From 2f996ba014c139f804f4db1736deea1094816e2e Mon Sep 17 00:00:00 2001
From: Jakub Vrana
Date: Sat, 11 May 2013 12:47:04 -0700
Subject: [PATCH] Restrict editing rows without unique identifier to search results
---
 adminer/select.inc.php | 16 ++++++++--------
 changes.txt | 1 +
 2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/adminer/select.inc.php b/adminer/select.inc.php
index 07c2fbef..38356762 100644
--- a/adminer/select.inc.php
+++ b/adminer/select.inc.php
@@ -45,7 +45,11 @@ if ($_GET["val"] && is_ajax()) {
 }
 if ($_POST && !$error) {
- $where_check = "(" . implode(") OR (", array_map('where_check', (array) $_POST["check"])) . ")";
+ $where_check = $where;
+ if (is_array($_POST["check"])) {
+ $where_check[] = "((" . implode(") OR (", array_map('where_check', $_POST["check"])) . "))";
+ }
+ $where_check = ($where_check ? "\nWHERE " . implode(" AND ", $where_check) : "");
 $primary = $unselected = null;
 foreach ($indexes as $index) {
 if ($index["type"] == "PRIMARY") {
@@ -65,11 +69,7 @@ if ($_POST && !$error) {
 dump_headers($TABLE);
 $adminer->dumpTable($TABLE, "");
 if (!is_array($_POST["check"]) || $unselected === array()) {
- $where2 = $where;
- if (is_array($_POST["check"])) {
- $where2[] = "($where_check)";
- }
- $query = "SELECT $from" . ($where2 ? "\nWHERE " . implode(" AND ", $where2) : "") . $group_by;
+ $query = "SELECT $from$where_check$group_by";
 } else {
 $union = array();
 foreach ($_POST["check"] as $val) {
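Review bot: In the first hunk `$where_check` starts as a copy of the `$where` array and is then overwritten with a string, which makes its later uses in this file harder to follow; after the last added line it is either a complete `"\nWHERE ..."` clause or `""`. A comment above the block would make that contract explicit, for example `// $where_check: full "\nWHERE ..." clause (search conditions AND checked rows), or "" when neither is present`. The elements of `$_POST["check"]` are passed to `where_check()` without a type check, so a nested array would reach it; how that helper treats non-string input is not visible here. The enclosing `if ($_POST && !$error)` block continues past the hunk.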
@@ -112,12 +112,12 @@ if ($_POST && !$error) {
 $query = "INTO $query";
 }
 if ($_POST["all"] || ($unselected === array() && $_POST["check"]) || $is_group) {
- $result = queries("$command $query" . ($_POST["all"] ? ($where ? "\nWHERE " . implode(" AND ", $where) : "") : "\nWHERE $where_check"));
+ $result = queries("$command $query$where_check");
 $affected = $connection->affected_rows;
 } else {
 foreach ((array) $_POST["check"] as $val) {
 // where is not unique so OR can't be used
- $result = queries($command . limit1($query, "\nWHERE " . where_check($val, $fields)));
+ $result = queries($command . limit1($query, "\nWHERE " . ($where ? implode(" AND ", $where) . " AND " : "") . where_check($val, $fields)));
 if (!$result) {
 break;
 }
diff --git a/changes.txt b/changes.txt
index 676d01d1..b6dbc59a 100644
--- a/changes.txt
+++ b/changes.txt
@@ -9,6 +9,7 @@ Remove bzip2 compression support
 Constraint memory used in TAR export
 Allow exporting views dependent on each other (bug #3459151)
 Fix resetting search (bug #3612507)
+Restrict editing rows without unique identifier to search results
 Display navigation bellow main content on mobile browsers
 MySQL: Optimize create table page and Editor navigation
 MySQL: Display bit type as binary number
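Review bot: The bulk branch in the `@@ -112,12` hunk can now issue `$command $query` with no row restriction, because `$where_check` is an empty string whenever `$where` is empty and `$_POST["check"]` is not an array, while the branch is still entered on `$is_group` alone or on a scalar `check` value when `$unselected === array()`. The removed line appended `\nWHERE $where_check` whenever `all` was not set, so a request without a selection ended in a SQL error rather than a statement over the whole table. Requiring an explicit selection keeps that fail-closed behaviour, e.g. `if ($_POST["all"] || (is_array($_POST["check"]) && ($unselected === array() || $is_group))) {`. `$is_group` and `$command` are set outside the hunk, so whether the UI can actually produce such a request should be confirmed against the rest of the file.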