Prevent CSRF

git-svn-id: https://adminer.svn.sourceforge.net/svnroot/adminer/trunk@76 7c3ca157-0c34-0410-bff1-cbf682f78f5c
jakubvrana 2007-07-06 18:08:17 +00:00
parent f90c7d8f50
commit 505b79d82c


@ -13,41 +13,53 @@ include "./connect.inc.php";
if (isset($_GET["dump"])) { if (isset($_GET["dump"])) {
include "./dump.inc.php"; include "./dump.inc.php";
} else { } else {
if (isset($_GET["sql"])) { if (isset($_GET["table"])) {
include "./sql.inc.php";
} elseif (isset($_GET["table"])) {
include "./table.inc.php"; include "./table.inc.php";
} elseif (isset($_GET["select"])) { } elseif (isset($_GET["select"])) {
include "./select.inc.php"; include "./select.inc.php";
} elseif (isset($_GET["edit"])) {
include "./edit.inc.php";
} elseif (isset($_GET["create"])) {
include "./create.inc.php";
} elseif (isset($_GET["indexes"])) {
include "./indexes.inc.php";
} elseif (isset($_GET["view"])) { } elseif (isset($_GET["view"])) {
include "./view.inc.php"; include "./view.inc.php";
} elseif (isset($_GET["database"])) {
include "./database.inc.php";
} else { } else {
page_header(htmlspecialchars(lang('Database') . ": " . $_GET["db"])); $params = preg_replace('~.*\\?~', '', $_SERVER["REQUEST_URI"]);
echo '<p><a href="' . htmlspecialchars($SELF) . 'database=">' . lang('Alter database') . "</a></p>\n"; if ($_POST) {
if (mysql_get_server_info() >= 5) { $error = (in_array($_POST["token"], (array) $_SESSION["tokens"][$params]) ? "" : lang('Invalid CSRF token.'));
$result = mysql_query("SELECT * FROM information_schema.ROUTINES WHERE ROUTINE_SCHEMA = '" . mysql_real_escape_string($_GET["db"]) . "'"); }
if (mysql_num_rows($result)) { if ($_POST && !$error) {
echo "<h2>" . lang('Routines') . "</h2>\n"; $token = $_POST["token"];
echo "<table border='0' cellspacing='0' cellpadding='2'>\n"; } else {
while ($row = mysql_fetch_assoc($result)) { $token = rand(1, 1e6);
echo "<tr valign='top'>"; $_SESSION["tokens"][$params][] = $token;
echo "<th>" . htmlspecialchars($row["ROUTINE_TYPE"]) . "</th>"; }
echo "<th>" . htmlspecialchars($row["ROUTINE_NAME"]) . "</th>"; //! parameters from SHOW CREATE {PROCEDURE|FUNCTION} if (isset($_GET["sql"])) {
echo "<td><pre>" . htmlspecialchars($row["ROUTINE_DEFINITION"]) . "</pre></td>"; include "./sql.inc.php";
echo "</tr>\n"; } elseif (isset($_GET["edit"])) {
//! call, drop, replace include "./edit.inc.php";
} elseif (isset($_GET["create"])) {
include "./create.inc.php";
} elseif (isset($_GET["indexes"])) {
include "./indexes.inc.php";
} elseif (isset($_GET["database"])) {
include "./database.inc.php";
} else {
unset($_SESSION["tokens"][$params]);
page_header(htmlspecialchars(lang('Database') . ": " . $_GET["db"]));
echo '<p><a href="' . htmlspecialchars($SELF) . 'database=">' . lang('Alter database') . "</a></p>\n";
if (mysql_get_server_info() >= 5) {
$result = mysql_query("SELECT * FROM information_schema.ROUTINES WHERE ROUTINE_SCHEMA = '" . mysql_real_escape_string($_GET["db"]) . "'");
if (mysql_num_rows($result)) {
echo "<h2>" . lang('Routines') . "</h2>\n";
echo "<table border='0' cellspacing='0' cellpadding='2'>\n";
while ($row = mysql_fetch_assoc($result)) {
echo "<tr valign='top'>";
echo "<th>" . htmlspecialchars($row["ROUTINE_TYPE"]) . "</th>";
echo "<th>" . htmlspecialchars($row["ROUTINE_NAME"]) . "</th>"; //! parameters from SHOW CREATE {PROCEDURE|FUNCTION}
echo "<td><pre>" . htmlspecialchars($row["ROUTINE_DEFINITION"]) . "</pre></td>";
echo "</tr>\n";
}
echo "</table>\n";
} }
echo "</table>\n"; mysql_free_result($result);
} }
mysql_free_result($result);
} }
} }
page_footer(); page_footer();
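Review bot: The token on the `$token = rand(1, 1e6);` line comes from a non-cryptographic generator with at most about a million values (far fewer on platforms where RAND_MAX is 32767), and the `in_array(...)` check compares the posted string loosely against those integers, so an attacker who can predict or enumerate `rand()` output can forge a valid token. On current PHP the two lines should read `$token = bin2hex(random_bytes(16));` and `$error = (in_array($_POST["token"], (array) $_SESSION["tokens"][$params], true) ? "" : lang('Invalid CSRF token.'));`, storing the token as a string so the strict comparison matches; `random_bytes` postdates this 2007 commit, so on that era's PHP a hash over `uniqid()` and `mt_rand()` output was the usual substitute. Two further points visible in the hunk: `$_SESSION["tokens"][$params][] = $token;` appends on every GET and is only cleared by the `unset` in the final `else` branch, so the per-URL list grows without bound for the sql/edit/create/indexes/database pages, and `table.inc.php`, `select.inc.php` and `view.inc.php` are included before the token block runs, so if any of those files handles a POST it is not covered by this check.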