Browse code

Fix of bugs #554 and #553

git-svn-id: https://svn.schokokeks.org/repos/tools/webinterface/trunk@1133 87cf0b9e-d624-0410-a070-f6ee81989793

bernd authored on13/08/2008 07:09:26
Showing2 changed files
... ...
@@ -14,6 +14,8 @@ if (isset($_GET['action']))
14 14
   switch ($_GET['action'])
15 15
   {
16 16
     case 'delete_db':
17
+      if (! has_mysql_database($_GET['db']))
18
+        system_failure('Ungültige Datenbank');
17 19
       $sure = user_is_sure();
18 20
       if ($sure === NULL)
19 21
       {
... ...
@@ -33,6 +35,8 @@ if (isset($_GET['action']))
33 35
       }
34 36
       break;
35 37
     case 'delete_user':
38
+      if (! has_mysql_username($_GET['user']))
39
+        system_failure('Ungültiger Benutzer');
36 40
       $sure = user_is_sure();
37 41
       if ($sure === NULL)
38 42
       {
... ...
@@ -52,6 +56,8 @@ if (isset($_GET['action']))
52 56
       }
53 57
       break;
54 58
     case 'change_pw':
59
+      if (! has_mysql_username($_POST['mysql_username']))
60
+        system_failure('Ungültiger Benutzer');
55 61
       check_form_token('mysql_databases');
56 62
       set_mysql_password($_POST['mysql_username'], $_POST['mysql_password']);
57 63
       header("Location: ?");
... ...
@@ -129,7 +135,7 @@ if ($output_something)
129 135
 
130 136
   foreach($dbs as $db)
131 137
   {
132
-    $form .= "<tr><td style=\"border: 0px; font-weight: bold; text-align: right;\">{$db}&#160;".internal_link("", "<img src=\"{$prefix}images/delete.png\" title=\"Datenbank »{$db}« löschen\" alt=\"löschen\" />", "action=delete_db&amp;db={$db}")."</td>";
138
+    $form .= "<tr><td style=\"border: 0px; font-weight: bold; text-align: right;\">{$db}&#160;".internal_link("", "<img src=\"{$prefix}images/delete.png\" title=\"Datenbank »{$db}« löschen\" alt=\"löschen\" />", "action=delete_db&db={$db}")."</td>";
133 139
     foreach ($users as $user)
134 140
       $form .= '<td style="text-align: center;"><input type="checkbox" id="'.$db.'_'.$user.'" name="access['.$db.'][]" value="'.$user.'" '.(get_mysql_access($db, $user) ? 'checked="checked" ' : '')." /></td>";
135 141
     $form .= "</tr>\n";
... ...
@@ -147,4 +147,22 @@ function set_mysql_password($username, $password)
147 147
 }
148 148
 
149 149
 
150
+function has_mysql_database($dbname)
151
+{
152
+  $uid = $_SESSION['userinfo']['uid'];
153
+  $dbname = mysql_real_escape_string($dbname);
154
+  $result = db_query("SELECT NULL FROM misc.mysql_database WHERE name='{$dbname}' AND useraccount='{$uid}' LIMIT 1;");
155
+  return (mysql_num_rows($result) == 1);
156
+}
157
+
158
+
159
+function has_mysql_user($username)
160
+{
161
+  $uid = $_SESSION['userinfo']['uid'];
162
+  $userame = mysql_real_escape_string($username);
163
+  $result = db_query("SELECT NULL FROM misc.mysql_accounts WHERE username='{$username}' AND useraccount='{$uid}' LIMIT 1;");
164
+  return (mysql_num_rows($result) == 1);
165
+}
166
+
167
+
150 168
 ?>