</p>
</form>
<form action="">
-<p><?php if (strlen($_GET["server"])) { ?><input type="hidden" name="server" value="<?php echo h($_GET["server"]); ?>"><?php } ?>
+<p>
+<?php if (SID) { ?><input type="hidden" name="<?php echo session_name(); ?>" value="<?php echo h(session_id()); ?>"><?php } ?>
+<?php if (strlen($_GET["server"])) { ?><input type="hidden" name="server" value="<?php echo h($_GET["server"]); ?>"><?php } ?>
<?php if ($databases) { ?>
<select name="db" onchange="this.form.submit();"><option value="">(<?php echo lang('database'); ?>)<?php echo optionlist($databases, DB); ?></select>
<?php } else { ?>
<?php
$ignore = array("server", "username", "password");
$session_name = session_name();
-if (ini_get("session.use_trans_sid") && isset($_POST[$session_name])) {
- $ignore[] = $session_name;
-}
if (isset($_POST["server"])) {
- if (isset($_COOKIE[$session_name]) || isset($_POST[$session_name])) {
- session_regenerate_id(); // defense against session fixation
- $_SESSION["usernames"][$_POST["server"]] = $_POST["username"];
- $_SESSION["passwords"][$_POST["server"]] = $_POST["password"];
- $_SESSION["tokens"][$_POST["server"]] = rand(1, 1e6); // defense against cross-site request forgery
- if (count($_POST) == count($ignore)) {
- $location = ((string) $_GET["server"] === $_POST["server"] ? remove_from_uri() : preg_replace('~^[^?]*/([^?]*).*~', '\\1', $_SERVER["REQUEST_URI"]) . (strlen($_POST["server"]) ? '?server=' . urlencode($_POST["server"]) : ''));
- if (!isset($_COOKIE[$session_name])) {
- $location .= (strpos($location, "?") === false ? "?" : "&") . SID;
- }
- header("Location: " . (strlen($location) ? $location : "."));
- exit;
- }
- if ($_POST["token"]) {
- $_POST["token"] = $_SESSION["tokens"][$_POST["server"]];
+ session_regenerate_id(); // defense against session fixation
+ $_SESSION["usernames"][$_POST["server"]] = $_POST["username"];
+ $_SESSION["passwords"][$_POST["server"]] = $_POST["password"];
+ $_SESSION["tokens"][$_POST["server"]] = rand(1, 1e6); // defense against cross-site request forgery
+ if (count($_POST) == count($ignore)) {
+ $location = ((string) $_GET["server"] === $_POST["server"] ? remove_from_uri() : preg_replace('~^[^?]*/([^?]*).*~', '\\1', $_SERVER["REQUEST_URI"]) . (strlen($_POST["server"]) ? '?server=' . urlencode($_POST["server"]) : ''));
+ if (!isset($_COOKIE[$session_name])) {
+ $location .= (strpos($location, "?") === false ? "?" : "&") . SID;
}
+ header("Location: " . (strlen($location) ? $location : "."));
+ exit;
+ }
+ if ($_POST["token"]) {
+ $_POST["token"] = $_SESSION["tokens"][$_POST["server"]];
}
$_GET["server"] = $_POST["server"];
} elseif (isset($_POST["logout"])) {
if (!ini_get("session.auto_start")) {
// use specific session name to get own namespace
+ @ini_set("session.use_trans_sid", false); // @ - may be disabled
session_name("adminer_sid");
session_set_cookie_params(0, preg_replace('~\\?.*~', '', $_SERVER["REQUEST_URI"])); //! use HttpOnly in PHP 5
session_start();
@set_time_limit(0); // @ - can be disabled
define("DB", $_GET["db"]); // for the sake of speed and size
-define("ME", preg_replace('~^[^?]*/([^?]*).*~', '\\1', $_SERVER["REQUEST_URI"]) . '?' . (strlen($_GET["server"]) ? 'server=' . urlencode($_GET["server"]) . '&' : '') . (strlen(DB) ? 'db=' . urlencode(DB) . '&' : ''));
+define("ME", preg_replace('~^[^?]*/([^?]*).*~', '\\1', $_SERVER["REQUEST_URI"]) . '?' . (SID ? SID . '&' : '') . (strlen($_GET["server"]) ? 'server=' . urlencode($_GET["server"]) . '&' : '') . (strlen(DB) ? 'db=' . urlencode(DB) . '&' : ''));
$on_actions = array("RESTRICT", "CASCADE", "SET NULL", "NO ACTION"); // used in foreign_keys()
include "../adminer/include/version.inc.php";
projects / adminer.git / commitdiff