" . PMA_sqlAddslashes($db) . "' + WHERE db_name = '" . PMA_sqlAddSlashes($db) . "' AND table_name = '' AND column_name = '(db_comment)'"; $com_rs = PMA_query_as_controluser($com_qry, true, PMA_DBI_QUERY_STORE); @@ -613,17 +613,17 @@ function PMA_setDbComment($db, $comment = '') " . PMA_backquote($cfgRelation['db']) . "." . PMA_backquote($cfgRelation['column_info']) . " (`db_name`, `table_name`, `column_name`, `comment`) VALUES ( - '" . PMA_sqlAddslashes($db) . "', + '" . PMA_sqlAddSlashes($db) . "', '', '(db_comment)', - '" . PMA_sqlAddslashes($comment) . "') + '" . PMA_sqlAddSlashes($comment) . "') ON DUPLICATE KEY UPDATE - `comment` = '" . PMA_sqlAddslashes($comment) . "'"; + `comment` = '" . PMA_sqlAddSlashes($comment) . "'"; } else { $upd_query = ' DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['column_info']) . ' - WHERE `db_name` = '' . PMA_sqlAddslashes($db) . '' + WHERE `db_name` = '' . PMA_sqlAddSlashes($db) . '' AND `table_name` = '' AND `column_name` = '(db_comment)''; } @@ -686,11 +686,11 @@ function PMA_setHistory($db, $table, $username, $sqlquery) `timevalue`, `sqlquery`) VALUES - ('' . PMA_sqlAddslashes($username) . '', - '' . PMA_sqlAddslashes($db) . '', - '' . PMA_sqlAddslashes($table) . '', + ('' . PMA_sqlAddSlashes($username) . '', + '' . PMA_sqlAddSlashes($db) . '', + '' . PMA_sqlAddSlashes($table) . '', NOW(), - '' . PMA_sqlAddslashes($sqlquery) . '')'); + '' . PMA_sqlAddSlashes($sqlquery) . '')'); } // end of 'PMA_setHistory()' function
/** @@ -713,7 +713,7 @@ function PMA_getHistory($username) `table`, `sqlquery` FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['history']) . ' - WHERE `username` = '' . PMA_sqlAddslashes($username) . '' + WHERE `username` = '' . PMA_sqlAddSlashes($username) . '' ORDER BY `id` DESC';
return PMA_DBI_fetch_result($hist_query, null, null, $GLOBALS['controllink']); @@ -930,9 +930,9 @@ function PMA_getForeignData($foreigners, $field, $override_total, $foreign_filte . (($foreign_display == false) ? '' : ', ' . PMA_backquote($foreign_display)); $f_query_from = ' FROM ' . PMA_backquote($foreign_db) . '.' . PMA_backquote($foreign_table); $f_query_filter = empty($foreign_filter) ? '' : ' WHERE ' . PMA_backquote($foreign_field) - . ' LIKE "%' . PMA_sqlAddslashes($foreign_filter, true) . '%"' + . ' LIKE "%' . PMA_sqlAddSlashes($foreign_filter, true) . '%"' . (($foreign_display == false) ? '' : ' OR ' . PMA_backquote($foreign_display) - . ' LIKE "%' . PMA_sqlAddslashes($foreign_filter, true) . '%"' + . ' LIKE "%' . PMA_sqlAddSlashes($foreign_filter, true) . '%"' ); $f_query_order = ($foreign_display == false) ? '' :' ORDER BY ' . PMA_backquote($foreign_table) . '.' . PMA_backquote($foreign_display); $f_query_limit = isset($foreign_limit) ? $foreign_limit : ''; @@ -999,8 +999,8 @@ function PMA_getRelatives($from) $rel_query = 'SELECT *' . ' FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($GLOBALS['cfgRelation']['relation']) - . ' WHERE ' . $from . '_db = '' . PMA_sqlAddslashes($GLOBALS['db']) . ''' - . ' AND ' . $to . '_db = '' . PMA_sqlAddslashes($GLOBALS['db']) . ''' + . ' WHERE ' . $from . '_db = '' . PMA_sqlAddSlashes($GLOBALS['db']) . ''' + . ' AND ' . $to . '_db = '' . PMA_sqlAddSlashes($GLOBALS['db']) . ''' . ' AND ' . $from . '_table IN ' . $in_know . ' AND ' . $to . '_table IN ' . $in_left; $relations = @PMA_DBI_query($rel_query, $GLOBALS['controllink']); @@ -1038,26 +1038,26 @@ function PMA_REL_renameField($db, $table, $field, $new_name)
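Review bot: The filter clause wraps the pattern in double quotes, `' LIKE "%' . PMA_sqlAddSlashes($foreign_filter, true) . '%"'`, so under `sql_mode=ANSI_QUOTES` MySQL reads `"%...%"` as a quoted identifier and the query fails; every other literal on this page uses single quotes. Switch the delimiters on both the field and the display-field comparison: `' LIKE \'%' . PMA_sqlAddSlashes($foreign_filter, true) . '%\''`. PMA_getForeignData starts and ends outside the hunk.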
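Review bot: `$from` and `$to` are concatenated into column names (`' WHERE ' . $from . '_db = ...'`, `' AND ' . $to . '_db = ...'`) and `$in_know`/`$in_left` are spliced in raw, none of which the PMA_sqlAddSlashes calls in this hunk can cover; `$from` is a parameter of PMA_getRelatives and `$to`, `$in_know` and `$in_left` are built before the hunk, so I cannot see whether they are restricted. A guard at the top of the function pins the only two meaningful values: `if (! in_array($from, array('master', 'foreign'), true)) { return array(); }` (use whatever empty result the function's own convention is, which is outside the hunk).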
if ($cfgRelation['displaywork']) { $table_query = 'UPDATE ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['table_info']) - . ' SET display_field = '' . PMA_sqlAddslashes($new_name) . ''' - . ' WHERE db_name = '' . PMA_sqlAddslashes($db) . ''' - . ' AND table_name = '' . PMA_sqlAddslashes($table) . ''' - . ' AND display_field = '' . PMA_sqlAddslashes($field) . '''; + . ' SET display_field = '' . PMA_sqlAddSlashes($new_name) . ''' + . ' WHERE db_name = '' . PMA_sqlAddSlashes($db) . ''' + . ' AND table_name = '' . PMA_sqlAddSlashes($table) . ''' + . ' AND display_field = '' . PMA_sqlAddSlashes($field) . '''; PMA_query_as_controluser($table_query); }
if ($cfgRelation['relwork']) { $table_query = 'UPDATE ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['relation']) - . ' SET master_field = '' . PMA_sqlAddslashes($new_name) . ''' - . ' WHERE master_db = '' . PMA_sqlAddslashes($db) . ''' - . ' AND master_table = '' . PMA_sqlAddslashes($table) . ''' - . ' AND master_field = '' . PMA_sqlAddslashes($field) . '''; + . ' SET master_field = '' . PMA_sqlAddSlashes($new_name) . ''' + . ' WHERE master_db = '' . PMA_sqlAddSlashes($db) . ''' + . ' AND master_table = '' . PMA_sqlAddSlashes($table) . ''' + . ' AND master_field = '' . PMA_sqlAddSlashes($field) . '''; PMA_query_as_controluser($table_query);
$table_query = 'UPDATE ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['relation']) - . ' SET foreign_field = '' . PMA_sqlAddslashes($new_name) . ''' - . ' WHERE foreign_db = '' . PMA_sqlAddslashes($db) . ''' - . ' AND foreign_table = '' . PMA_sqlAddslashes($table) . ''' - . ' AND foreign_field = '' . PMA_sqlAddslashes($field) . '''; + . ' SET foreign_field = '' . PMA_sqlAddSlashes($new_name) . ''' + . ' WHERE foreign_db = '' . PMA_sqlAddSlashes($db) . ''' + . ' AND foreign_table = '' . PMA_sqlAddSlashes($table) . ''' + . ' AND foreign_field = '' . PMA_sqlAddSlashes($field) . '''; PMA_query_as_controluser($table_query); } // end if relwork } @@ -1077,7 +1077,7 @@ function PMA_REL_create_page($newpage, $cfgRelation, $db, $query_default_option) } $ins_query = 'INSERT INTO ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['pdf_pages']) . ' (db_name, page_descr)' - . ' VALUES ('' . PMA_sqlAddslashes($db) . '', '' . PMA_sqlAddslashes($newpage) . '')'; + . ' VALUES ('' . PMA_sqlAddSlashes($db) . '', '' . PMA_sqlAddSlashes($newpage) . '')'; PMA_query_as_controluser($ins_query, false, $query_default_option); return PMA_DBI_insert_id(isset($GLOBALS['controllink']) ? $GLOBALS['controllink'] : ''); } diff --git a/libraries/relation_cleanup.lib.php b/libraries/relation_cleanup.lib.php index a03cf1f..3546fbb 100644 --- a/libraries/relation_cleanup.lib.php +++ b/libraries/relation_cleanup.lib.php @@ -22,31 +22,31 @@ function PMA_relationsCleanupColumn($db, $table, $column)
if ($cfgRelation['commwork']) { $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['column_info']) - . ' WHERE db_name = '' . PMA_sqlAddslashes($db) . ''' - . ' AND table_name = '' . PMA_sqlAddslashes($table) . ''' - . ' AND column_name = '' . PMA_sqlAddslashes($column) . '''; + . ' WHERE db_name = '' . PMA_sqlAddSlashes($db) . ''' + . ' AND table_name = '' . PMA_sqlAddSlashes($table) . ''' + . ' AND column_name = '' . PMA_sqlAddSlashes($column) . '''; PMA_query_as_controluser($remove_query); }
if ($cfgRelation['displaywork']) { $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['table_info']) - . ' WHERE db_name = '' . PMA_sqlAddslashes($db) . ''' - . ' AND table_name = '' . PMA_sqlAddslashes($table) . ''' - . ' AND display_field = '' . PMA_sqlAddslashes($column) . '''; + . ' WHERE db_name = '' . PMA_sqlAddSlashes($db) . ''' + . ' AND table_name = '' . PMA_sqlAddSlashes($table) . ''' + . ' AND display_field = '' . PMA_sqlAddSlashes($column) . '''; PMA_query_as_controluser($remove_query); }
if ($cfgRelation['relwork']) { $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['relation']) - . ' WHERE master_db = '' . PMA_sqlAddslashes($db) . ''' - . ' AND master_table = '' . PMA_sqlAddslashes($table) . ''' - . ' AND master_field = '' . PMA_sqlAddslashes($column) . '''; + . ' WHERE master_db = '' . PMA_sqlAddSlashes($db) . ''' + . ' AND master_table = '' . PMA_sqlAddSlashes($table) . ''' + . ' AND master_field = '' . PMA_sqlAddSlashes($column) . '''; PMA_query_as_controluser($remove_query);
$remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['relation']) - . ' WHERE foreign_db = '' . PMA_sqlAddslashes($db) . ''' - . ' AND foreign_table = '' . PMA_sqlAddslashes($table) . ''' - . ' AND foreign_field = '' . PMA_sqlAddslashes($column) . '''; + . ' WHERE foreign_db = '' . PMA_sqlAddSlashes($db) . ''' + . ' AND foreign_table = '' . PMA_sqlAddSlashes($table) . ''' + . ' AND foreign_field = '' . PMA_sqlAddSlashes($column) . '''; PMA_query_as_controluser($remove_query); } } @@ -63,41 +63,41 @@ function PMA_relationsCleanupTable($db, $table)
if ($cfgRelation['commwork']) { $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['column_info']) - . ' WHERE db_name = '' . PMA_sqlAddslashes($db) . ''' - . ' AND table_name = '' . PMA_sqlAddslashes($table) . '''; + . ' WHERE db_name = '' . PMA_sqlAddSlashes($db) . ''' + . ' AND table_name = '' . PMA_sqlAddSlashes($table) . '''; PMA_query_as_controluser($remove_query); }
if ($cfgRelation['displaywork']) { $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['table_info']) - . ' WHERE db_name = '' . PMA_sqlAddslashes($db) . ''' - . ' AND table_name = '' . PMA_sqlAddslashes($table) . '''; + . ' WHERE db_name = '' . PMA_sqlAddSlashes($db) . ''' + . ' AND table_name = '' . PMA_sqlAddSlashes($table) . '''; PMA_query_as_controluser($remove_query); }
if ($cfgRelation['pdfwork']) { $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['table_coords']) - . ' WHERE db_name = '' . PMA_sqlAddslashes($db) . ''' - . ' AND table_name = '' . PMA_sqlAddslashes($table) . '''; + . ' WHERE db_name = '' . PMA_sqlAddSlashes($db) . ''' + . ' AND table_name = '' . PMA_sqlAddSlashes($table) . '''; PMA_query_as_controluser($remove_query); }
if ($cfgRelation['designerwork']) { $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['designer_coords']) - . ' WHERE db_name = '' . PMA_sqlAddslashes($db) . ''' - . ' AND table_name = '' . PMA_sqlAddslashes($table) . '''; + . ' WHERE db_name = '' . PMA_sqlAddSlashes($db) . ''' + . ' AND table_name = '' . PMA_sqlAddSlashes($table) . '''; PMA_query_as_controluser($remove_query); }
if ($cfgRelation['relwork']) { $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['relation']) - . ' WHERE master_db = '' . PMA_sqlAddslashes($db) . ''' - . ' AND master_table = '' . PMA_sqlAddslashes($table) . '''; + . ' WHERE master_db = '' . PMA_sqlAddSlashes($db) . ''' + . ' AND master_table = '' . PMA_sqlAddSlashes($table) . '''; PMA_query_as_controluser($remove_query);
$remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['relation']) - . ' WHERE foreign_db = '' . PMA_sqlAddslashes($db) . ''' - . ' AND foreign_table = '' . PMA_sqlAddslashes($table) . '''; + . ' WHERE foreign_db = '' . PMA_sqlAddSlashes($db) . ''' + . ' AND foreign_table = '' . PMA_sqlAddSlashes($table) . '''; PMA_query_as_controluser($remove_query); } } @@ -113,45 +113,45 @@ function PMA_relationsCleanupDatabase($db)
if ($cfgRelation['commwork']) { $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['column_info']) - . ' WHERE db_name = '' . PMA_sqlAddslashes($db) . '''; + . ' WHERE db_name = '' . PMA_sqlAddSlashes($db) . '''; PMA_query_as_controluser($remove_query); }
if ($cfgRelation['bookmarkwork']) { $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['bookmark']) - . ' WHERE dbase = '' . PMA_sqlAddslashes($db) . '''; + . ' WHERE dbase = '' . PMA_sqlAddSlashes($db) . '''; PMA_query_as_controluser($remove_query); }
if ($cfgRelation['displaywork']) { $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['table_info']) - . ' WHERE db_name = '' . PMA_sqlAddslashes($db) . '''; + . ' WHERE db_name = '' . PMA_sqlAddSlashes($db) . '''; PMA_query_as_controluser($remove_query); }
 if ($cfgRelation['pdfwork']) {
 $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['pdf_pages'])
- . ' WHERE db_name = '' . PMA_sqlAddslashes($db) . ''';
+ . ' WHERE db_name = '' . PMA_sqlAddSlashes($db) . ''';
 PMA_query_as_controluser($remove_query);
 $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['table_coords'])
- . ' WHERE db_name = '' . PMA_sqlAddslashes($db) . ''';
+ . ' WHERE db_name = '' . PMA_sqlAddSlashes($db) . ''';
 PMA_query_as_controluser($remove_query);
 }
 if ($cfgRelation['designerwork']) {
 $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['designer_coords'])
- . ' WHERE db_name = '' . PMA_sqlAddslashes($db) . ''';
+ . ' WHERE db_name = '' . PMA_sqlAddSlashes($db) . ''';
 PMA_query_as_controluser($remove_query);
 }
 if ($cfgRelation['relwork']) {
 $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['relation'])
- . ' WHERE master_db = '' . PMA_sqlAddslashes($db) . ''';
+ . ' WHERE master_db = '' . PMA_sqlAddSlashes($db) . ''';
 PMA_query_as_controluser($remove_query);
 $remove_query = 'DELETE FROM ' . PMA_backquote($cfgRelation['db']) . '.' . PMA_backquote($cfgRelation['relation'])
- . ' WHERE foreign_db = '' . PMA_sqlAddslashes($db) . ''';
+ . ' WHERE foreign_db = '' . PMA_sqlAddSlashes($db) . ''';
 PMA_query_as_controluser($remove_query);
 }
 }
diff --git a/libraries/schema/Dia_Relation_Schema.class.php b/libraries/schema/Dia_Relation_Schema.class.php
index e2f5236..bccf214 100644
--- a/libraries/schema/Dia_Relation_Schema.class.php
+++ b/libraries/schema/Dia_Relation_Schema.class.php
@@ -240,8 +240,8 @@ class Table_Stats
 $sql = 'SELECT x, y FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords'])
- . ' WHERE db_name = '' . PMA_sqlAddslashes($db) . '''
- . ' AND table_name = '' . PMA_sqlAddslashes($tableName) . '''
+ . ' WHERE db_name = '' . PMA_sqlAddSlashes($db) . '''
+ . ' AND table_name = '' . PMA_sqlAddSlashes($tableName) . '''
 . ' AND pdf_page_number = ' . $pageNumber;
 $result = PMA_query_as_controluser($sql, false, PMA_DBI_QUERY_STORE);
 if (!$result || !PMA_DBI_num_rows($result)) {
diff --git a/libraries/schema/Eps_Relation_Schema.class.php b/libraries/schema/Eps_Relation_Schema.class.php
index 7dbec6d..50ea7e3 100644
--- a/libraries/schema/Eps_Relation_Schema.class.php
+++ b/libraries/schema/Eps_Relation_Schema.class.php
@@ -427,8 +427,8 @@ class Table_Stats
 // x and y
 $sql = 'SELECT x, y FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords'])
- . ' WHERE db_name = '' . PMA_sqlAddslashes($db) . '''
- . ' AND table_name = '' . PMA_sqlAddslashes($tableName) . '''
+ . ' WHERE db_name = '' . PMA_sqlAddSlashes($db) . '''
+ . ' AND table_name = '' . PMA_sqlAddSlashes($tableName) . '''
 . ' AND pdf_page_number = ' . $pageNumber;
 $result = PMA_query_as_controluser($sql, false, PMA_DBI_QUERY_STORE);
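Review bot: `$pageNumber` is concatenated into the WHERE clause unquoted and unescaped on the context line `. ' AND pdf_page_number = ' . $pageNumber;`, while `$db` and `$tableName` on the adjacent lines now go through PMA_sqlAddSlashes. Unless the caller has already validated it as an integer (not visible in this hunk), the value should be coerced at the point of use, e.g. `. ' AND pdf_page_number = ' . (int) $pageNumber;`. The same line appears in the Eps_Relation_Schema hunk sharing this position and in the first Export_Relation_Schema hunk that follows, so the fix applies to all three. The enclosing method starts outside the hunk in each case.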
diff --git a/libraries/schema/Export_Relation_Schema.class.php b/libraries/schema/Export_Relation_Schema.class.php
index 6c9cca7..bfdb063 100644
--- a/libraries/schema/Export_Relation_Schema.class.php
+++ b/libraries/schema/Export_Relation_Schema.class.php
@@ -162,7 +162,7 @@ class PMA_Export_Relation_Schema
 global $cfgRelation;
 // Get All tables
 $tab_sql = 'SELECT table_name FROM ' . PMA_backquote($GLOBALS['cfgRelation']['db']) . '.' . PMA_backquote($cfgRelation['table_coords'])
- . ' WHERE db_name = '' . PMA_sqlAddslashes($db) . '''
+ . ' WHERE db_name = '' . PMA_sqlAddSlashes($db) . '''
 . ' AND pdf_page_number = ' . $pageNumber;
$tab_rs = PMA_query_as_controluser($tab_sql, null, PMA_DBI_QUERY_STORE); @@ -170,7 +170,7 @@ class PMA_Export_Relation_Schema $this->dieSchema('',__('This page does not contain any tables!')); } while ($curr_table = @PMA_DBI_fetch_assoc($tab_rs)) { - $alltables[] = PMA_sqlAddslashes($curr_table['table_name']); + $alltables[] = PMA_sqlAddSlashes($curr_table['table_name']); } return $alltables; } diff --git a/libraries/schema/Pdf_Relation_Schema.class.php b/libraries/schema/Pdf_Relation_Schema.class.php index d6f212f..abdcf6c schema/Pdf_Relation_Schema.class.php b/libraries/schema/Pdf_Relation_Schema.class.php uote($cfgRelation['table_coords']) y); true); ); nsform_function, $default_function, $nowrap, $where_comparison, $transform_options, $is_field_truncated); 'label']) . '')'; �+ 6 � �! �! �Ru� ��Ru� xd�V�+ ��Ru� "�nU�+ �nU�+ �Ru� �nU�+ O�Ru� �_�V�+ �nU�+ P�V�+ �T�V�+ �Y�V�+ �4pU�+ xd�V�+ ��Ru� `�Ru� ��nU�+ �! �! �Ru� ��Ru� �-kV�+ p�Ru� "�nU�+ �nU�+ �Ru� �nU�+ O�Ru� @�Ru� 8�Ru� ˏU�+ �p� ��Ru� �nU�+ �4pU�+ p�Ru� @�Ru� ��nU�+ G H I J K M N O P �Ru� ��Ru� H�AV�+ �Ru� "�nU�+ �nU�+ �Ru� 0_�V�+ �nU�+ p�V�+ �V�+ P�V�+ �T�V�+ �Y�V�+ �4pU�+ H�AV�+ �Ru� P�Ru� ��nU�+ 8�AV�+ �Ru� ��Ru� ��nU�+ (�AV�+ �Ru� ��Ru� ��nU�+ �AV�+ �Ru� ��Ru� ��nU�+ �^�V�+ �nU�+ �Y�V�+ `�Ru� �hV�+ �nU�+ �T�V�+ ��Ru� yhV�+ �nU�+ P�V�+ ��Ru� ZhV�+ �nU�+ �V�+ p�V�+ �V�+ P�V�+ �t�V�+ �T�V�+ �Y�V�+ �4pU�+ �]V�+ 0�Ru� �Ru� ��nU�+ # % ' ) * - . 0 3 5 6 7 8 : <