| 250 |
kaklik |
1 |
<?php |
|
|
2 |
/* $Id: tbl_replace_fields.inc.php,v 1.5 2006/01/17 17:02:31 cybot_tm Exp $ */ |
|
|
3 |
// vim: expandtab sw=4 ts=4 sts=4: |
|
|
4 |
|
|
|
5 |
// note: grab_globals has extracted the fields from _FILES |
|
|
6 |
// or HTTP_POST_FILES |
|
|
7 |
|
|
|
8 |
// Check parameters |
|
|
9 |
|
|
|
10 |
require_once('./libraries/common.lib.php'); |
|
|
11 |
|
|
|
12 |
PMA_checkParameters(array('db', 'encoded_key')); |
|
|
13 |
|
|
|
14 |
|
|
|
15 |
// f i e l d u p l o a d e d f r o m a f i l e |
|
|
16 |
|
|
|
17 |
// garvin: original if-clause checked, whether input was stored in a possible fields_upload_XX var. |
|
|
18 |
// Now check, if the field is set. If it is empty or a malicious file, do not alter fields contents. |
|
|
19 |
// If an empty or invalid file is specified, the binary data gets deleter. Maybe a nice |
|
|
20 |
// new text-variable is appropriate to document this behaviour. |
|
|
21 |
|
|
|
22 |
// garvin: security cautions! You could trick the form and submit any file the webserver has access to |
|
|
23 |
// for upload to a binary field. Shouldn't be that easy! ;) |
|
|
24 |
|
|
|
25 |
// garvin: default is to advance to the field-value parsing. Will only be set to true when a |
|
|
26 |
// binary file is uploaded, thus bypassing further manipulation of $val. |
|
|
27 |
|
|
|
28 |
$check_stop = false; |
|
|
29 |
|
|
|
30 |
// Check if a multi-edit row was found |
|
|
31 |
${'me_fields_upload_' . $encoded_key} = (isset($enc_primary_key) && isset(${'fields_upload_' . $encoded_key}['multi_edit']) ? ${'fields_upload_' . $encoded_key}['multi_edit'][$enc_primary_key] : (isset(${'fields_upload_' . $encoded_key}) ? ${'fields_upload_' . $encoded_key} : null)); |
|
|
32 |
${'me_fields_uploadlocal_' . $encoded_key} = (isset($enc_primary_key) && isset(${'fields_uploadlocal_' . $encoded_key}['multi_edit']) ? ${'fields_uploadlocal_' . $encoded_key}['multi_edit'][$enc_primary_key] : (isset(${'fields_uploadlocal_' . $encoded_key}) ? ${'fields_uploadlocal_' . $encoded_key} : null)); |
|
|
33 |
|
|
|
34 |
if (isset(${'me_fields_upload_' . $encoded_key}) && ${'me_fields_upload_' . $encoded_key} != 'none'){ |
|
|
35 |
// garvin: This fields content is a blob-file upload. |
|
|
36 |
|
|
|
37 |
if (!empty(${'me_fields_upload_' . $encoded_key})) { |
|
|
38 |
// garvin: The blob-field is not empty. Check what we have there. |
|
|
39 |
|
|
|
40 |
$data_file = ${'me_fields_upload_' . $encoded_key}; |
|
|
41 |
|
|
|
42 |
if (is_uploaded_file($data_file)) { |
|
|
43 |
// garvin: A valid uploaded file is found. Look into the file... |
|
|
44 |
|
|
|
45 |
$val = fread(fopen($data_file, 'rb'), filesize($data_file)); |
|
|
46 |
// nijel: This is probably the best way how to put binary data |
|
|
47 |
// into MySQL and it also allow not to care about charset |
|
|
48 |
// conversion that would otherwise corrupt the data. |
|
|
49 |
|
|
|
50 |
if (!empty($val)) { |
|
|
51 |
// garvin: The upload was valid. Check in new blob-field's contents. |
|
|
52 |
$val = '0x' . bin2hex($val); |
|
|
53 |
$seen_binary = TRUE; |
|
|
54 |
$check_stop = TRUE; |
|
|
55 |
} |
|
|
56 |
// garvin: ELSE: an empty file was uploaded. Remove blob-field's contents. |
|
|
57 |
// Blob-fields are preserved, see below. ($protected$) |
|
|
58 |
|
|
|
59 |
} else { |
|
|
60 |
// garvin: Danger, will robinson. File is malicious. Blob-fields are preserved, see below. ($protected$) |
|
|
61 |
// void |
|
|
62 |
} |
|
|
63 |
|
|
|
64 |
} elseif (!empty(${'me_fields_uploadlocal_' . $encoded_key})) { |
|
|
65 |
$file_to_upload = PMA_userDir($cfg['UploadDir']) . preg_replace('@\.\.*@', '.', ${'me_fields_uploadlocal_' . $encoded_key}); |
|
|
66 |
|
|
|
67 |
// A local file will be uploaded. |
|
|
68 |
$open_basedir = @ini_get('open_basedir'); |
|
|
69 |
|
|
|
70 |
// If we are on a server with open_basedir, we must move the file |
|
|
71 |
// before opening it. The doc explains how to create the "./tmp" |
|
|
72 |
// directory |
|
|
73 |
|
|
|
74 |
$unlink = false; |
|
|
75 |
if (!empty($open_basedir)) { |
|
|
76 |
|
|
|
77 |
$tmp_subdir = (PMA_IS_WINDOWS ? '.\\tmp\\' : './tmp/'); |
|
|
78 |
|
|
|
79 |
// function is_writeable() is valid on PHP3 and 4 |
|
|
80 |
if (!is_writeable($tmp_subdir)) { |
|
|
81 |
// if we cannot move the file don't change blob fields |
|
|
82 |
$file_to_upload = ''; |
|
|
83 |
} else { |
|
|
84 |
$new_file_to_upload = $tmp_subdir . basename($file_to_upload); |
|
|
85 |
move_uploaded_file($file_to_upload, $new_file_to_upload); |
|
|
86 |
|
|
|
87 |
$file_to_upload = $new_file_to_upload; |
|
|
88 |
$unlink = true; |
|
|
89 |
} |
|
|
90 |
} |
|
|
91 |
|
|
|
92 |
if ($file_to_upload != '') { |
|
|
93 |
|
|
|
94 |
$val = fread(fopen($file_to_upload, 'rb'), filesize($file_to_upload)); |
|
|
95 |
if (!empty($val)) { |
|
|
96 |
$val = '0x' . bin2hex($val); |
|
|
97 |
$seen_binary = TRUE; |
|
|
98 |
$check_stop = TRUE; |
|
|
99 |
} |
|
|
100 |
|
|
|
101 |
if ($unlink == TRUE) { |
|
|
102 |
unlink($file_to_upload); |
|
|
103 |
} |
|
|
104 |
} |
|
|
105 |
|
|
|
106 |
} |
|
|
107 |
// garvin: else: Post-field contains no data. Blob-fields are preserved, see below. ($protected$) |
|
|
108 |
|
|
|
109 |
} |
|
|
110 |
|
|
|
111 |
if (!$check_stop) { |
|
|
112 |
|
|
|
113 |
// f i e l d v a l u e i n t h e f o r m |
|
|
114 |
|
|
|
115 |
if (isset($me_fields_type[$encoded_key])) { |
|
|
116 |
$type = $me_fields_type[$encoded_key]; |
|
|
117 |
} else { |
|
|
118 |
$type = ''; |
|
|
119 |
} |
|
|
120 |
|
|
|
121 |
$f = 'field_' . md5($key); |
|
|
122 |
$t_fval = (isset($$f) ? $$f : null); |
|
|
123 |
|
|
|
124 |
if (isset($t_fval['multi_edit']) && isset($t_fval['multi_edit'][$enc_primary_key])) { |
|
|
125 |
$fval = &$t_fval['multi_edit'][$enc_primary_key]; |
|
|
126 |
} else { |
|
|
127 |
$fval = null; |
|
|
128 |
} |
|
|
129 |
|
|
|
130 |
switch (strtolower($val)) { |
|
|
131 |
// let users type NULL or null to input this string and not a NULL value |
|
|
132 |
//case 'null': |
|
|
133 |
// break; |
|
|
134 |
case '': |
|
|
135 |
switch ($type) { |
|
|
136 |
case 'enum': |
|
|
137 |
// if we have an enum, then construct the value |
|
|
138 |
if (!empty($fval)) { |
|
|
139 |
$val = implode(',', $fval); |
|
|
140 |
if ($val == 'null') { |
|
|
141 |
// void |
|
|
142 |
} else { |
|
|
143 |
// the data here is urlencoded |
|
|
144 |
$val = "'" . PMA_sqlAddslashes(urldecode($val)) . "'"; |
|
|
145 |
} |
|
|
146 |
} else { |
|
|
147 |
$val = "''"; |
|
|
148 |
} |
|
|
149 |
break; |
|
|
150 |
case 'set': |
|
|
151 |
// if we have a set, then construct the value |
|
|
152 |
if (!empty($fval)) { |
|
|
153 |
$val = implode(',', $fval); |
|
|
154 |
// the data here is urlencoded |
|
|
155 |
$val = "'" . PMA_sqlAddslashes(urldecode($val)) . "'"; |
|
|
156 |
} else { |
|
|
157 |
$val = "''"; |
|
|
158 |
} |
|
|
159 |
break; |
|
|
160 |
case 'foreign': |
|
|
161 |
// if we have a foreign key, then construct the value |
|
|
162 |
if (!empty($fval)) { |
|
|
163 |
$val = implode(',', $fval); |
|
|
164 |
if ($val == 'null') { |
|
|
165 |
// void |
|
|
166 |
} else { |
|
|
167 |
// the data here is not urlencoded! |
|
|
168 |
//$val = "'" . PMA_sqlAddslashes(urldecode($val)) . "'"; |
|
|
169 |
$val = "'" . PMA_sqlAddslashes($val) . "'"; |
|
|
170 |
} |
|
|
171 |
} else { |
|
|
172 |
$val = "''"; |
|
|
173 |
} |
|
|
174 |
break; |
|
|
175 |
case 'protected': |
|
|
176 |
// here we are in protected mode (asked in the config) |
|
|
177 |
// so tbl_change has put this special value in the |
|
|
178 |
// fields array, so we do not change the field value |
|
|
179 |
// but we can still handle field upload |
|
|
180 |
|
|
|
181 |
// garvin: when in UPDATE mode, do not alter field's contents. When in INSERT |
|
|
182 |
// mode, insert empty field because no values were submitted. If protected |
|
|
183 |
// blobs where set, insert original fields content. |
|
|
184 |
if (isset($fieldlist)) { |
|
|
185 |
if (isset($prot_row) && isset($prot_row[$key]) && !empty($prot_row[$key])) { |
|
|
186 |
$val = '0x' . bin2hex($prot_row[$key]); |
|
|
187 |
$seen_binary = TRUE; |
|
|
188 |
} else { |
|
|
189 |
$val = "''"; |
|
|
190 |
} |
|
|
191 |
} else { |
|
|
192 |
unset($val); |
|
|
193 |
} |
|
|
194 |
|
|
|
195 |
break; |
|
|
196 |
default: |
|
|
197 |
// best way to avoid problems in strict mode (works also in non-strict mode) |
|
|
198 |
if (isset($me_auto_increment) && isset($me_auto_increment[$encoded_key])) { |
|
|
199 |
$val = 'NULL'; |
|
|
200 |
} else { |
|
|
201 |
$val = "'" . PMA_sqlAddslashes($val) . "'"; |
|
|
202 |
} |
|
|
203 |
break; |
|
|
204 |
} |
|
|
205 |
break; |
|
|
206 |
default: |
|
|
207 |
if (!($type == 'timestamp' && $val == 'CURRENT_TIMESTAMP')) { |
|
|
208 |
$val = "'" . PMA_sqlAddslashes($val) . "'"; |
|
|
209 |
} |
|
|
210 |
break; |
|
|
211 |
} // end switch |
|
|
212 |
|
|
|
213 |
// Was the Null checkbox checked for this field? |
|
|
214 |
// (if there is a value, we ignore the Null checkbox: this could |
|
|
215 |
// be possible if Javascript is disabled in the browser) |
|
|
216 |
if (isset($me_fields_null) && isset($me_fields_null[$encoded_key]) |
|
|
217 |
&& $val=="''") { |
|
|
218 |
$val = 'NULL'; |
|
|
219 |
} |
|
|
220 |
|
|
|
221 |
// The Null checkbox was unchecked for this field |
|
|
222 |
if (empty($val) && isset($me_fields_null_prev) && isset($me_fields_null_prev[$encoded_key]) && !isset($me_fields_null[$encoded_key])) { |
|
|
223 |
$val = "''"; |
|
|
224 |
} |
|
|
225 |
} // end else (field value in the form) |
|
|
226 |
?> |