Fix of bugs #554 and #553 (db87f22) - webinterface.git

Fix of bugs #554 and #553

bernd commited on 2008-08-13 07:09:26
Zeige 2 geänderte Dateien mit 25 Einfügungen und 1 Löschungen.

git-svn-id: https://svn.schokokeks.org/repos/tools/webinterface/trunk@1133 87cf0b9e-d624-0410-a070-f6ee81989793

modules/mysql/databases.php 14fdbc9..d1c144f
modules/mysql/include/mysql.php 491c79a..00b7e0c

modules/mysql/databases.php

Zeige Datei @ db87f22

@@ -14,6 +14,8 @@ if (isset($_GET['action']))
   switch ($_GET['action'])
   {
     case 'delete_db':
+      if (! has_mysql_database($_GET['db']))
+        system_failure('Ungültige Datenbank');
       $sure = user_is_sure();
       if ($sure === NULL)
       {
@@ -33,6 +35,8 @@ if (isset($_GET['action']))
       }
       break;
     case 'delete_user':
+      if (! has_mysql_username($_GET['user']))
+        system_failure('Ungültiger Benutzer');
       $sure = user_is_sure();
       if ($sure === NULL)
       {
@@ -52,6 +56,8 @@ if (isset($_GET['action']))
       }
       break;
     case 'change_pw':
+      if (! has_mysql_username($_POST['mysql_username']))
+        system_failure('Ungültiger Benutzer');
       check_form_token('mysql_databases');
       set_mysql_password($_POST['mysql_username'], $_POST['mysql_password']);
       header("Location: ?");
@@ -129,7 +135,7 @@ if ($output_something)
 
   foreach($dbs as $db)
   {
-    $form .= "<tr><td style=\"border: 0px; font-weight: bold; text-align: right;\">{$db}&#160;".internal_link("", "<img src=\"{$prefix}images/delete.png\" title=\"Datenbank »{$db}« löschen\" alt=\"löschen\" />", "action=delete_db&amp;db={$db}")."</td>";
+    $form .= "<tr><td style=\"border: 0px; font-weight: bold; text-align: right;\">{$db}&#160;".internal_link("", "<img src=\"{$prefix}images/delete.png\" title=\"Datenbank »{$db}« löschen\" alt=\"löschen\" />", "action=delete_db&db={$db}")."</td>";
     foreach ($users as $user)
       $form .= '<td style="text-align: center;"><input type="checkbox" id="'.$db.'_'.$user.'" name="access['.$db.'][]" value="'.$user.'" '.(get_mysql_access($db, $user) ? 'checked="checked" ' : '')." /></td>";
     $form .= "</tr>\n";

modules/mysql/include/mysql.php

Zeige Datei @ db87f22

@@ -147,4 +147,22 @@ function set_mysql_password($username, $password)
 }
 
 
+function has_mysql_database($dbname)
+{
+  $uid = $_SESSION['userinfo']['uid'];
+  $dbname = mysql_real_escape_string($dbname);
+  $result = db_query("SELECT NULL FROM misc.mysql_database WHERE name='{$dbname}' AND useraccount='{$uid}' LIMIT 1;");
+  return (mysql_num_rows($result) == 1);
+}
+
+
+function has_mysql_user($username)
+{
+  $uid = $_SESSION['userinfo']['uid'];
+  $userame = mysql_real_escape_string($username);
+  $result = db_query("SELECT NULL FROM misc.mysql_accounts WHERE username='{$username}' AND useraccount='{$uid}' LIMIT 1;");
+  return (mysql_num_rows($result) == 1);
+}
+
+
 ?>


...	...	@@ -147,4 +147,22 @@ function set_mysql_password($username, $password)
147	147	}
148	148
149	149
	150	+function has_mysql_database($dbname)
	151	+{
	152	+ $uid = $_SESSION['userinfo']['uid'];
	153	+ $dbname = mysql_real_escape_string($dbname);
	154	+ $result = db_query("SELECT NULL FROM misc.mysql_database WHERE name='{$dbname}' AND useraccount='{$uid}' LIMIT 1;");
	155	+ return (mysql_num_rows($result) == 1);
	156	+}
	157	+
	158	+
	159	+function has_mysql_user($username)
	160	+{
	161	+ $uid = $_SESSION['userinfo']['uid'];
	162	+ $userame = mysql_real_escape_string($username);
	163	+ $result = db_query("SELECT NULL FROM misc.mysql_accounts WHERE username='{$username}' AND useraccount='{$uid}' LIMIT 1;");
	164	+ return (mysql_num_rows($result) == 1);
	165	+}
	166	+
	167	+
150	168	?>
151	169

...	...	@@ -14,6 +14,8 @@ if (isset($_GET['action']))
14	14	switch ($_GET['action'])
15	15	{
16	16	case 'delete_db':
	17	+ if (! has_mysql_database($_GET['db']))
	18	+ system_failure('Ungültige Datenbank');
17	19	$sure = user_is_sure();
18	20	if ($sure === NULL)
19	21	{
...	...	@@ -33,6 +35,8 @@ if (isset($_GET['action']))
33	35	}
34	36	break;
35	37	case 'delete_user':
	38	+ if (! has_mysql_username($_GET['user']))
	39	+ system_failure('Ungültiger Benutzer');
36	40	$sure = user_is_sure();
37	41	if ($sure === NULL)
38	42	{
...	...	@@ -52,6 +56,8 @@ if (isset($_GET['action']))
52	56	}
53	57	break;
54	58	case 'change_pw':
	59	+ if (! has_mysql_username($_POST['mysql_username']))
	60	+ system_failure('Ungültiger Benutzer');
55	61	check_form_token('mysql_databases');
56	62	set_mysql_password($_POST['mysql_username'], $_POST['mysql_password']);
57	63	header("Location: ?");
...	...	@@ -129,7 +135,7 @@ if ($output_something)
129	135
130	136	foreach($dbs as $db)
131	137	{
132		- $form .= "<tr><td style=\"border: 0px; font-weight: bold; text-align: right;\">{$db} ".internal_link("", "<img src=\"{$prefix}images/delete.png\" title=\"Datenbank »{$db}« löschen\" alt=\"löschen\" />", "action=delete_db&db={$db}")."</td>";
	138	+ $form .= "<tr><td style=\"border: 0px; font-weight: bold; text-align: right;\">{$db} ".internal_link("", "<img src=\"{$prefix}images/delete.png\" title=\"Datenbank »{$db}« löschen\" alt=\"löschen\" />", "action=delete_db&db={$db}")."</td>";
133	139	foreach ($users as $user)
134	140	$form .= '<td style="text-align: center;"><input type="checkbox" id="'.$db.'_'.$user.'" name="access['.$db.'][]" value="'.$user.'" '.(get_mysql_access($db, $user) ? 'checked="checked" ' : '')." /></td>";
135	141	$form .= "</tr>\n";