Fixed warnings of editor login, tables list and data list pages

This commit is contained in:
Lionel Laffineur 2023-12-06 23:00:08 +01:00
parent 70b1080775
commit 8c361c74e9
6 changed files with 99 additions and 86 deletions

View file

@ -11,14 +11,14 @@ foreach ($fields as $name => $field) {
if ($_POST && !$error && !isset($_GET["select"])) {
$location = $_POST["referer"];
if ($_POST["insert"]) { // continue edit or insert
if (isset($_POST["insert"]) && $_POST["insert"]) { // continue edit or insert
$location = ($update ? null : $_SERVER["REQUEST_URI"]);
} elseif (!preg_match('~^.+&select=.+$~', $location)) {
$location = ME . "select=" . urlencode($TABLE);
}
$indexes = indexes($TABLE);
$unique_array = unique_array($_GET["where"], $indexes);
$unique_array = unique_array((isset($_GET["where"]) ? $_GET["where"] : []), $indexes);
$query_where = "\nWHERE $where";
if (isset($_POST["delete"])) {
@ -60,14 +60,14 @@ if ($_POST && !$error && !isset($_GET["select"])) {
}
$row = null;
if ($_POST["save"]) {
if (isset($_POST["save"]) &&$_POST["save"]) {
$row = (array) $_POST["fields"];
} elseif ($where) {
$select = array();
foreach ($fields as $name => $field) {
if (isset($field["privileges"]["select"])) {
$as = convert_field($field);
if ($_POST["clone"] && $field["auto_increment"]) {
if (isset($_POST["clone"]) && $_POST["clone"] && isset($field["auto_increment"]) && $field["auto_increment"]) {
$as = "''";
}
if ($jush == "sql" && preg_match("~enum|set~", $field["type"])) {

View file

@ -1,14 +1,14 @@
<?php
$connection = '';
$has_token = $_SESSION["token"];
$has_token = isset($_SESSION["token"]) && $_SESSION["token"];
if (!$has_token) {
$_SESSION["token"] = rand(1, 1e6); // defense against cross-site request forgery
}
$token = get_token(); ///< @var string CSRF protection
$permanent = array();
if ($_COOKIE["adminer_permanent"]) {
if (isset($_COOKIE["adminer_permanent"]) && $_COOKIE["adminer_permanent"]) {
foreach (explode(" ", $_COOKIE["adminer_permanent"]) as $val) {
list($key) = explode(":", $val);
$permanent[$key] = $val;
@ -59,11 +59,11 @@ function check_invalid_login() {
$auth = (isset($_POST["auth"]) ? $_POST["auth"] : null);
if ($auth) {
session_regenerate_id(); // defense against session fixation
$vendor = $auth["driver"];
$server = $auth["server"];
$username = $auth["username"];
$password = (string) $auth["password"];
$db = $auth["db"];
$vendor = isset($auth["driver"]) ? $auth["driver"] : null;
$server = isset($auth["server"]) ? $auth["server"] : null;
$username = isset($auth["username"]) ? $auth["username"] : null;
$password = isset($auth["password"]) ? (string) $auth["password"] : null;
$db = isset($auth["db"]) ? $auth["db"] : null;
set_password($vendor, $server, $username, $password);
$_SESSION["db"][$vendor][$server][$username][$db] = true;
if ($auth["permanent"]) {

View file

@ -490,21 +490,25 @@ function escape_key($key) {
function where($where, $fields = array()) {
global $connection, $jush;
$return = array();
foreach ((array) $where["where"] as $key => $val) {
$key = bracket_escape($key, 1); // 1 - back
$column = escape_key($key);
$return[] = $column
. ($jush == "sql" && is_numeric($val) && preg_match('~\.~', $val) ? " LIKE " . q($val) // LIKE because of floats but slow with ints
: ($jush == "mssql" ? " LIKE " . q(preg_replace('~[_%[]~', '[\0]', $val)) // LIKE because of text
: " = " . unconvert_field($fields[$key], q($val))
))
; //! enum and set
if ($jush == "sql" && preg_match('~char|text~', $fields[$key]["type"] ?? null) && preg_match("~[^ -@]~", $val)) { // not just [a-z] to catch non-ASCII characters
$return[] = "$column = " . q($val) . " COLLATE " . charset($connection) . "_bin";
if (isset($where["where"])) {
foreach ((array) $where["where"] as $key => $val) {
$key = bracket_escape($key, 1); // 1 - back
$column = escape_key($key);
$return[] = $column
. ($jush == "sql" && is_numeric($val) && preg_match('~\.~', $val) ? " LIKE " . q($val) // LIKE because of floats but slow with ints
: ($jush == "mssql" ? " LIKE " . q(preg_replace('~[_%[]~', '[\0]', $val)) // LIKE because of text
: " = " . unconvert_field($fields[$key], q($val))
))
; //! enum and set
if ($jush == "sql" && preg_match('~char|text~', $fields[$key]["type"] ?? null) && preg_match("~[^ -@]~", $val)) { // not just [a-z] to catch non-ASCII characters
$return[] = "$column = " . q($val) . " COLLATE " . charset($connection) . "_bin";
}
}
}
foreach ((array) $where["null"] as $key) {
$return[] = escape_key($key) . " IS NULL";
if (isset($where["null"])) {
foreach ((array) $where["null"] as $key) {
$return[] = escape_key($key) . " IS NULL";
}
}
return implode(" AND ", $return);
}
@ -1003,7 +1007,7 @@ function input($field, $value, $function) {
echo "<textarea$attrs cols='50' rows='12' class='jush-js'>" . h($value) . '</textarea>';
} else {
// int(3) is only a display hint
$maxlength = (!preg_match('~int~', $field["type"]) && preg_match('~^(\d+)(,(\d+))?$~', $field["length"], $match) ? ((preg_match("~binary~", $field["type"]) ? 2 : 1) * $match[1] + ($match[3] ? 1 : 0) + ($match[2] && !$field["unsigned"] ? 1 : 0)) : ($types[$field["type"]] ? $types[$field["type"]] + ($field["unsigned"] ? 0 : 1) : 0));
$maxlength = (!preg_match('~int~', $field["type"]) && preg_match('~^(\d+)(,(\d+))?$~', $field["length"], $match) ? ((preg_match("~binary~", $field["type"]) ? 2 : 1) * $match[1] + (isset($match[3]) && $match[3] ? 1 : 0) + (isset($match[2]) && $match[2] && !$field["unsigned"] ? 1 : 0)) : ($types[$field["type"]] ? $types[$field["type"]] + ($field["unsigned"] ? 0 : 1) : 0));
if ($jush == 'sql' && min_version(5.6) && preg_match('~time~', $field["type"])) {
$maxlength += 7; // microtime
}
@ -1511,20 +1515,23 @@ function edit_form($table, $fields, $row, $update) {
: (isset($_GET["select"]) ? false : $default)
)
);
if (!$_POST["save"] && is_string($value)) {
if ((isset($_POST["save"]) === false || !$_POST["save"]) && is_string($value)) {
$value = $adminer->editVal($value, $field);
}
$fname = null;
if (isset($_POST["function"][$name])) {
$fname = (string)$_POST["function"][$name];
}
$function = ($_POST["save"]
? $fname
: ($update && preg_match('~^CURRENT_TIMESTAMP~i', $field["on_update"])
? "now"
: ($value === false ? null : ($value !== null ? '' : 'NULL'))
)
);
$function = null;
if (isset($_POST["save"])) {
$function = ($_POST["save"]
? $fname
: ($update && preg_match('~^CURRENT_TIMESTAMP~i', $field["on_update"])
? "now"
: ($value === false ? null : ($value !== null ? '' : 'NULL'))
)
);
}
if (!$_POST && !$update && $value == $field["default"] && preg_match('~^[\w.]+\(~', $value)) {
$function = "SQL";
}

View file

@ -3,8 +3,8 @@ page_header(lang('Server'), "", false);
if ($adminer->homepage()) {
echo "<form action='' method='post'>\n";
echo "<p>" . lang('Search data in tables') . ": <input type='search' name='query' value='" . h($_POST["query"]) . "'> <input type='submit' value='" . lang('Search') . "'>\n";
if ($_POST["query"] != "") {
echo "<p>" . lang('Search data in tables') . ": <input type='search' name='query' value='" . h(isset($_POST["query"]) ? $_POST["query"] : null) . "'> <input type='submit' value='" . lang('Search') . "'>\n";
if (isset($_POST["query"]) && $_POST["query"] != "") {
search_tables();
}
echo "<div class='scrollable'>\n";
@ -19,7 +19,7 @@ if ($adminer->homepage()) {
foreach (table_status() as $table => $row) {
$name = $adminer->tableName($row);
if (isset($row["Engine"]) && $name != "") {
echo '<tr' . odd() . '><td>' . checkbox("tables[]", $table, in_array($table, (array) $_POST["tables"], true));
echo '<tr' . odd() . '><td>' . checkbox("tables[]", $table, in_array($table, (array) (isset($_POST["tables"]) ? $_POST["tables"] : []), true));
echo "<th><a href='" . h(ME) . 'select=' . urlencode($table) . "'>$name</a>";
$val = format_number($row["Rows"]);
echo "<td align='right'><a href='" . h(ME . "edit=") . urlencode($table) . "'>" . ($row["Engine"] == "InnoDB" && $val ? "~ $val" : $val) . "</a>";

View file

@ -72,11 +72,11 @@ class Adminer {
function loginForm() {
echo "<table cellspacing='0' class='layout'>\n";
echo $this->loginFormField('username', '<tr><th>' . lang('Username') . '<td>', '<input type="hidden" name="auth[driver]" value="server"><input name="auth[username]" id="username" value="' . h($_GET["username"]) . '" autocomplete="username" autocapitalize="off">' . script("focus(qs('#username'));"));
echo $this->loginFormField('username', '<tr><th>' . lang('Username') . '<td>', '<input type="hidden" name="auth[driver]" value="server"><input name="auth[username]" id="username" value="' . h((isset($_GET["username"]) ? $_GET["username"] : null)) . '" autocomplete="username" autocapitalize="off">' . script("focus(qs('#username'));"));
echo $this->loginFormField('password', '<tr><th>' . lang('Password') . '<td>', '<input type="password" name="auth[password]" autocomplete="current-password">' . "\n");
echo "</table>\n";
echo "<p><input type='submit' value='" . lang('Login') . "'>\n";
echo checkbox("auth[permanent]", 1, $_COOKIE["adminer_permanent"], lang('Permanent login')) . "\n";
echo checkbox("auth[permanent]", 1, (isset($_COOKIE["adminer_permanent"]) ? $_COOKIE["adminer_permanent"] : null), lang('Permanent login')) . "\n";
}
function loginFormField($name, $heading, $value) {
@ -224,7 +224,7 @@ ORDER BY ORDINAL_POSITION", null, "") as $row) { //! requires MySQL 5
}
function selectSearchPrint($where, $columns, $indexes) {
$where = (array) $_GET["where"];
$where = isset($_GET["where"]) ? (array) $_GET["where"] : [];
echo '<fieldset id="fieldset-search"><legend>' . lang('Search') . "</legend><div>\n";
$keys = array();
foreach ($where as $key => $val) {
@ -293,7 +293,7 @@ ORDER BY ORDINAL_POSITION", null, "") as $row) { //! requires MySQL 5
echo "<select name='index_order'>" . optionlist(array("" => "") + $orders, ($_GET["order"][0] != "" ? "" : $_GET["index_order"]), true) . "</select>";
echo "</div></fieldset>\n";
}
if ($_GET["order"]) {
if (isset($_GET["order"]) && $_GET["order"]) {
echo "<div style='display: none;'>" . hidden_fields(array(
"order" => array(1 => reset($_GET["order"])),
"desc" => ($_GET["desc"] ? array(1 => 1) : array()),
@ -326,13 +326,13 @@ ORDER BY ORDINAL_POSITION", null, "") as $row) { //! requires MySQL 5
function selectEmailPrint($emailFields, $columns) {
if ($emailFields) {
print_fieldset("email", lang('E-mail'), $_POST["email_append"]);
print_fieldset("email", lang('E-mail'), isset($_POST["email_append"]) ? $_POST["email_append"] : null);
echo "<div>";
echo script("qsl('div').onkeydown = partialArg(bodyKeydown, 'email');");
echo "<p>" . lang('From') . ": <input name='email_from' value='" . h($_POST ? $_POST["email_from"] : $_COOKIE["adminer_email"]) . "'>\n";
echo lang('Subject') . ": <input name='email_subject' value='" . h($_POST["email_subject"]) . "'>\n";
echo "<p><textarea name='email_message' rows='15' cols='75'>" . h($_POST["email_message"] . ($_POST["email_append"] ? '{$' . "$_POST[email_addition]}" : "")) . "</textarea>\n";
echo "<p>" . script("qsl('p').onkeydown = partialArg(bodyKeydown, 'email_append');", "") . html_select("email_addition", $columns, $_POST["email_addition"]) . "<input type='submit' name='email_append' value='" . lang('Insert') . "'>\n"; //! JavaScript
echo "<p>" . lang('From') . ": <input name='email_from' value='" . h(isset($_POST["email_from"]) ? $_POST["email_from"] : (isset($_COOKIE["adminer_email"]) ? $_COOKIE["adminer_email"] : null)) . "'>\n";
echo lang('Subject') . ": <input name='email_subject' value='" . h(isset($_POST["email_subject"]) ? $_POST["email_subject"] : null) . "'>\n";
echo "<p><textarea name='email_message' rows='15' cols='75'>" . h(isset($_POST["email_message"]) ? $_POST["email_message"] : null . (isset($_POST["email_append"]) && $_POST["email_append"] ? '{$' . "$_POST[email_addition]}" : "")) . "</textarea>\n";
echo "<p>" . script("qsl('p').onkeydown = partialArg(bodyKeydown, 'email_append');", "") . html_select("email_addition", $columns, isset($_POST["email_addition"]) ? $_POST["email_addition"] : null) . "<input type='submit' name='email_append' value='" . lang('Insert') . "'>\n"; //! JavaScript
echo "<p>" . lang('Attachments') . ": <input type='file' name='email_files[]'>" . script("qsl('input').onchange = emailFileChange;");
echo "<p>" . (count($emailFields) == 1 ? '<input type="hidden" name="email_field" value="' . h(key($emailFields)) . '">' : html_select("email_field", $emailFields));
echo "<input type='submit' name='email' value='" . lang('Send') . "'>" . confirm();
@ -348,43 +348,45 @@ ORDER BY ORDINAL_POSITION", null, "") as $row) { //! requires MySQL 5
function selectSearchProcess($fields, $indexes) {
global $driver;
$return = array();
foreach ((array) $_GET["where"] as $key => $where) {
$col = $where["col"];
$op = $where["op"];
$val = $where["val"];
if (($key < 0 ? "" : $col) . $val != "") {
$conds = array();
foreach (($col != "" ? array($col => $fields[$col]) : $fields) as $name => $field) {
if ($col != "" || is_numeric($val) || !preg_match(number_type(), $field["type"])) {
$name = idf_escape($name);
if ($col != "" && $field["type"] == "enum") {
$conds[] = (in_array(0, $val) ? "$name IS NULL OR " : "") . "$name IN (" . implode(", ", array_map('intval', $val)) . ")";
} else {
$text_type = preg_match('~char|text|enum|set~', $field["type"]);
$value = $this->processInput($field, (!$op && $text_type && preg_match('~^[^%]+$~', $val) ? "%$val%" : $val));
$conds[] = $driver->convertSearch($name, $val, $field) . ($value == "NULL" ? " IS" . ($op == ">=" ? " NOT" : "") . " $value"
: (in_array($op, $this->operators) || $op == "=" ? " $op $value"
: ($text_type ? " LIKE $value"
: " IN (" . str_replace(",", "', '", $value) . ")"
)));
if ($key < 0 && $val == "0") {
$conds[] = "$name IS NULL";
if (isset($_GET["where"])) {
foreach ((array) $_GET["where"] as $key => $where) {
$col = $where["col"];
$op = $where["op"];
$val = $where["val"];
if (($key < 0 ? "" : $col) . $val != "") {
$conds = array();
foreach (($col != "" ? array($col => $fields[$col]) : $fields) as $name => $field) {
if ($col != "" || is_numeric($val) || !preg_match(number_type(), $field["type"])) {
$name = idf_escape($name);
if ($col != "" && $field["type"] == "enum") {
$conds[] = (in_array(0, $val) ? "$name IS NULL OR " : "") . "$name IN (" . implode(", ", array_map('intval', $val)) . ")";
} else {
$text_type = preg_match('~char|text|enum|set~', $field["type"]);
$value = $this->processInput($field, (!$op && $text_type && preg_match('~^[^%]+$~', $val) ? "%$val%" : $val));
$conds[] = $driver->convertSearch($name, $val, $field) . ($value == "NULL" ? " IS" . ($op == ">=" ? " NOT" : "") . " $value"
: (in_array($op, $this->operators) || $op == "=" ? " $op $value"
: ($text_type ? " LIKE $value"
: " IN (" . str_replace(",", "', '", $value) . ")"
)));
if ($key < 0 && $val == "0") {
$conds[] = "$name IS NULL";
}
}
}
}
$return[] = ($conds ? "(" . implode(" OR ", $conds) . ")" : "1 = 0");
}
$return[] = ($conds ? "(" . implode(" OR ", $conds) . ")" : "1 = 0");
}
}
return $return;
}
function selectOrderProcess($fields, $indexes) {
$index_order = $_GET["index_order"];
$index_order = isset($_GET["index_order"]) ? $_GET["index_order"] : null;
if ($index_order != "") {
unset($_GET["order"][1]);
}
if ($_GET["order"]) {
if (isset($_GET["order"]) && $_GET["order"]) {
return array(idf_escape(reset($_GET["order"])) . ($_GET["desc"] ? " DESC" : ""));
}
foreach (($index_order != "" ? array($indexes[$index_order]) : $indexes) as $index) {
@ -591,15 +593,17 @@ qsl('div').onclick = whisperClick;", "")
<?php
if ($missing == "auth") {
$first = true;
foreach ((array) $_SESSION["pwds"] as $vendor => $servers) {
foreach ($servers[""] as $username => $password) {
if ($password !== null) {
if ($first) {
echo "<ul id='logins'>";
echo script("mixin(qs('#logins'), {onmouseover: menuOver, onmouseout: menuOut});");
$first = false;
if (isset($_SESSION["pwds"])) {
foreach ((array) $_SESSION["pwds"] as $vendor => $servers) {
foreach ($servers[""] as $username => $password) {
if ($password !== null) {
if ($first) {
echo "<ul id='logins'>";
echo script("mixin(qs('#logins'), {onmouseover: menuOver, onmouseout: menuOut});");
$first = false;
}
echo "<li><a href='" . h(auth_url($vendor, "", $username)) . "'>" . ($username != "" ? h($username) : "<i>" . lang('empty') . "</i>") . "</a>\n";
}
echo "<li><a href='" . h(auth_url($vendor, "", $username)) . "'>" . ($username != "" ? h($username) : "<i>" . lang('empty') . "</i>") . "</a>\n";
}
}
}
@ -627,10 +631,10 @@ qsl('div').onclick = whisperClick;", "")
$name = $this->tableName($row);
if (isset($row["Engine"]) && $name != "") { // ignore views and tables without name
echo "<a href='" . h(ME) . 'select=' . urlencode($row["Name"]) . "'"
. bold($_GET["select"] == $row["Name"] || $_GET["edit"] == $row["Name"], "select")
. bold((isset($_GET["select"]) && $_GET["select"] == $row["Name"]) || (isset($_GET["edit"]) && $_GET["edit"] == $row["Name"]), "select")
. " title='" . lang('Select data') . "'>$name</a>\n";
echo "<a href='" . h(ME) . 'select=' . urlencode($row["Name"]) . "'"
. bold($_GET["select"] == $row["Name"] || $_GET["edit"] == $row["Name"], "")
. bold((isset($_GET["select"]) && $_GET["select"] == $row["Name"]) || (isset($_GET["edit"]) && $_GET["edit"] == $row["Name"]), "")
. " title='" . lang('Select data') . "'>$name</a>\n";
}
}
@ -638,12 +642,14 @@ qsl('div').onclick = whisperClick;", "")
}
function _foreignColumn($foreignKeys, $column) {
foreach ((array) $foreignKeys[$column] as $foreignKey) {
if (count($foreignKey["source"]) == 1) {
$name = $this->rowDescription($foreignKey["table"]);
if ($name != "") {
$id = idf_escape($foreignKey["target"][0]);
return array($foreignKey["table"], $id, $name);
if (isset($foreignKeys[$column])) {
foreach ((array) $foreignKeys[$column] as $foreignKey) {
if (count($foreignKey["source"]) == 1) {
$name = $this->rowDescription($foreignKey["table"]);
if ($name != "") {
$id = idf_escape($foreignKey["target"][0]);
return array($foreignKey["table"], $id, $name);
}
}
}
}

View file

@ -11,7 +11,7 @@ $GLOBALS['project'] = basename(dirname(__FILE__));
include "../adminer/include/bootstrap.inc.php";
$drivers[DRIVER] = lang('Login');
if (isset($_GET["select"]) && ($_POST["edit"] || $_POST["clone"]) && !$_POST["save"]) {
if (isset($_GET["select"]) && ((isset($_POST["edit"]) && $_POST["edit"]) || (isset($_POST["clone"]) && $_POST["clone"])) && (isset($_POST["save"]) === false || !$_POST["save"])) {
$_GET["edit"] = $_GET["select"];
}