diff --git a/edit.inc.php b/edit.inc.php
index df229ef3..621c0da2 100644
--- a/edit.inc.php
+++ b/edit.inc.php
@@ -14,33 +14,10 @@ if ($_POST && !$error) {
 } else {
 $set = array();
 foreach ($fields as $name => $field) {
- $key = bracket_escape($name);
- $val = $_POST["fields"][$key];
- if (preg_match('~char|text|set|binary|blob~', $field["type"]) ? $_POST["null"][$key] : !strlen($val)) {
- $val = "NULL";
- } elseif ($field["type"] == "enum") {
- $val = (isset($_GET["default"]) && preg_match_all("~'((?:[^']*|'')+)'~", $field["length"], $matches) ? "'" . $matches[1][$val-1] . "'" : intval($val));
- } elseif ($field["type"] == "set") {
- if (!isset($_GET["default"])) {
- $val = array_sum((array) $val);
- } else {
- preg_match_all("~'((?:[^']*|'')+)'~", $field["length"], $matches);
- $value = array();
- foreach ((array) $val as $key => $v) {
- $value[] = $matches[1][$key];
- }
- $val = "'" . implode(",", $value) . "'";
- }
- } elseif (preg_match('~binary|blob~', $field["type"])) {
- $file = get_file($key);
- if (!is_string($file) && !$field["null"]) {
- continue; //! report errors, also empty $_POST - not only because of file upload
- }
- $val = "_binary'" . (is_string($file) ? mysql_real_escape_string($file) : "") . "'";
- } else {
- $val = "'" . mysql_real_escape_string($val) . "'";
+ $val = process_input($name, $field);
+ if ($val !== false) {
+ $set[] = idf_escape($name) . (isset($_GET["default"]) ? ($val == "NULL" ? " DROP DEFAULT" : " SET DEFAULT $val") : " = $val");
 }
- $set[] = idf_escape($name) . (isset($_GET["default"]) ? ($val == "NULL" ? " DROP DEFAULT" : " SET DEFAULT $val") : " = $val");
 }
 if (isset($_GET["default"])) {
 $query = "ALTER TABLE " . idf_escape($_GET["edit"]) . " ALTER " . implode(", ALTER ", $set);
@@ -78,54 +55,27 @@ if ($_POST) {
 unset($data);
 }
 ?>
+
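Review bot: `$set` can end up empty — `process_input()` returns `false` for every NOT NULL binary column whose upload is missing and the new `if ($val !== false)` skips it — yet the `ALTER TABLE … ALTER ` query built from `implode(", ALTER ", $set)` a few lines later (and presumably the UPDATE in the other branch) is issued regardless, so the user gets a MySQL syntax error instead of a message about the missing file. Guard the query construction, e.g. `if (!$set) { $error = lang('<message placeholder>'); } elseif (isset($_GET["default"])) {`, using whatever convention the surrounding `if ($_POST && !$error)` already has for `$error`; the else-branch continues outside the hunk. Keep the comparison strict as written: enum and set values come back from `process_input()` as `int`, including `0`, so a loose `!= false` would drop them.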
-\n" : ""); foreach ($fields as $name => $field) { - $save_possible = true; echo "\n"; } +echo ($fields ? "
" . htmlspecialchars($name) . ""; - $value = (isset($data) ? $data[$name] : $field["default"]); - $name = htmlspecialchars($_POST ? $name : bracket_escape($name)); - if ($field["type"] == "enum") { - if (!isset($_GET["default"])) { - echo ''; - } - preg_match_all("~'((?:[^']*|'')+)'~", $field["length"], $matches); - foreach ($matches[1] as $i => $val) { - $id = "field-$name-" . ($i+1); - $checked = (isset($data) ? $value == $i+1 : $val === $field["default"]); - echo ' '; - } - if ($field["null"]) { - $id = "field-$name-"; - echo ' '; - } - } elseif ($field["type"] == "set") { //! 64 bits - preg_match_all("~'((?:[^']*|'')+)'~", $field["length"], $matches); - foreach ($matches[1] as $i => $val) { - $id = "$name-" . ($i+1); - $checked = (isset($data) ? ($value >> $i) & 1 : in_array(str_replace("''", "'", $val), explode(",", $field["default"]), true)); - echo ' '; - } - } elseif (strpos($field["type"], "text") !== false) { - echo ''; - } elseif (preg_match('~binary|blob~', $field["type"])) { - echo (ini_get("file_uploads") ? '' : lang('File uploads are disabled.') . ' '); - } else { //! binary - echo ''; - } - if ($field["null"] && preg_match('~char|text|set|binary|blob~', $field["type"])) { - echo ''; + if (!isset($data)) { + $value = $field["default"]; + } elseif (strlen($data[$name]) && ($field["type"] == "enum" || $field["type"] == "set")) { + $value = intval($data[$name]); + } else { + $value = $data[$name]; } + input($name, $field, $value); echo "
\n" : ""); ?> -

- + diff --git a/functions.inc.php b/functions.inc.php index cb588213..0520fc24 100644 --- a/functions.inc.php +++ b/functions.inc.php @@ -8,7 +8,7 @@ function idf_unescape($idf) { } function bracket_escape($idf, $back = false) { - static $trans = array(':' => ':1', ']' => ':2'); + static $trans = array(':' => ':1', ']' => ':2', '[' => ':3'); return strtr($idf, ($back ? array_flip($trans) : $trans)); } 
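Review bot: The new `$value` selection silently encodes a type convention — an `int` means the row's enum ordinal or set bitmask, a string means a literal default — and `input()` in functions.inc.php dispatches on exactly that via `is_int($value)`, so a reader of edit.inc.php cannot tell why `intval()` is applied only in the `strlen(...) && (enum || set)` branch. A comment above the `if (!isset($data))` such as `// int = enum index / set bitmask taken from the row, string = literal column default; input() switches on is_int()` would make the contract explicit. An empty-string row value for an enum/set column fails the `strlen` test and reaches `input()` as a string, where the `//! '' collide with NULL in $_GET["default"]` note already records the ambiguity. The markup lines of this hunk are not visible on the page, so only the PHP part is reviewed here.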
@@ -236,6 +236,70 @@ function select($result) { } echo "\n"; } + mysql_free_result($result); +} + +function input($name, $field, $value) { + static $types; + if (!isset($types)) { + $types = types(); + } + $name = htmlspecialchars(bracket_escape($name)); + if ($field["type"] == "enum") { + if (!isset($_GET["default"])) { + echo ''; + } + preg_match_all("~'((?:[^']*|'')+)'~", $field["length"], $matches); + foreach ($matches[1] as $i => $val) { + $val = str_replace("''", "'", $val); + $id = "field-$name-" . ($i+1); + $checked = (is_int($value) ? $value == $i+1 : $value === $val); //! '' collide with NULL in $_GET["default"] + echo ' '; + } + if ($field["null"]) { + $id = "field-$name-"; + echo ' '; + } + } elseif ($field["type"] == "set") { //! 64 bits + preg_match_all("~'((?:[^']*|'')+)'~", $field["length"], $matches); + foreach ($matches[1] as $i => $val) { + $val = str_replace("''", "'", $val); + $id = "field-$name-" . ($i+1); + $checked = (is_int($value) ? ($value >> $i) & 1 : in_array($val, explode(",", $value), true)); + echo ' '; + } + } elseif (strpos($field["type"], "text") !== false) { + echo ''; + } elseif (preg_match('~binary|blob~', $field["type"])) { + echo (ini_get("file_uploads") ? '' : lang('File uploads are disabled.') . ' '); + } else { + echo ''; + } + if ($field["null"] && preg_match('~char|text|set|binary|blob~', $field["type"])) { + $id = "null-$name"; + echo ''; + } +} + +function process_input($name, $field) { + $name = bracket_escape($name); + $return = $_POST["fields"][$name]; + if (preg_match('~char|text|set|binary|blob~', $field["type"]) ? $_POST["null"][$name] : !strlen($return)) { + $return = "NULL"; + } elseif ($field["type"] == "enum") { + $return = (isset($_GET["default"]) ? "'" . mysql_real_escape_string($return) . "'" : intval($return)); + } elseif ($field["type"] == "set") { + $return = (isset($_GET["default"]) ? "'" . implode(",", array_map('mysql_real_escape_string', (array) $return)) . 
"'" : array_sum((array) $return)); + } elseif (preg_match('~binary|blob~', $field["type"])) { + $file = get_file($name); + if (!is_string($file) && !$field["null"]) { + return false; //! report errors, also empty $_POST (too big POST data, not only FILES) + } + $return = "_binary'" . (is_string($file) ? mysql_real_escape_string($file) : "") . "'"; + } else { + $return = "'" . mysql_real_escape_string($return) . "'"; + } + return $return; } if (get_magic_quotes_gpc()) { diff --git a/sql.inc.php b/sql.inc.php index 2fb600fc..3d6d88a1 100644 --- a/sql.inc.php +++ b/sql.inc.php @@ -24,13 +24,14 @@ if ($_POST && $error) { if (!$result) { echo "
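Review bot: `process_input()` reads `$_POST["fields"][$name]` and `$_POST["null"][$name]` without `isset()`; a set column with no member ticked, and an unticked NULL box on any char/text/set/binary/blob column, submit no such key, so every edit raises PHP notices that can reach the rendered page depending on `error_reporting`. `$return = (isset($_POST["fields"][$name]) ? $_POST["fields"][$name] : null);` and `$null = !empty($_POST["null"][$name]);` used in the first condition keep the current results (`(array) null` still sums to `0`) without the notices. The `//!` TODO about empty `$_POST` is related but different: a POST truncated by `post_max_size` is empty as a whole and needs a check before the loop in edit.inc.php, not per column. `types()`, `get_file()` and `lang()` are not on this page, and the `echo` payloads in `input()` are not visible, so their behaviour is assumed here.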

" . lang('Error in query') . ": " . htmlspecialchars(mysql_error()) . "

\n"; } elseif ($result === true) { - //~ if (token_delete()) { - //~ $token = token(); - //~ } + /* more secure but less user-friendly + if (token_delete()) { + $token = token(); + } + */ echo "

" . lang('Query executed OK, %d row(s) affected.', mysql_affected_rows()) . "

\n"; } else { select($result); - mysql_free_result($result); } } } @@ -42,6 +43,7 @@ if ($_POST && $error) { echo "
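Review bot: The token-rotation block stays in the file as commented-out code, now under `/* more secure but less user-friendly */`; dead code that encodes a security trade-off is better deleted and the decision recorded in one live comment, e.g. `// token is deliberately not rotated after each query (token_delete()/token()): one-time tokens cannot be replayed but break refresh/resubmit`, so the next maintainer does not have to guess whether this is pending work. The `mysql_free_result($result)` removed here moves into `select()` in functions.inc.php, which is fine for this caller, but any other caller of `select()` that still frees the result itself would now emit a warning; those callers are not on this page, so that is worth a grep before merging.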

" . lang('Unable to upload a file.') . "

\n"; } ?> +