Context Navigation

Changeset 3774 for trunk/gui

Timestamp:

02/13/11 09:51:41 (16 months ago)

Author:

ShadowJumper

Message:

Location:

trunk/gui/tools/pma

Files:

-                      r3772
+                      r3774
 $Id$
 $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyAdmin/ChangeLog $
+.3.9.2 (2011-02-11)
+- [security] SQL injection, see PMASA-2011-2
 .3.9.1 (2011-02-08)

-                      r3772
+                      r3774
     <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     <title>phpMyAdmin 3.3.9.1 - Documentation</title>
+    <title>phpMyAdmin 3.3.9.2 - Documentation</title>
     <link rel="stylesheet" type="text/css" href="docs.css" />
 </head>
 …
     <h1>
         <a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a>
 .3.9.1
+.3.9.2
         Documentation
     </h1>

r3772	r3774
6	6	A set of PHP-scripts to manage MySQL over the web.
7	7
8		Version 3.3.9.1
	8	Version 3.3.9.2
9	9	---------------
10	10	http://www.phpmyadmin.net/

r3110	r3774
152	152	// Bookmark Support: get a query back from bookmark if required
153	153	if (!empty($id_bookmark)) {
	154	$id_bookmark = (int)$id_bookmark;
154	155	require_once './libraries/bookmark.lib.php';
155	156	switch ($action_bookmark) {

-                      r2840
+                      r3774
  * @param   string    which field to look up the $id
  * @param   boolean  TRUE: get all bookmarks regardless of the owning user
+ * @param   boolean   whether to ignore bookmarks with no user
+ *
  * @return  string    the sql query
 …
  * @access  public
  */
 function PMA_Bookmark_get($db, $id, $id_field = 'id', $action_bookmark_all = FALSE)
+function PMA_Bookmark_get($db, $id, $id_field = 'id', $action_bookmark_all = FALSE, $exact_user_match = FALSE)
+{
     global $controllink;
 …
     $query = 'SELECT query FROM ' . PMA_backquote($cfgBookmark['db']) . '.' . PMA_backquote($cfgBookmark['table'])
+        . ' WHERE dbase = \'' . PMA_sqlAddslashes($db) . '\''
+        . ($action_bookmark_all? '' : ' AND (user = \'' . PMA_sqlAddslashes($cfgBookmark['user']) . '\''
+        . '      OR user = \'\')')
+        . ' AND ' . PMA_backquote($id_field) . ' = ' . $id;
+        . ' WHERE dbase = \'' . PMA_sqlAddslashes($db) . '\'';
+    if (!$action_bookmark_all) {
+        $query .= ' AND (user = \'' . PMA_sqlAddslashes($cfgBookmark['user']) . '\'';
+        if (!$exact_user_match) {
+            $query .= ' OR user = \'\'';
+        }
+        $query .= ')';
+    }
+    $query .= ' AND ' . PMA_backquote($id_field) . ' = ' . $id;
     return PMA_DBI_fetch_value($query, 0, 0, $controllink);
 } // end of the 'PMA_Bookmark_get()' function

r3252	r3774
55	55	require_once './libraries/bookmark.lib.php';
56	56	$book_sql_query = PMA_Bookmark_get($db, '\'' . PMA_sqlAddslashes($table) . '\'',
57		'label');
	57	'label', FALSE, TRUE);
58	58
59	59	if (! empty($book_sql_query)) {

-                      r3772
+                      r3774
     <link rel="shortcut icon" href="./favicon.ico" type="image/x-icon" />
     <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
     <title>phpMyAdmin 3.3.9.1 - Official translators</title>
+    <title>phpMyAdmin 3.3.9.2 - Official translators</title>
     <link rel="stylesheet" type="text/css" href="docs.css" />
 </head>
 …
     <h1>
         <a href="http://www.phpmyadmin.net/">php<span class="myadmin">MyAdmin</span></a>
 .3.9.1
+.3.9.2
         official translators list
     </h1>

Note: See TracChangeset for help on using the changeset viewer.