<?php
-page_header(lang('Call') . ": " . htmlspecialchars($_GET["call"]), $error);
+page_header(lang('Call') . ": " . h($_GET["call"]), $error);
$routine = routine($_GET["call"], (isset($_GET["callf"]) ? "FUNCTION" : "PROCEDURE"));
$in = array();
$val = "''";
}
if (isset($out[$key])) {
- $dbh->query("SET @" . idf_escape($field["field"]) . " = " . $val);
+ $dbh->query("SET @" . idf_escape($field["field"]) . " = $val");
}
}
$call[] = (isset($out[$key]) ? "@" . idf_escape($field["field"]) : $val);
}
$result = $dbh->multi_query((isset($_GET["callf"]) ? "SELECT" : "CALL") . " " . idf_escape($_GET["call"]) . "(" . implode(", ", $call) . ")");
if (!$result) {
- echo "<p class='error'>" . htmlspecialchars($dbh->error) . "\n";
+ echo "<p class='error'>" . h($dbh->error) . "\n";
} else {
do {
$result = $dbh->store_result();
echo "<table cellspacing='0'>\n";
foreach ($in as $key) {
$field = $routine["fields"][$key];
- echo "<tr><th>" . htmlspecialchars($field["field"]);
+ echo "<tr><th>" . h($field["field"]);
$value = $_POST["fields"][$key];
if (strlen($value) && ($field["type"] == "enum" || $field["type"] == "set")) {
$value = intval($value);
$suhosin = floor(extension_loaded("suhosin") ? (min(ini_get("suhosin.request.max_vars"), ini_get("suhosin.post.max_vars")) - 13) / 8 : 0);
if ($suhosin && count($row["fields"]) > $suhosin) {
- echo "<p class='error'>" . htmlspecialchars(lang('Maximum number of allowed fields exceeded. Please increase %s and %s.', 'suhosin.post.max_vars', 'suhosin.request.max_vars')) . "\n";
+ echo "<p class='error'>" . h(lang('Maximum number of allowed fields exceeded. Please increase %s and %s.', 'suhosin.post.max_vars', 'suhosin.request.max_vars')) . "\n";
}
?>
<form action="" method="post" id="form">
<p>
-<?php echo lang('Table name'); ?>: <input name="name" maxlength="64" value="<?php echo htmlspecialchars($row["name"]); ?>">
+<?php echo lang('Table name'); ?>: <input name="name" maxlength="64" value="<?php echo h($row["name"]); ?>">
<select name="Engine"><option value="">(<?php echo lang('engine'); ?>)<?php echo optionlist($engines, $row["Engine"]); ?></select>
<select name="Collation"><option value="">(<?php echo lang('collation'); ?>)<?php echo optionlist($collations, $row["Collation"]); ?></select>
<input type="submit" value="<?php echo lang('Save'); ?>">
</table>
<p>
<?php echo lang('Auto Increment'); ?>: <input name="Auto_increment" size="6" value="<?php echo intval($row["Auto_increment"]); ?>">
-<?php echo lang('Comment'); ?>: <input name="Comment" value="<?php echo htmlspecialchars($row["Comment"]); ?>" maxlength="60">
+<?php echo lang('Comment'); ?>: <input name="Comment" value="<?php echo h($row["Comment"]); ?>" maxlength="60">
<script type="text/javascript">// <![CDATA[
document.write('<label><input type="checkbox"<?php if ($column_comments) { ?> checked="checked"<?php } ?> onclick="column_comments_click(this.checked);"><?php echo lang('Show column comments'); ?></label>');
// ]]></script>
<fieldset><legend><?php echo lang('Partition by'); ?></legend>
<p>
<select name="partition_by" onchange="partition_by_change(this);"><option><?php echo optionlist($partition_by, $row["partition_by"]); ?></select>
-(<input name="partition" value="<?php echo htmlspecialchars($row["partition"]); ?>">)
-<?php echo lang('Partitions'); ?>: <input name="partitions" size="2" value="<?php echo htmlspecialchars($row["partitions"]); ?>"<?php echo ($partition_table || !$row["partition_by"] ? " class='hidden'" : ""); ?>>
+(<input name="partition" value="<?php echo h($row["partition"]); ?>">)
+<?php echo lang('Partitions'); ?>: <input name="partitions" size="2" value="<?php echo h($row["partitions"]); ?>"<?php echo ($partition_table || !$row["partition_by"] ? " class='hidden'" : ""); ?>>
<table cellspacing="0" id="partition-table"<?php echo ($partition_table ? "" : " class='hidden'"); ?>>
<thead><tr><th><?php echo lang('Partition name'); ?><th><?php echo lang('Values'); ?></thead>
<?php
foreach ($row["partition_names"] as $key => $val) {
echo '<tr>';
- echo '<td><input name="partition_names[]" value="' . htmlspecialchars($val) . '"' . ($key == count($row["partition_names"]) - 1 ? ' onchange="partition_name_change(this);"' : '') . '>';
- echo '<td><input name="partition_values[]" value="' . htmlspecialchars($row["partition_values"][$key]) . '">';
+ echo '<td><input name="partition_names[]" value="' . h($val) . '"' . ($key == count($row["partition_names"]) - 1 ? ' onchange="partition_name_change(this);"' : '') . '>';
+ echo '<td><input name="partition_values[]" value="' . h($row["partition_values"][$key]) . '">';
}
?>
</table>
<form action="" method="post">
<p>
<?php echo ($_POST["add_x"]
- ? '<textarea name="name" rows="10" cols="40">' . htmlspecialchars($name) . '</textarea><br>'
- : '<input name="name" value="' . htmlspecialchars($name) . '" maxlength="64">'
+ ? '<textarea name="name" rows="10" cols="40">' . h($name) . '</textarea><br>'
+ : '<input name="name" value="' . h($name) . '" maxlength="64">'
) . "\n"; ?>
<select name="collation"><option value="">(<?php echo lang('collation'); ?>)<?php echo optionlist($collations, $collate); ?></select>
<input type="hidden" name="token" value="<?php echo $token; ?>">
$message = lang('Tables have been dropped.');
} else {
while ($row = $result->fetch_assoc()) {
- $message .= htmlspecialchars("$row[Table]: $row[Msg_text]") . "<br>";
+ $message .= h("$row[Table]: $row[Msg_text]") . "<br>";
}
}
}
query_redirect(queries(), substr($SELF, 0, -1), $message, $result, false, !$result);
}
-page_header(lang('Database') . ": " . htmlspecialchars($_GET["db"]), $error, false);
-echo '<p><a href="' . htmlspecialchars($SELF) . 'database=">' . lang('Alter database') . "</a>\n";
-echo '<p><a href="' . htmlspecialchars($SELF) . 'schema=">' . lang('Database schema') . "</a>\n";
+page_header(lang('Database') . ": " . h($_GET["db"]), $error, false);
+echo '<p><a href="' . h($SELF) . 'database=">' . lang('Alter database') . "</a>\n";
+echo '<p><a href="' . h($SELF) . 'schema=">' . lang('Database schema') . "</a>\n";
echo "<h3>" . lang('Tables and views') . "</h3>\n";
$table_status = table_status();
foreach ($table_status as $row) {
$name = $row["Name"];
table_comment($row);
- echo '<tr' . odd() . '><td><input type="checkbox" name="' . (isset($row["Rows"]) ? 'tables' : 'views') . '[]" value="' . htmlspecialchars($name) . '"' . (in_array($name, $tables_views, true) ? ' checked="checked"' : '') . ' onclick="form_uncheck(\'check-all\');">';
- echo '<th><a href="' . htmlspecialchars($SELF) . 'table=' . urlencode($name) . '">' . htmlspecialchars($name) . '</a>';
+ echo '<tr' . odd() . '><td><input type="checkbox" name="' . (isset($row["Rows"]) ? 'tables' : 'views') . '[]" value="' . h($name) . '"' . (in_array($name, $tables_views, true) ? ' checked="checked"' : '') . ' onclick="form_uncheck(\'check-all\');">';
+ echo '<th><a href="' . h($SELF) . 'table=' . urlencode($name) . '">' . h($name) . '</a>';
if (isset($row["Rows"])) {
echo "<td>$row[Engine]<td>$row[Collation]";
foreach (array("Data_length" => "create", "Index_length" => "indexes", "Data_free" => "edit", "Auto_increment" => "create", "Rows" => "select") as $key => $link) {
$val = number_format($row[$key], 0, '.', lang(','));
- echo '<td align="right">' . (strlen($row[$key]) ? '<a href="' . htmlspecialchars("$SELF$link=") . urlencode($name) . '">' . str_replace(" ", " ", ($key == "Rows" && $row["Engine"] == "InnoDB" && $val ? lang('~ %s', $val) : $val)) . '</a>' : ' ');
+ echo '<td align="right">' . (strlen($row[$key]) ? '<a href="' . h("$SELF$link=") . urlencode($name) . '">' . str_replace(" ", " ", ($key == "Rows" && $row["Engine"] == "InnoDB" && $val ? lang('~ %s', $val) : $val)) . '</a>' : ' ');
}
- echo "<td>" . (strlen(trim($row["Comment"])) ? htmlspecialchars($row["Comment"]) : " ");
+ echo "<td>" . (strlen(trim($row["Comment"])) ? h($row["Comment"]) : " ");
} else {
- echo '<td colspan="8"><a href="' . htmlspecialchars($SELF) . "select=" . urlencode($name) . '">' . lang('View') . '</a>';
+ echo '<td colspan="8"><a href="' . h($SELF) . "select=" . urlencode($name) . '">' . lang('View') . '</a>';
}
}
echo "</table>\n";
$dbs = get_databases();
if (count($dbs) != 1) {
$db = (isset($_POST["target"]) ? $_POST["target"] : $_GET["db"]);
- echo "<p>" . lang('Move to other database') . ($dbs ? ": <select name='target'>" . optionlist($dbs, $db) . "</select>" : ': <input name="target" value="' . htmlspecialchars($db) . '">') . " <input type='submit' name='move' value='" . lang('Move') . "'>\n";
+ echo "<p>" . lang('Move to other database') . ($dbs ? ": <select name='target'>" . optionlist($dbs, $db) . "</select>" : ': <input name="target" value="' . h($db) . '">') . " <input type='submit' name='move' value='" . lang('Move') . "'>\n";
}
echo "</form>\n";
}
if ($dbh->server_info >= 5) {
- echo '<p><a href="' . htmlspecialchars($SELF) . 'view=">' . lang('Create view') . "</a>\n";
+ echo '<p><a href="' . h($SELF) . 'view=">' . lang('Create view') . "</a>\n";
echo "<h3>" . lang('Routines') . "</h3>\n";
$result = $dbh->query("SELECT * FROM information_schema.ROUTINES WHERE ROUTINE_SCHEMA = " . $dbh->quote($_GET["db"]));
if ($result->num_rows) {
echo "<table cellspacing='0'>\n";
while ($row = $result->fetch_assoc()) {
echo "<tr>";
- echo "<td>" . htmlspecialchars($row["ROUTINE_TYPE"]);
- echo '<th><a href="' . htmlspecialchars($SELF) . ($row["ROUTINE_TYPE"] == "FUNCTION" ? 'callf=' : 'call=') . urlencode($row["ROUTINE_NAME"]) . '">' . htmlspecialchars($row["ROUTINE_NAME"]) . '</a>';
- echo '<td><a href="' . htmlspecialchars($SELF) . ($row["ROUTINE_TYPE"] == "FUNCTION" ? 'function=' : 'procedure=') . urlencode($row["ROUTINE_NAME"]) . '">' . lang('Alter') . "</a>";
+ echo "<td>" . h($row["ROUTINE_TYPE"]);
+ echo '<th><a href="' . h($SELF) . ($row["ROUTINE_TYPE"] == "FUNCTION" ? 'callf=' : 'call=') . urlencode($row["ROUTINE_NAME"]) . '">' . h($row["ROUTINE_NAME"]) . '</a>';
+ echo '<td><a href="' . h($SELF) . ($row["ROUTINE_TYPE"] == "FUNCTION" ? 'function=' : 'procedure=') . urlencode($row["ROUTINE_NAME"]) . '">' . lang('Alter') . "</a>";
}
echo "</table>\n";
}
$result->free();
- echo '<p><a href="' . htmlspecialchars($SELF) . 'procedure=">' . lang('Create procedure') . '</a> <a href="' . htmlspecialchars($SELF) . 'function=">' . lang('Create function') . "</a>\n";
+ echo '<p><a href="' . h($SELF) . 'procedure=">' . lang('Create procedure') . '</a> <a href="' . h($SELF) . 'function=">' . lang('Create function') . "</a>\n";
}
if ($dbh->server_info >= 5.1 && ($result = $dbh->query("SHOW EVENTS"))) {
echo "<thead><tr><th>" . lang('Name') . "<td>" . lang('Schedule') . "<td>" . lang('Start') . "<td>" . lang('End') . "</thead>\n";
while ($row = $result->fetch_assoc()) {
echo "<tr>";
- echo '<th><a href="' . htmlspecialchars($SELF) . 'event=' . urlencode($row["Name"]) . '">' . htmlspecialchars($row["Name"]) . "</a>";
+ echo '<th><a href="' . h($SELF) . 'event=' . urlencode($row["Name"]) . '">' . h($row["Name"]) . "</a>";
echo "<td>" . ($row["Execute at"] ? lang('At given time') . "<td>" . $row["Execute at"] : lang('Every') . " " . $row["Interval value"] . " " . $row["Interval field"] . "<td>$row[Starts]");
echo "<td>$row[Ends]";
}
echo "</table>\n";
}
$result->free();
- echo '<p><a href="' . htmlspecialchars($SELF) . 'event=">' . lang('Create event') . "</a>\n";
+ echo '<p><a href="' . h($SELF) . 'event=">' . lang('Create event') . "</a>\n";
}
$views = "";
foreach (table_status() as $row) {
$checked = (strlen($_GET["dump"]) && $row["Name"] != $_GET["dump"] ? '' : " checked='checked'");
- $print = '<tr><td><label><input type="checkbox" name="tables[]" value="' . htmlspecialchars($row["Name"]) . "\"$checked onclick=\"form_uncheck('check-tables');\">" . htmlspecialchars($row["Name"]) . "</label>";
+ $print = "<tr><td><label><input type='checkbox' name='tables[]' value='" . h($row["Name"]) . "'$checked onclick=\"form_uncheck('check-tables');\">" . h($row["Name"]) . "</label>";
if (!$row["Engine"]) {
$views .= "$print\n";
} else {
- echo "$print<td align='right'><label>" . ($row["Engine"] == "InnoDB" && $row["Rows"] ? lang('~ %s', $row["Rows"]) : $row["Rows"]) . '<input type="checkbox" name="data[]" value="' . htmlspecialchars($row["Name"]) . "\"$checked onclick=\"form_uncheck('check-data');\"></label>\n";
+ echo "$print<td align='right'><label>" . ($row["Engine"] == "InnoDB" && $row["Rows"] ? lang('~ %s', $row["Rows"]) : $row["Rows"]) . "<input type='checkbox' name='data[]' value='" . h($row["Name"]) . "'$checked onclick=\"form_uncheck('check-data');\"></label>\n";
}
}
echo $views;
echo "<thead><tr><th style='text-align: left;'><label><input type='checkbox' id='check-databases' checked='checked' onclick='form_check(this, /^databases\\[/);'>" . lang('Database') . "</label></thead>\n";
foreach (get_databases() as $db) {
if (!information_schema($db)) {
- echo '<tr><td><label><input type="checkbox" name="databases[]" value="' . htmlspecialchars($db) . '" checked="checked" onclick="form_uncheck(\'check-databases\');">' . htmlspecialchars($db) . "</label>\n";
+ echo '<tr><td><label><input type="checkbox" name="databases[]" value="' . h($db) . '" checked="checked" onclick="form_uncheck(\'check-databases\');">' . h($db) . "</label>\n";
}
}
}
$create = $dbh->result($dbh->query("SHOW CREATE TABLE " . idf_escape($_GET["edit"])), 1);
}
$checked = ($_POST ? $_POST["on_update"][bracket_escape($name)] : preg_match("~\n\\s*" . preg_quote(idf_escape($name), '~') . " timestamp.* on update CURRENT_TIMESTAMP~i", $create));
- echo '<label><input type="checkbox" name="on_update[' . htmlspecialchars(bracket_escape($name)) . ']" value="1"' . ($checked ? ' checked="checked"' : '') . '>' . lang('ON UPDATE CURRENT_TIMESTAMP') . '</label>';
+ echo '<label><input type="checkbox" name="on_update[' . h(bracket_escape($name)) . ']" value="1"' . ($checked ? ' checked="checked"' : '') . '>' . lang('ON UPDATE CURRENT_TIMESTAMP') . '</label>';
}
echo "\n";
}
}
}
-page_header((strlen($_GET["event"]) ? lang('Alter event') . ": " . htmlspecialchars($_GET["event"]) : lang('Create event')), $error);
+page_header((strlen($_GET["event"]) ? lang('Alter event') . ": " . h($_GET["event"]) : lang('Create event')), $error);
$row = array();
if ($_POST) {
<form action="" method="post">
<table cellspacing="0">
-<tr><th><?php echo lang('Name'); ?><td><input name="EVENT_NAME" value="<?php echo htmlspecialchars($row["EVENT_NAME"]); ?>" maxlength="64">
-<tr><th><?php echo lang('Start'); ?><td><input name="STARTS" value="<?php echo htmlspecialchars("$row[EXECUTE_AT]$row[STARTS]"); ?>">
-<tr><th><?php echo lang('End'); ?><td><input name="ENDS" value="<?php echo htmlspecialchars($row["ENDS"]); ?>">
-<tr><th><?php echo lang('Every'); ?><td><input name="INTERVAL_VALUE" value="<?php echo htmlspecialchars($row["INTERVAL_VALUE"]); ?>" size="6"> <select name="INTERVAL_FIELD"><?php echo optionlist($intervals, $row["INTERVAL_FIELD"]); ?></select>
+<tr><th><?php echo lang('Name'); ?><td><input name="EVENT_NAME" value="<?php echo h($row["EVENT_NAME"]); ?>" maxlength="64">
+<tr><th><?php echo lang('Start'); ?><td><input name="STARTS" value="<?php echo h("$row[EXECUTE_AT]$row[STARTS]"); ?>">
+<tr><th><?php echo lang('End'); ?><td><input name="ENDS" value="<?php echo h($row["ENDS"]); ?>">
+<tr><th><?php echo lang('Every'); ?><td><input name="INTERVAL_VALUE" value="<?php echo h($row["INTERVAL_VALUE"]); ?>" size="6"> <select name="INTERVAL_FIELD"><?php echo optionlist($intervals, $row["INTERVAL_FIELD"]); ?></select>
<tr><th><?php echo lang('Status'); ?><td><select name="STATUS"><?php echo optionlist($statuses, $row["STATUS"]); ?></select>
-<tr><th><?php echo lang('Comment'); ?><td><input name="EVENT_COMMENT" value="<?php echo htmlspecialchars($row["EVENT_COMMENT"]); ?>" maxlength="64">
+<tr><th><?php echo lang('Comment'); ?><td><input name="EVENT_COMMENT" value="<?php echo h($row["EVENT_COMMENT"]); ?>" maxlength="64">
<tr><th> <td><label><input type="checkbox" name="ON_COMPLETION" value="PRESERVE"<?php echo ($row["ON_COMPLETION"] == "PRESERVE" ? " checked='checked'" : ""); ?>><?php echo lang('On completion preserve'); ?></label>
</table>
-<p><textarea name="EVENT_DEFINITION" rows="10" cols="80" style="width: 98%;"><?php echo htmlspecialchars($row["EVENT_DEFINITION"]); ?></textarea>
+<p><textarea name="EVENT_DEFINITION" rows="10" cols="80" style="width: 98%;"><?php echo h($row["EVENT_DEFINITION"]); ?></textarea>
<p>
<input type="hidden" name="token" value="<?php echo $token; ?>">
<input type="submit" value="<?php echo lang('Save'); ?>">
function loginForm($username) {
?>
<table cellspacing="0">
-<tr><th><?php echo lang('Server'); ?><td><input name="server" value="<?php echo htmlspecialchars($_GET["server"]); ?>">
-<tr><th><?php echo lang('Username'); ?><td><input name="username" value="<?php echo htmlspecialchars($username); ?>">
+<tr><th><?php echo lang('Server'); ?><td><input name="server" value="<?php echo h($_GET["server"]); ?>">
+<tr><th><?php echo lang('Username'); ?><td><input name="username" value="<?php echo h($username); ?>">
<tr><th><?php echo lang('Password'); ?><td><input type="password" name="password">
</table>
<?php
* @return string
*/
function tableName($tableStatus) {
- return htmlspecialchars($tableStatus["Name"]);
+ return h($tableStatus["Name"]);
}
/** Field caption used in select and edit
* @return string
*/
function fieldName($field, $order = 0) {
- return '<span title="' . htmlspecialchars($field["full_type"]) . '">' . htmlspecialchars($field["field"]) . '</span>';
+ return '<span title="' . h($field["full_type"]) . '">' . h($field["field"]) . '</span>';
}
/** Links after select heading
*/
function selectLinks($tableStatus) {
global $SELF;
- return '<a href="' . htmlspecialchars($SELF) . 'table=' . urlencode($_GET['select']) . '">' . lang('Table structure') . '</a>';
+ return '<a href="' . h($SELF) . 'table=' . urlencode($_GET['select']) . '">' . lang('Table structure') . '</a>';
}
/** Find backward keys for table
function selectQuery($query) {
global $SELF;
// it would be nice if $query can be passed by reference and printed value would be returned but call_user() doesn't allow reference parameters
- return "<p><code class='jush-sql'>" . htmlspecialchars($query) . "</code> <a href='" . htmlspecialchars($SELF) . "sql=" . urlencode($query) . "'>" . lang('Edit') . "</a>\n";
+ return "<p><code class='jush-sql'>" . h($query) . "</code> <a href='" . h($SELF) . "sql=" . urlencode($query) . "'>" . lang('Edit') . "</a>\n";
}
/** Description of a row in a table
echo '<fieldset><legend><a href="#fieldset-search" onclick="return !toggle(\'fieldset-search\');">' . lang('Search') . "</a></legend><div id='fieldset-search'" . ($where ? "" : " class='hidden'") . ">\n";
foreach ($indexes as $i => $index) {
if ($index["type"] == "FULLTEXT") {
- echo "(<i>" . implode("</i>, <i>", array_map('htmlspecialchars', $index["columns"])) . "</i>) AGAINST";
- echo ' <input name="fulltext[' . $i . ']" value="' . htmlspecialchars($_GET["fulltext"][$i]) . '">';
+ echo "(<i>" . implode("</i>, <i>", array_map('h', $index["columns"])) . "</i>) AGAINST";
+ echo " <input name='fulltext[$i]' value='" . h($_GET["fulltext"][$i]) . "'>";
echo "<label><input type='checkbox' name='boolean[$i]' value='1'" . (isset($_GET["boolean"][$i]) ? " checked='checked'" : "") . ">" . lang('BOOL') . "</label>";
echo "<br>\n";
}
if (strlen("$val[col]$val[val]") && in_array($val["op"], $this->operators)) {
echo "<div><select name='where[$i][col]'><option value=''>" . lang('(anywhere)') . optionlist($columns, $val["col"], true) . "</select>";
echo "<select name='where[$i][op]'>" . optionlist($this->operators, $val["op"]) . "</select>";
- echo "<input name='where[$i][val]' value=\"" . htmlspecialchars($val["val"]) . "\"></div>\n";
+ echo "<input name='where[$i][val]' value='" . h($val["val"]) . "'></div>\n";
$i++;
}
}
*/
function selectLimitPrint($limit) {
echo "<fieldset><legend>" . lang('Limit') . "</legend><div>"; // <div> for easy styling
- echo "<input name='limit' size='3' value=\"" . htmlspecialchars($limit) . "\">";
+ echo "<input name='limit' size='3' value='" . h($limit) . "'>";
echo "</div></fieldset>\n";
}
function selectLengthPrint($text_length) {
if (isset($text_length)) {
echo "<fieldset><legend>" . lang('Text length') . "</legend><div>";
- echo '<input name="text_length" size="3" value="' . htmlspecialchars($text_length) . '">';
+ echo '<input name="text_length" size="3" value="' . h($text_length) . '">';
echo "</div></fieldset>\n";
}
}
global $SELF;
$id = "sql-" . count($_SESSION["messages"]);
$_SESSION["history"][$_GET["server"]][$_GET["db"]][] = $query;
- return " <a href='#$id' onclick=\"return !toggle('$id');\">" . lang('SQL command') . "</a><div id='$id' class='hidden'><pre class='jush-sql'>" . htmlspecialchars($query) . '</pre><a href="' . htmlspecialchars($SELF . 'sql=&history=' . (count($_SESSION["history"][$_GET["server"]][$_GET["db"]]) - 1)) . '">' . lang('Edit') . '</a></div>';
+ return " <a href='#$id' onclick=\"return !toggle('$id');\">" . lang('SQL command') . "</a><div id='$id' class='hidden'><pre class='jush-sql'>" . h($query) . '</pre><a href="' . h($SELF . 'sql=&history=' . (count($_SESSION["history"][$_GET["server"]][$_GET["db"]]) - 1)) . '">' . lang('Edit') . '</a></div>';
}
/** Functions displayed in edit form
?>
<form action="" method="post">
<p>
-<a href="<?php echo htmlspecialchars($SELF); ?>sql="><?php echo lang('SQL command'); ?></a>
-<a href="<?php echo htmlspecialchars($SELF); ?>dump=<?php echo urlencode(isset($_GET["table"]) ? $_GET["table"] : $_GET["select"]); ?>"><?php echo lang('Dump'); ?></a>
+<a href="<?php echo h($SELF); ?>sql="><?php echo lang('SQL command'); ?></a>
+<a href="<?php echo h($SELF); ?>dump=<?php echo urlencode(isset($_GET["table"]) ? $_GET["table"] : $_GET["select"]); ?>"><?php echo lang('Dump'); ?></a>
<input type="hidden" name="token" value="<?php echo $_SESSION["tokens"][$_GET["server"]]; ?>">
<input type="submit" name="logout" value="<?php echo lang('Logout'); ?>">
</p>
</form>
<form action="">
-<p><?php if (strlen($_GET["server"])) { ?><input type="hidden" name="server" value="<?php echo htmlspecialchars($_GET["server"]); ?>"><?php } ?>
+<p><?php if (strlen($_GET["server"])) { ?><input type="hidden" name="server" value="<?php echo h($_GET["server"]); ?>"><?php } ?>
<?php if ($databases) { ?>
<select name="db" onchange="this.form.submit();"><option value="">(<?php echo lang('database'); ?>)<?php echo optionlist($databases, $_GET["db"]); ?></select>
<?php } else { ?>
-<input name="db" value="<?php echo htmlspecialchars($_GET["db"]); ?>">
+<input name="db" value="<?php echo h($_GET["db"]); ?>">
<?php } ?>
<?php if (isset($_GET["sql"])) { ?><input type="hidden" name="sql" value=""><?php } ?>
<?php if (isset($_GET["schema"])) { ?><input type="hidden" name="schema" value=""><?php } ?>
} else {
echo "<p>\n";
while ($row = $result->fetch_row()) {
- echo '<a href="' . htmlspecialchars($SELF) . 'select=' . urlencode($row[0]) . '">' . lang('select') . '</a> ';
- echo '<a href="' . htmlspecialchars($SELF) . 'table=' . urlencode($row[0]) . '">' . $this->tableName(array("Name" => $row[0])) . "</a><br>\n"; //! Adminer::tableName may work with full table status
+ echo '<a href="' . h($SELF) . 'select=' . urlencode($row[0]) . '">' . lang('select') . '</a> ';
+ echo '<a href="' . h($SELF) . 'table=' . urlencode($row[0]) . '">' . $this->tableName(array("Name" => $row[0])) . "</a><br>\n"; //! Adminer::tableName may work with full table status
}
}
$result->free();
- echo '<p><a href="' . htmlspecialchars($SELF) . 'create=">' . lang('Create new table') . "</a>\n";
+ echo '<p><a href="' . h($SELF) . 'create=">' . lang('Create new table') . "</a>\n";
}
}
}
global $ignore, $dbh, $adminer;
$username = $_SESSION["usernames"][$_GET["server"]];
unset($_SESSION["usernames"][$_GET["server"]]);
- page_header(lang('Login'), (isset($username) ? htmlspecialchars($exception ? $exception->getMessage() : (is_string($dbh) ? $dbh : lang('Invalid credentials.'))) : (isset($_POST["server"]) ? lang('Sessions must be enabled.') : ($_POST ? lang('Session expired, please login again.') : ""))), null);
+ page_header(lang('Login'), (isset($username) ? h($exception ? $exception->getMessage() : (is_string($dbh) ? $dbh : lang('Invalid credentials.'))) : (isset($_POST["server"]) ? lang('Sessions must be enabled.') : ($_POST ? lang('Session expired, please login again.') : ""))), null);
echo "<form action='' method='post'>\n";
$adminer->loginForm($username);
echo "<p>\n";
hidden_fields($_POST, $ignore); // expired session
foreach ($_FILES as $key => $val) {
- echo '<input type="hidden" name="files[' . htmlspecialchars($key) . ']" value="' . ($val["error"] ? $val["error"] : base64_encode(file_get_contents($val["tmp_name"]))) . '">';
+ echo '<input type="hidden" name="files[' . h($key) . ']" value="' . ($val["error"] ? $val["error"] : base64_encode(file_get_contents($val["tmp_name"]))) . '">';
}
echo "<input type='submit' value='" . lang('Login') . "'>\n</form>\n";
page_footer("auth");
function connect_error() {
global $dbh, $SELF, $VERSION;
if (strlen($_GET["db"])) {
- page_header(lang('Database') . ": " . htmlspecialchars($_GET["db"]), lang('Invalid database.'), false);
+ page_header(lang('Database') . ": " . h($_GET["db"]), lang('Invalid database.'), false);
} else {
page_header(lang('Select database'), "", null);
foreach (array(
'processlist' => lang('Process list'),
'variables' => lang('Variables'),
) as $key => $val) {
- echo '<p><a href="' . htmlspecialchars($SELF) . "$key=\">$val</a>\n";
+ echo '<p><a href="' . h($SELF) . "$key=\">$val</a>\n";
}
echo "<p>" . lang('MySQL version: %s through PHP extension %s', "<b" . ($dbh->server_info < 4.1 ? " class='binary'" : "") . ">$dbh->server_info</b>", "<b>$dbh->extension</b>") . "\n";
- echo "<p>" . lang('Logged as: %s', "<b>" . htmlspecialchars($dbh->result($dbh->query("SELECT USER()"))) . "</b>") . "\n";
+ echo "<p>" . lang('Logged as: %s', "<b>" . h($dbh->result($dbh->query("SELECT USER()"))) . "</b>") . "\n";
}
page_footer("db");
}
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Content-Script-Type" content="text/javascript">
<meta name="robots" content="noindex">
-<title><?php echo $title . (strlen($title2) ? ": " . htmlspecialchars($title2) : "") . (strlen($_GET["server"]) && $_GET["server"] != "localhost" ? htmlspecialchars("- $_GET[server]") : "") . " - " . $adminer->name(); ?></title>
+<title><?php echo $title . (strlen($title2) ? ": " . h($title2) : "") . (strlen($_GET["server"]) && $_GET["server"] != "localhost" ? h("- $_GET[server]") : "") . " - " . $adminer->name(); ?></title>
<link rel="shortcut icon" type="image/x-icon" href="../adminer/favicon.ico">
<link rel="stylesheet" type="text/css" href="../adminer/default.css<?php // Ondrej Valka, http://valka.info ?>">
<?php if (file_exists("adminer.css")) { ?>
<?php
if (isset($breadcrumb)) {
$link = substr(preg_replace('~db=[^&]*&~', '', $SELF), 0, -1);
- echo '<p id="breadcrumb"><a href="' . (strlen($link) ? htmlspecialchars($link) : ".") . '">' . (isset($_GET["server"]) ? htmlspecialchars($_GET["server"]) : lang('Server')) . '</a> » ';
+ echo '<p id="breadcrumb"><a href="' . (strlen($link) ? h($link) : ".") . '">' . (isset($_GET["server"]) ? h($_GET["server"]) : lang('Server')) . '</a> » ';
if (is_array($breadcrumb)) {
if (strlen($_GET["db"])) {
- echo '<a href="' . htmlspecialchars(substr($SELF, 0, -1)) . '">' . htmlspecialchars($_GET["db"]) . '</a> » ';
+ echo '<a href="' . h(substr($SELF, 0, -1)) . '">' . h($_GET["db"]) . '</a> » ';
}
foreach ($breadcrumb as $key => $val) {
$desc = (is_array($val) ? $val[1] : $val);
if (strlen($desc)) {
- echo '<a href="' . htmlspecialchars("$SELF$key=") . urlencode(is_array($val) ? $val[0] : $val) . '">' . htmlspecialchars($desc) . '</a> » ';
+ echo '<a href="' . h("$SELF$key=") . urlencode(is_array($val) ? $val[0] : $val) . '">' . h($desc) . '</a> » ';
}
}
}
echo "$title\n";
}
- echo "<h2>$title" . (strlen($title2) ? ": " . htmlspecialchars($title2) : "") . "</h2>\n";
+ echo "<h2>$title" . (strlen($title2) ? ": " . h($title2) : "") . "</h2>\n";
if ($_SESSION["messages"]) {
echo "<div class='message'>" . implode("</div>\n<div class='message'>", $_SESSION["messages"]) . "</div>\n";
$_SESSION["messages"] = array();
<?php switch_lang(); ?>
<div id="menu">
<h1><a href="http://www.adminer.org/" class="h1"><?php echo $adminer->name(); ?></a> <?php echo $VERSION; ?>
-<a href='http://www.adminer.org/#download' id="version"><?php echo (version_compare($VERSION, $_COOKIE["adminer_version"]) < 0 ? htmlspecialchars($_COOKIE["adminer_version"]) : ""); ?></a>
+<a href='http://www.adminer.org/#download' id="version"><?php echo (version_compare($VERSION, $_COOKIE["adminer_version"]) < 0 ? h($_COOKIE["adminer_version"]) : ""); ?></a>
</h1>
<?php $adminer->navigation($missing); ?>
</div>
global $structured_types, $unsigned, $inout;
?>
<td><select name="<?php echo $key; ?>[type]" onchange="editing_type_change(this);"><?php echo optionlist($structured_types + ($foreign_keys ? array(lang('Foreign keys') => $foreign_keys) : array()), $field["type"]); ?></select>
-<td><input name="<?php echo $key; ?>[length]" value="<?php echo htmlspecialchars($field["length"]); ?>" size="3">
+<td><input name="<?php echo $key; ?>[length]" value="<?php echo h($field["length"]); ?>" size="3">
<td><?php
echo "<select name=\"$key" . '[collation]"' . (ereg('(char|text|enum|set)$', $field["type"]) ? "" : " class='hidden'") . '><option value="">(' . lang('collation') . ')' . optionlist($collations, $field["collation"]) . '</select>';
echo ($unsigned ? " <select name=\"$key" . '[unsigned]"' . (!$field["type"] || ereg('(int|float|double|decimal)$', $field["type"]) ? "" : " class='hidden'") . '><option>' . optionlist($unsigned, $field["unsigned"]) . '</select>' : '');
?>
<tr<?php echo ($display ? "" : " style='display: none;'"); ?>>
<?php if ($type == "PROCEDURE") { ?><td><select name="fields[<?php echo $i; ?>][inout]"><?php echo optionlist($inout, $field["inout"]); ?></select><?php } ?>
-<th><?php if ($display) { ?><input name="fields[<?php echo $i; ?>][field]" value="<?php echo htmlspecialchars($field["field"]); ?>" onchange="<?php echo (strlen($field["field"]) || count($fields) > 1 ? "" : "editing_add_row(this, $allowed); "); ?>editing_name_change(this);" maxlength="64"><?php } ?><input type="hidden" name="fields[<?php echo $i; ?>][orig]" value="<?php echo htmlspecialchars($field[($_POST ? "orig" : "field")]); ?>">
+<th><?php if ($display) { ?><input name="fields[<?php echo $i; ?>][field]" value="<?php echo h($field["field"]); ?>" onchange="<?php echo (strlen($field["field"]) || count($fields) > 1 ? "" : "editing_add_row(this, $allowed); "); ?>editing_name_change(this);" maxlength="64"><?php } ?><input type="hidden" name="fields[<?php echo $i; ?>][orig]" value="<?php echo h($field[($_POST ? "orig" : "field")]); ?>">
<?php edit_type("fields[$i]", $field, $collations, $foreign_keys); ?>
<?php if ($type == "TABLE") { ?>
<td><input type="checkbox" name="fields[<?php echo $i; ?>][null]" value="1"<?php if ($field["null"]) { ?> checked="checked"<?php } ?>>
<td><input type="radio" name="auto_increment_col" value="<?php echo $i; ?>"<?php if ($field["auto_increment"]) { ?> checked="checked"<?php } ?>>
-<td<?php echo ($column_comments ? "" : " class='hidden'"); ?>><input name="fields[<?php echo $i; ?>][comment]" value="<?php echo htmlspecialchars($field["comment"]); ?>" maxlength="255">
+<td<?php echo ($column_comments ? "" : " class='hidden'"); ?>><input name="fields[<?php echo $i; ?>][comment]" value="<?php echo h($field["comment"]); ?>" maxlength="255">
<?php } ?>
<?php
echo "<td class='nowrap'><input type='image' name='add[$i]' src='../adminer/plus.gif' alt='+' title='" . lang('Add next') . "' onclick='var x = editing_add_row(this, $allowed); if (x) { x.focus(); x.onchange = function () { }; } return !x;'>";
return strtr($idf, ($back ? array_flip($trans) : $trans));
}
+function h($string) {
+ return htmlspecialchars($string, ENT_QUOTES);
+}
+
function optionlist($options, $selected = null, $use_keys = false) {
$return = "";
foreach ($options as $k => $v) {
if (is_array($v)) {
- $return .= '<optgroup label="' . htmlspecialchars($k) . '">';
+ $return .= '<optgroup label="' . h($k) . '">';
}
foreach ((is_array($v) ? $v : array($k => $v)) as $key => $val) {
- $return .= '<option' . ($use_keys || is_string($key) ? ' value="' . htmlspecialchars($key) . '"' : '') . (($use_keys || is_string($key) ? (string) $key : $val) === $selected ? ' selected="selected"' : '') . '>' . htmlspecialchars($val);
+ $return .= '<option' . ($use_keys || is_string($key) ? ' value="' . h($key) . '"' : '') . (($use_keys || is_string($key) ? (string) $key : $val) === $selected ? ' selected="selected"' : '') . '>' . h($val);
}
if (is_array($v)) {
$return .= '</optgroup>';
$failed = !$dbh->query($query);
}
if ($failed) {
- $error = htmlspecialchars($dbh->error) . $sql;
+ $error = h($dbh->error) . $sql;
return false;
}
if ($redirect) {
}
function pagination($page) {
- return " " . ($page == $_GET["page"] ? $page + 1 : '<a href="' . htmlspecialchars(remove_from_uri("page") . ($page ? "&page=$page" : "")) . '">' . ($page + 1) . "</a>");
+ return " " . ($page == $_GET["page"] ? $page + 1 : '<a href="' . h(remove_from_uri("page") . ($page ? "&page=$page" : "")) . '">' . ($page + 1) . "</a>");
}
function get_file($key) {
$blobs[$j] = true;
}
$types[$j] = $field->type;
- echo "<th>" . htmlspecialchars($field->name);
+ echo "<th>" . h($field->name);
}
echo "</thead>\n";
}
} elseif (!strlen(trim($val, " \t"))) {
$val = " "; // some content to print a border
} else {
- $val = nl2br(htmlspecialchars($val));
+ $val = nl2br(h($val));
if ($types[$key] == 254) {
$val = "<code>$val</code>";
}
foreach ($indexes[$links[$key]] as $col => $j) {
$link .= "&where" . urlencode("[" . bracket_escape($col) . "]") . "=" . urlencode($row[$j]);
}
- $val = '<a href="' . htmlspecialchars($SELF) . $link . '">' . $val . '</a>';
+ $val = "<a href='" . h($SELF) . "$link'>$val</a>";
}
}
echo "<td>$val";
function shorten_utf8($string, $length = 80, $suffix = "") {
preg_match("~^((?:.|\n){0,$length})(.|\n)?~u", $string, $match); // ~s causes trash in $match[2] under some PHP versions
- return htmlspecialchars($match[1]) . $suffix . ($match[2] ? "<em>...</em>" : "");
+ return h($match[1]) . $suffix . ($match[2] ? "<em>...</em>" : "");
}
function friendly_url($val) {
$process[$key . "[$k]"] = $v;
}
} elseif (!in_array($key, $ignore)) {
- echo '<input type="hidden" name="' . htmlspecialchars($key) . '" value="' . htmlspecialchars($val) . '">';
+ echo '<input type="hidden" name="' . h($key) . '" value="' . h($val) . '">';
}
}
}
function input($field, $value, $function) {
global $types, $adminer;
- $name = htmlspecialchars(bracket_escape($field["field"]));
+ $name = h(bracket_escape($field["field"]));
echo "<td class='function'>";
if ($field["type"] == "enum") {
- echo " <td>" . (isset($_GET["select"]) ? ' <label><input type="radio" name="fields[' . $name . ']" value="-1" checked="checked"><em>' . lang('original') . '</em></label>' : "");
+ echo " <td>" . (isset($_GET["select"]) ? " <label><input type='radio' name='fields[$name]' value='-1' checked='checked'><em>" . lang('original') . "</em></label>" : "");
if ($field["null"] || isset($_GET["default"])) {
- echo ' <label><input type="radio" name="fields[' . $name . ']" value=""' . (($field["null"] ? isset($value) : strlen($value)) || isset($_GET["select"]) ? '' : ' checked="checked"') . '>' . ($field["null"] ? '<em>NULL</em>' : '') . '</label>';
+ echo " <label><input type='radio' name='fields[$name]' value=''" . (($field["null"] ? isset($value) : strlen($value)) || isset($_GET["select"]) ? '' : ' checked="checked"') . '>' . ($field["null"] ? '<em>NULL</em>' : '') . '</label>';
}
if (!isset($_GET["default"])) {
- echo '<input type="radio" name="fields[' . $name . ']" value="0"' . ($value === 0 ? ' checked="checked"' : '') . '>';
+ echo "<input type='radio' name='fields[$name]' value='0'" . ($value === 0 ? ' checked="checked"' : '') . '>';
}
preg_match_all("~'((?:[^']+|'')*)'~", $field["length"], $matches);
foreach ($matches[1] as $i => $val) {
$val = stripcslashes(str_replace("''", "'", $val));
$checked = (is_int($value) ? $value == $i+1 : $value === $val);
- echo ' <label><input type="radio" name="fields[' . $name . ']" value="' . (isset($_GET["default"]) ? (strlen($val) ? htmlspecialchars($val) : " ") : $i+1) . '"' . ($checked ? ' checked="checked"' : '') . '>' . htmlspecialchars($val) . '</label>';
+ echo " <label><input type='radio' name='fields[$name]' value='" . (isset($_GET["default"]) ? (strlen($val) ? h($val) : " ") : $i+1) . "'" . ($checked ? ' checked="checked"' : '') . '>' . h($val) . '</label>';
}
} else {
$functions = (isset($_GET["select"]) ? array("orig" => lang('original')) : array()) + $adminer->editFunctions($field);
$first = array_search("", $functions) + (isset($_GET["select"]) ? 1 : 0);
- $onchange = ($first ? ' onchange="var f = this.form[\'function[' . addcslashes($name, "\r\n'\\") . ']\']; if (' . $first . ' > f.selectedIndex) f.selectedIndex = ' . $first . ';"' : '');
- echo (count($functions) > 1 ? '<select name="function[' . $name . ']">' . optionlist($functions, $function) . '</select>' : " ") . '<td>';
- $input = $adminer->editInput($_GET["edit"], $field, ' name="fields[' . $name . ']"' . $onchange, $value); // usage in call is without a table
+ $onchange = ($first ? " onchange=\"var f = this.form['function[" . addcslashes($name, "\r\n'\\") . "]']; if ($first > f.selectedIndex) f.selectedIndex = $first;\"" : "");
+ echo (count($functions) > 1 ? "<select name='function[$name]'>" . optionlist($functions, $function) . "</select>" : " ") . '<td>';
+ $input = $adminer->editInput($_GET["edit"], $field, " name='fields[$name]'$onchange", $value); // usage in call is without a table
if (strlen($input)) {
echo $input;
} elseif ($field["type"] == "set") { //! 64 bits
foreach ($matches[1] as $i => $val) {
$val = stripcslashes(str_replace("''", "'", $val));
$checked = (is_int($value) ? ($value >> $i) & 1 : in_array($val, explode(",", $value), true));
- echo ' <label><input type="checkbox" name="fields[' . $name . '][' . $i . ']" value="' . (isset($_GET["default"]) ? htmlspecialchars($val) : 1 << $i) . '"' . ($checked ? ' checked="checked"' : '') . "$onchange>" . htmlspecialchars($val) . '</label>';
+ echo " <label><input type='checkbox' name='fields[$name][$i]' value='" . (isset($_GET["default"]) ? h($val) : 1 << $i) . "'" . ($checked ? ' checked="checked"' : '') . "$onchange>" . h($val) . '</label>';
}
} elseif (strpos($field["type"], "text") !== false) {
- echo '<textarea name="fields[' . $name . ']" cols="50" rows="12"' . "$onchange>" . htmlspecialchars($value) . '</textarea>';
+ echo "<textarea name='fields[$name]' cols='50' rows='12'$onchange>" . h($value) . '</textarea>';
} elseif (ereg('binary|blob', $field["type"])) {
- echo (ini_get("file_uploads") ? '<input type="file" name="' . $name . '"' . "$onchange>" : lang('File uploads are disabled.'));
+ echo (ini_get("file_uploads") ? "<input type='file' name='$name'$onchange>" : lang('File uploads are disabled.'));
} else {
// int(3) is only a display hint
$maxlength = (!ereg('int', $field["type"]) && preg_match('~^([0-9]+)(,([0-9]+))?$~', $field["length"], $match) ? ($match[1] + ($match[3] ? 1 : 0) + ($match[2] && !$field["unsigned"] ? 1 : 0)) : ($types[$field["type"]] ? $types[$field["type"]] + ($field["unsigned"] ? 0 : 1) : 0));
- echo '<input name="fields[' . $name . ']" value="' . htmlspecialchars($value) . '"' . ($maxlength ? " maxlength='$maxlength'" : "") . "$onchange>";
+ echo "<input name='fields[$name]' value='" . h($value) . "'" . ($maxlength ? " maxlength='$maxlength'" : "") . "$onchange>";
}
}
}
ksort($index["columns"]);
foreach ($index["columns"] as $i => $column) {
echo "<span><select name='indexes[$j][columns][$i]'" . ($i == count($index["columns"]) ? " onchange='indexes_add_column(this);'" : "") . "><option>" . optionlist($fields, $column) . "</select>";
- echo "<input name='indexes[$j][lengths][$i]' size='2' value=\"" . htmlspecialchars($index["lengths"][$i]) . "\"> </span>\n";
+ echo "<input name='indexes[$j][lengths][$i]' size='2' value='" . h($index["lengths"][$i]) . "'> </span>\n";
}
echo "\n";
$j++;
<?php
page_header(lang('Privileges'));
-echo '<p><a href="' . htmlspecialchars($SELF) . 'user=">' . lang('Create user') . "</a>";
+echo '<p><a href="' . h($SELF) . 'user=">' . lang('Create user') . "</a>";
$result = $dbh->query("SELECT User, Host FROM mysql.user ORDER BY Host, User");
if (!$result) {
?>
<form action=""><p>
- <?php if (strlen($_GET["server"])) { ?><input type="hidden" name="server" value="<?php echo htmlspecialchars($_GET["server"]); ?>"><?php } ?>
+ <?php if (strlen($_GET["server"])) { ?><input type="hidden" name="server" value="<?php echo h($_GET["server"]); ?>"><?php } ?>
<?php echo lang('Username'); ?>: <input name="user">
<?php echo lang('Server'); ?>: <input name="host" value="localhost">
<input type="hidden" name="grant" value="">
echo "<table cellspacing='0'>\n";
echo "<thead><tr><th> <th>" . lang('Username') . "<th>" . lang('Server') . "</thead>\n";
while ($row = $result->fetch_assoc()) {
- echo '<tr' . odd() . '><td><a href="' . htmlspecialchars($SELF . 'user=' . urlencode($row["User"]) . '&host=' . urlencode($row["Host"])) . '">' . lang('edit') . '</a><td>' . htmlspecialchars($row["User"]) . "<td>" . htmlspecialchars($row["Host"]) . "\n";
+ echo '<tr' . odd() . '><td><a href="' . h($SELF . 'user=' . urlencode($row["User"]) . '&host=' . urlencode($row["Host"])) . '">' . lang('edit') . '</a><td>' . h($row["User"]) . "<td>" . h($row["Host"]) . "\n";
}
echo "</table>\n";
$result->free();
}
}
-page_header((strlen($_GET["procedure"]) ? (isset($_GET["function"]) ? lang('Alter function') : lang('Alter procedure')) . ": " . htmlspecialchars($_GET["procedure"]) : (isset($_GET["function"]) ? lang('Create function') : lang('Create procedure'))), $error);
+page_header((strlen($_GET["procedure"]) ? (isset($_GET["function"]) ? lang('Alter function') : lang('Alter procedure')) . ": " . h($_GET["procedure"]) : (isset($_GET["function"]) ? lang('Create function') : lang('Create procedure'))), $error);
$collations = get_vals("SHOW CHARACTER SET");
sort($collations);
<?php edit_fields($row["fields"], $collations, $routine); ?>
<?php if (isset($_GET["function"])) { ?><tr><td><?php echo lang('Return type'); ?><?php echo edit_type("returns", $row["returns"], $collations); ?><?php } ?>
</table>
-<p><textarea name="definition" rows="10" cols="80" style="width: 98%;"><?php echo htmlspecialchars($row["definition"]); ?></textarea>
+<p><textarea name="definition" rows="10" cols="80" style="width: 98%;"><?php echo h($row["definition"]); ?></textarea>
<p>
<input type="hidden" name="token" value="<?php echo $token; ?>">
<?php if ($dropped) { ?><input type="hidden" name="dropped" value="1"><?php } ?>
-<?php echo lang('Name'); ?>: <input name="name" value="<?php echo htmlspecialchars($row["name"]); ?>" maxlength="64">
+<?php echo lang('Name'); ?>: <input name="name" value="<?php echo h($row["name"]); ?>" maxlength="64">
<input type="submit" value="<?php echo lang('Save'); ?>">
<?php if (strlen($_GET["procedure"])) { ?><input type="submit" name="drop" value="<?php echo lang('Drop'); ?>"<?php echo $confirm; ?>><?php } ?>
</form>
<?php
foreach ($schema as $name => $table) {
echo "<div class='table' style='top: " . $table["pos"][0] . "em; left: " . $table["pos"][1] . "em;' onmousedown='schema_mousedown(this, event);'>";
- echo '<a href="' . htmlspecialchars($SELF) . 'table=' . urlencode($name) . '"><strong>' . htmlspecialchars($name) . "</strong></a><br>\n";
+ echo '<a href="' . h($SELF) . 'table=' . urlencode($name) . '"><strong>' . h($name) . "</strong></a><br>\n";
foreach ($table["fields"] as $field) {
- $val = '<span' . type_class($field["type"]) . ' title="' . htmlspecialchars($field["full_type"] . ($field["null"] ? " " . lang('NULL') : '')) . '">' . htmlspecialchars($field["field"]) . '</span>';
+ $val = '<span' . type_class($field["type"]) . ' title="' . h($field["full_type"] . ($field["null"] ? " " . lang('NULL') : '')) . '">' . h($field["field"]) . '</span>';
echo ($field["primary"] ? "<em>$val</em>" : $val) . "<br>\n";
}
foreach ((array) $table["references"] as $target_name => $refs) {
$left1 = $left - $table_pos[$name][1];
$i = 0;
foreach ($ref[0] as $source) {
- echo
'<div class="references" title="' . htmlspecialchars($target_name) . "\" id='refs$left-" . ($i++) . "' style='left: $left1" . "em; top: " . $table["fields"][$source]["pos"] . "em; padding-top: .5em;'><div style='border-top: 1px solid Gray; width: " . (-$left1) . "em;'></div></div>\n";
+ echo
"<div class='references' title='" . h($target_name) . "' id='refs$left-" . ($i++) . "' style='left: $left1" . "em; top: " . $table["fields"][$source]["pos"] . "em; padding-top: .5em;'><div style='border-top: 1px solid Gray; width: " . (-$left1) . "em;'></div></div>\n";
}
}
}
$left1 = $left - $table_pos[$name][1];
$i = 0;
foreach ($columns as $target) {
- echo
'<div class="references" title="' . htmlspecialchars($target_name) . "\" id='refd$left-" . ($i++) . "' style='left: $left1" . "em; top: " . $table["fields"][$target]["pos"] . "em; height: 1.25em; background: url(../adminer/arrow.gif) no-repeat right center;'><div style='height: .5em; border-bottom: 1px solid Gray; width: " . (-$left1) . "em;'></div></div>\n";
+ echo
"<div class='references' title='" . h($target_name) . "' id='refd$left-" . ($i++) . "' style='left: $left1" . "em; top: " . $table["fields"][$target]["pos"] . "em; height: 1.25em; background: url(../adminer/arrow.gif) no-repeat right center;'><div style='height: .5em; border-bottom: 1px solid Gray; width: " . (-$left1) . "em;'></div></div>\n";
}
}
}
echo "<p>";
if (isset($rights["insert"])) {
//! pass search values forth and back
- echo '<a href="' . htmlspecialchars($SELF) . 'edit=' . urlencode($_GET['select']) . '">' . lang('New item') . '</a> ';
+ echo '<a href="' . h($SELF) . 'edit=' . urlencode($_GET['select']) . '">' . lang('New item') . '</a> ';
}
echo $adminer->selectLinks($table_status);
if (!$columns) {
- echo "<p class='error'>" . lang('Unable to select the table') . ($fields ? "" : ": " . htmlspecialchars($dbh->error)) . ".\n";
+ echo "<p class='error'>" . lang('Unable to select the table') . ($fields ? "" : ": " . h($dbh->error)) . ".\n";
} else {
echo "<form action='' id='form'>\n";
echo "<div style='display: none;'>";
- echo (strlen($_GET["server"]) ? '<input type="hidden" name="server" value="' . htmlspecialchars($_GET["server"]) . '">' : "");
- echo '<input type="hidden" name="db" value="' . htmlspecialchars($_GET["db"]) . '">';
- echo '<input type="hidden" name="select" value="' . htmlspecialchars($_GET["select"]) . '">';
+ echo (strlen($_GET["server"]) ? '<input type="hidden" name="server" value="' . h($_GET["server"]) . '">' : "");
+ echo '<input type="hidden" name="db" value="' . h($_GET["db"]) . '">';
+ echo '<input type="hidden" name="select" value="' . h($_GET["select"]) . '">';
echo "</div>\n";
$adminer->selectColumnsPrint($select, $columns);
$adminer->selectSearchPrint($where, $columns, $indexes);
$result = $dbh->query($query);
if (!$result) {
- echo "<p class='error'>" . htmlspecialchars($dbh->error) . "\n";
+ echo "<p class='error'>" . h($dbh->error) . "\n";
} else {
$email_fields = array();
echo "<form action='' method='post' enctype='multipart/form-data'>\n";
if (strlen($name)) {
$order++;
$names[$key] = $name;
- echo '<th><a href="' . htmlspecialchars(remove_from_uri('(order|desc)[^=]*') . '&order%5B0%5D=' . urlencode($key) . ($_GET["order"] == array($key) && !$_GET["desc"][0] ? '&desc%5B0%5D=1' : '')) . '">' . apply_sql_function($val["fun"], $name) . "</a>"; //! columns looking like functions
+ echo '<th><a href="' . h(remove_from_uri('(order|desc)[^=]*') . '&order%5B0%5D=' . urlencode($key) . ($_GET["order"] == array($key) && !$_GET["desc"][0] ? '&desc%5B0%5D=1' : '')) . '">' . apply_sql_function($val["fun"], $name) . "</a>"; //! columns looking like functions
}
next($select);
}
echo ($table_names ? "<th>" . lang('Relations') : "") . "</thead>\n";
foreach ($descriptions as $n => $row) {
$unique_idf = implode('&', unique_idf($rows[$n], $indexes));
- echo '<tr' . odd() . '><td><input type="checkbox" name="check[]" value="' . $unique_idf . '" onclick="this.form[\'all\'].checked = false; form_uncheck(\'all-page\');">' . (count($select) != count($group) || information_schema($_GET["db"]) ? '' : ' <a href="' . htmlspecialchars($SELF) . 'edit=' . urlencode($_GET['select']) . '&' . $unique_idf . '">' . lang('edit') . '</a>');
+ echo "<tr" . odd() . "><td><input type='checkbox' name='check[]' value='$unique_idf' onclick=\"this.form['all'].checked = false; form_uncheck('all-page');\">" . (count($select) != count($group) || information_schema($_GET["db"]) ? '' : " <a href='" . h($SELF) . "edit=" . urlencode($_GET['select']) . "&$unique_idf" . "'>" . lang('edit') . "</a>");
foreach ($row as $key => $val) {
if (isset($names[$key])) {
if (strlen($val) && (!isset($email_fields[$key]) || strlen($email_fields[$key]))) {
$val = "<i>NULL</i>";
} else {
if (ereg('blob|binary', $fields[$key]["type"]) && strlen($val)) {
- $link = htmlspecialchars($SELF . 'download=' . urlencode($_GET["select"]) . '&field=' . urlencode($key) . '&') . $unique_idf;
+ $link = h($SELF . 'download=' . urlencode($_GET["select"]) . '&field=' . urlencode($key) . '&') . $unique_idf;
}
if (!strlen(trim($val, " \t"))) {
$val = " ";
} elseif (strlen($text_length) && ereg('blob|text', $fields[$key]["type"]) && is_utf8($val)) {
$val = nl2br(shorten_utf8($val, max(0, intval($text_length)))); // usage of LEFT() would reduce traffic but complicate query
} else {
- $val = nl2br(htmlspecialchars($val));
+ $val = nl2br(h($val));
}
// link related items
foreach ($foreign_key["source"] as $i => $source) {
$link .= where_link($i, $foreign_key["target"][$i], $rows[$n][$source]);
}
- $link = htmlspecialchars((strlen($foreign_key["db"]) ? preg_replace('~([?&]db=)[^&]+~', '\\1' . urlencode($foreign_key["db"]), $SELF) : $SELF) . 'select=' . urlencode($foreign_key["table"])) . $link; // InnoDB supports non-UNIQUE keys
+ $link = h((strlen($foreign_key["db"]) ? preg_replace('~([?&]db=)[^&]+~', '\\1' . urlencode($foreign_key["db"]), $SELF) : $SELF) . 'select=' . urlencode($foreign_key["table"])) . $link; // InnoDB supports non-UNIQUE keys
break;
}
}
echo "<td>";
foreach ($table_names as $table => $name) {
foreach ($backward_keys[$table] as $columns) {
- echo ' <a href="' . htmlspecialchars($SELF) . 'select=' . urlencode($table);
+ echo " <a href='" . h($SELF) . 'select=' . urlencode($table);
$i = 0;
foreach ($columns as $column => $val) {
echo where_link($i, $column, $rows[$n][$val]);
$i++;
}
- echo "\">$name</a>";
+ echo "'>$name</a>";
}
}
}
$start = explode(" ", microtime()); // microtime(true) is available since PHP 5
//! don't allow changing of character_set_results, convert encoding of displayed query
if (!$dbh->multi_query(substr($query, 0, $match[0][1]))) {
- echo "<p class='error'>" . lang('Error in query') . ": " . htmlspecialchars($dbh->error) . "\n";
+ echo "<p class='error'>" . lang('Error in query') . ": " . h($dbh->error) . "\n";
if ($_POST["error_stops"]) {
break;
}
?>
<form action="" method="post" enctype="multipart/form-data">
-<p><textarea name="query" rows="20" cols="80" style="width: 98%;"><?php echo htmlspecialchars($_POST ? $_POST["query"] : (strlen($_GET["history"]) ? $_SESSION["history"][$_GET["server"]][$_GET["db"]][$_GET["history"]] : $_GET["sql"])); ?></textarea>
+<p><textarea name="query" rows="20" cols="80" style="width: 98%;"><?php echo h($_POST ? $_POST["query"] : (strlen($_GET["history"]) ? $_SESSION["history"][$_GET["server"]][$_GET["db"]][$_GET["history"]] : $_GET["sql"])); ?></textarea>
<p>
<input type="hidden" name="token" value="<?php echo $token; ?>">
<input type="submit" value="<?php echo lang('Execute'); ?>">
echo "<fieldset><legend>" . lang('History') . "</legend>\n";
foreach ($history as $key => $val) {
//! save and display timestamp
- echo '<a href="' . htmlspecialchars($SELF . "sql=&history=$key") . '">' . lang('Edit') . '</a> <code class="jush-sql">' . shorten_utf8(ltrim(str_replace("\n", " ", preg_replace('~^(#|-- ).*~m', '', $val))), 80, "</code>") . "<br>\n";
+ echo '<a href="' . h($SELF . "sql=&history=$key") . '">' . lang('Edit') . '</a> <code class="jush-sql">' . shorten_utf8(ltrim(str_replace("\n", " ", preg_replace('~^(#|-- ).*~m', '', $val))), 80, "</code>") . "<br>\n";
}
echo "<input type='submit' name='clear' value='" . lang('Clear') . "'>\n";
echo "</fieldset>\n";
<?php
$result = $dbh->query("SHOW COLUMNS FROM " . idf_escape($_GET["table"]));
if (!$result) {
- $error = htmlspecialchars($dbh->error);
+ $error = h($dbh->error);
}
$table_status = ($result ? table_status($_GET["table"]) : array());
$is_view = !isset($table_status["Rows"]);
-page_header(($result && $is_view ? lang('View') : lang('Table')) . ": " . htmlspecialchars($_GET["table"]), $error);
+page_header(($result && $is_view ? lang('View') : lang('Table')) . ": " . h($_GET["table"]), $error);
if ($result) {
$auto_increment_only = true;
if (!$row["auto_increment"]) {
$auto_increment_only = false;
}
- echo "<tr><th>" . htmlspecialchars($row["Field"]) . "<td>" . htmlspecialchars($row["Type"]) . ($row["Null"] == "YES" ? " <i>NULL</i>" : "") . "\n";
+ echo "<tr><th>" . h($row["Field"]) . "<td>" . h($row["Type"]) . ($row["Null"] == "YES" ? " <i>NULL</i>" : "") . "\n";
}
echo "</table>\n";
$result->free();
echo "<p>";
if ($is_view) {
- echo '<a href="' . htmlspecialchars($SELF) . 'view=' . urlencode($_GET["table"]) . '">' . lang('Alter view') . '</a>';
+ echo '<a href="' . h($SELF) . 'view=' . urlencode($_GET["table"]) . '">' . lang('Alter view') . '</a>';
} else {
- echo '<a href="' . htmlspecialchars($SELF) . 'create=' . urlencode($_GET["table"]) . '">' . lang('Alter table') . '</a>';
- echo ($auto_increment_only ? '' : ' <a href="' . htmlspecialchars($SELF) . 'default=' . urlencode($_GET["table"]) . '">' . lang('Default values') . '</a>');
+ echo '<a href="' . h($SELF) . 'create=' . urlencode($_GET["table"]) . '">' . lang('Alter table') . '</a>';
+ echo ($auto_increment_only ? '' : ' <a href="' . h($SELF) . 'default=' . urlencode($_GET["table"]) . '">' . lang('Default values') . '</a>');
}
- echo ' <a href="' . htmlspecialchars($SELF) . 'select=' . urlencode($_GET["table"]) . '">' . lang('Select table') . '</a>';
- echo ' <a href="' . htmlspecialchars($SELF) . 'edit=' . urlencode($_GET["table"]) . '">' . lang('New item') . '</a>';
+ echo ' <a href="' . h($SELF) . 'select=' . urlencode($_GET["table"]) . '">' . lang('Select table') . '</a>';
+ echo ' <a href="' . h($SELF) . 'edit=' . urlencode($_GET["table"]) . '">' . lang('New item') . '</a>';
if (!$is_view) {
echo "<h3>" . lang('Indexes') . "</h3>\n";
ksort($index["columns"]); // enforce correct columns order
$print = array();
foreach ($index["columns"] as $key => $val) {
- $print[] = "<i>" . htmlspecialchars($val) . "</i>" . ($index["lengths"][$key] ? "(" . $index["lengths"][$key] . ")" : "");
+ $print[] = "<i>" . h($val) . "</i>" . ($index["lengths"][$key] ? "(" . $index["lengths"][$key] . ")" : "");
}
echo "<tr><th>$index[type]<td>" . implode(", ", $print) . "\n";
}
echo "</table>\n";
}
- echo '<p><a href="' . htmlspecialchars($SELF) . 'indexes=' . urlencode($_GET["table"]) . '">' . lang('Alter indexes') . "</a>\n";
+ echo '<p><a href="' . h($SELF) . 'indexes=' . urlencode($_GET["table"]) . '">' . lang('Alter indexes') . "</a>\n";
if ($table_status["Engine"] == "InnoDB") {
echo "<h3>" . lang('Foreign keys') . "</h3>\n";
if ($foreign_keys) {
echo "<table cellspacing='0'>\n";
foreach ($foreign_keys as $name => $foreign_key) {
- $link = (strlen($foreign_key["db"]) ? "<strong>" . htmlspecialchars($foreign_key["db"]) . "</strong>." : "") . htmlspecialchars($foreign_key["table"]);
+ $link = (strlen($foreign_key["db"]) ? "<strong>" . h($foreign_key["db"]) . "</strong>." : "") . h($foreign_key["table"]);
echo "<tr>";
- echo "<th><i>" . implode("</i>, <i>", array_map('htmlspecialchars', $foreign_key["source"])) . "</i>";
- echo '<td><a href="' . htmlspecialchars(strlen($foreign_key["db"]) ? preg_replace('~db=[^&]*~', "db=" . urlencode($foreign_key["db"]), $SELF) : $SELF) . "table=" . urlencode($foreign_key["table"]) . "\">$link</a>";
- echo "(<em>" . implode("</em>, <em>", array_map('htmlspecialchars', $foreign_key["target"])) . "</em>)";
- echo "<td>" . (!strlen($foreign_key["db"]) ? '<a href="' . htmlspecialchars($SELF) . 'foreign=' . urlencode($_GET["table"]) . '&name=' . urlencode($name) . '">' . lang('Alter') . '</a>' : ' ');
+ echo "<th><i>" . implode("</i>, <i>", array_map('h', $foreign_key["source"])) . "</i>";
+ echo "<td><a href='" . h(strlen($foreign_key["db"]) ? preg_replace('~db=[^&]*~', "db=" . urlencode($foreign_key["db"]), $SELF) : $SELF) . "table=" . urlencode($foreign_key["table"]) . "'>$link</a>";
+ echo "(<em>" . implode("</em>, <em>", array_map('h', $foreign_key["target"])) . "</em>)";
+ echo "<td>" . (!strlen($foreign_key["db"]) ? '<a href="' . h($SELF) . 'foreign=' . urlencode($_GET["table"]) . '&name=' . urlencode($name) . '">' . lang('Alter') . '</a>' : ' ');
}
echo "</table>\n";
}
- echo '<p><a href="' . htmlspecialchars($SELF) . 'foreign=' . urlencode($_GET["table"]) . '">' . lang('Add foreign key') . "</a>\n";
+ echo '<p><a href="' . h($SELF) . 'foreign=' . urlencode($_GET["table"]) . '">' . lang('Add foreign key') . "</a>\n";
}
if ($dbh->server_info >= 5) {
if ($result->num_rows) {
echo "<table cellspacing='0'>\n";
while ($row = $result->fetch_assoc()) {
- echo "<tr valign='top'><td>$row[Timing]<td>$row[Event]<th>" . htmlspecialchars($row["Trigger"]) . "<td><a href=\"" . htmlspecialchars($SELF) . 'trigger=' . urlencode($_GET["table"]) . '&name=' . urlencode($row["Trigger"]) . '">' . lang('Alter') . "</a>\n";
+ echo "<tr valign='top'><td>$row[Timing]<td>$row[Event]<th>" . h($row["Trigger"]) . "<td><a href=\"" . h($SELF) . 'trigger=' . urlencode($_GET["table"]) . '&name=' . urlencode($row["Trigger"]) . '">' . lang('Alter') . "</a>\n";
}
echo "</table>\n";
}
$result->free();
- echo '<p><a href="' . htmlspecialchars($SELF) . 'trigger=' . urlencode($_GET["table"]) . '">' . lang('Add trigger') . "</a>\n";
+ echo '<p><a href="' . h($SELF) . 'trigger=' . urlencode($_GET["table"]) . '">' . lang('Add trigger') . "</a>\n";
}
}
}
}
}
-page_header((strlen($_GET["name"]) ? lang('Alter trigger') . ": " . htmlspecialchars($_GET["name"]) : lang('Create trigger')), $error, array("table" => $_GET["trigger"]));
+page_header((strlen($_GET["name"]) ? lang('Alter trigger') . ": " . h($_GET["name"]) : lang('Create trigger')), $error, array("table" => $_GET["trigger"]));
$row = array("Trigger" => "$_GET[trigger]_bi");
if ($_POST) {
<form action="" method="post" id="form">
<table cellspacing="0">
-<tr><th><?php echo lang('Time'); ?><td><select name="Timing" onchange="if (/^<?php echo htmlspecialchars(preg_quote($_GET["trigger"], "/")); ?>_[ba][iud]$/.test(this.form['Trigger'].value)) this.form['Trigger'].value = '<?php echo htmlspecialchars(addcslashes($_GET["trigger"], "\r\n'\\")); ?>_' + this.value.charAt(0).toLowerCase() + this.form['Event'].value.charAt(0).toLowerCase();"><?php echo optionlist($trigger_time, $row["Timing"]); ?></select>
+<tr><th><?php echo lang('Time'); ?><td><select name="Timing" onchange="if (/^<?php echo h(preg_quote($_GET["trigger"], "/")); ?>_[ba][iud]$/.test(this.form['Trigger'].value)) this.form['Trigger'].value = '<?php echo h(addcslashes($_GET["trigger"], "\r\n'\\")); ?>_' + this.value.charAt(0).toLowerCase() + this.form['Event'].value.charAt(0).toLowerCase();"><?php echo optionlist($trigger_time, $row["Timing"]); ?></select>
<tr><th><?php echo lang('Event'); ?><td><select name="Event" onchange="this.form['Timing'].onchange();"><?php echo optionlist($trigger_event, $row["Event"]); ?></select>
-<tr><th><?php echo lang('Name'); ?><td><input name="Trigger" value="<?php echo htmlspecialchars($row["Trigger"]); ?>" maxlength="64">
+<tr><th><?php echo lang('Name'); ?><td><input name="Trigger" value="<?php echo h($row["Trigger"]); ?>" maxlength="64">
</table>
-<p><textarea name="Statement" rows="10" cols="80" style="width: 98%;"><?php echo htmlspecialchars($row["Statement"]); ?></textarea>
+<p><textarea name="Statement" rows="10" cols="80" style="width: 98%;"><?php echo h($row["Statement"]); ?></textarea>
<p>
<input type="hidden" name="token" value="<?php echo $token; ?>">
<?php if ($dropped) { ?><input type="hidden" name="dropped" value="1"><?php } ?>
}
}
-page_header((isset($_GET["host"]) ? lang('Username') . ": " . htmlspecialchars("$_GET[user]@$_GET[host]") : lang('Create user')), $error, array("privileges" => array('', lang('Privileges'))));
+page_header((isset($_GET["host"]) ? lang('Username') . ": " . h("$_GET[user]@$_GET[host]") : lang('Create user')), $error, array("privileges" => array('', lang('Privileges'))));
if ($_POST) {
$row = $_POST;
?>
<form action="" method="post">
<table cellspacing="0">
-<tr><th><?php echo lang('Username'); ?><td><input name="user" maxlength="16" value="<?php echo htmlspecialchars($row["user"]); ?>">
-<tr><th><?php echo lang('Server'); ?><td><input name="host" maxlength="60" value="<?php echo htmlspecialchars($row["host"]); ?>">
-<tr><th><?php echo lang('Password'); ?><td><input id="pass" name="pass" value="<?php echo htmlspecialchars($row["pass"]); ?>"><?php if (!$row["hashed"]) { ?><script type="text/javascript">document.getElementById('pass').type = 'password';</script><?php } ?> <label><input type="checkbox" name="hashed" value="1"<?php if ($row["hashed"]) { ?> checked="checked"<?php } ?> onclick="this.form['pass'].type = (this.checked ? 'text' : 'password');"><?php echo lang('Hashed'); ?></label>
+<tr><th><?php echo lang('Username'); ?><td><input name="user" maxlength="16" value="<?php echo h($row["user"]); ?>">
+<tr><th><?php echo lang('Server'); ?><td><input name="host" maxlength="60" value="<?php echo h($row["host"]); ?>">
+<tr><th><?php echo lang('Password'); ?><td><input id="pass" name="pass" value="<?php echo h($row["pass"]); ?>"><?php if (!$row["hashed"]) { ?><script type="text/javascript">document.getElementById('pass').type = 'password';</script><?php } ?> <label><input type="checkbox" name="hashed" value="1"<?php if ($row["hashed"]) { ?> checked="checked"<?php } ?> onclick="this.form['pass'].type = (this.checked ? 'text' : 'password');"><?php echo lang('Hashed'); ?></label>
</table>
<?php
echo "<thead><tr><th colspan='2'>" . lang('Privileges');
$i = 0;
foreach ($grants as $object => $grant) {
- echo '<th>' . ($object != "*.*" ? '<input name="objects[' . $i . ']" value="' . htmlspecialchars($object) . '" size="10">' : '<input type="hidden" name="objects[' . $i . ']" value="*.*" size="10">*.*'); //! separate db, table, columns, PROCEDURE|FUNCTION, routine
+ echo '<th>' . ($object != "*.*" ? "<input name='objects[$i]' value='" . h($object) . "' size='10'>" : "<input type='hidden' name='objects[$i]' value='*.*' size='10'>*.*"); //! separate db, table, columns, PROCEDURE|FUNCTION, routine
$i++;
}
echo "</thead>\n";
"Procedures" => lang('Routine'),
) as $context => $desc) {
foreach ((array) $privileges[$context] as $privilege => $comment) {
- echo "<tr" . odd() . "><td" . ($desc ? ">$desc<td" : " colspan='2'") . ' lang="en" title="' . htmlspecialchars($comment) . '">' . htmlspecialchars($privilege);
+ echo "<tr" . odd() . "><td" . ($desc ? ">$desc<td" : " colspan='2'") . ' lang="en" title="' . h($comment) . '">' . h($privilege);
$i = 0;
foreach ($grants as $object => $grant) {
- $name = '"grants[' . $i . '][' . htmlspecialchars(strtoupper($privilege)) . ']"';
+ $name = "'grants[$i][" . h(strtoupper($privilege)) . "]'";
$value = $grant[strtoupper($privilege)];
if ($context == "Server Admin" && $object != (isset($grants["*.*"]) ? "*.*" : "")) {
echo "<td> ";
$result = $dbh->query("SHOW VARIABLES");
while ($row = $result->fetch_assoc()) {
echo "<tr>";
- echo "<th><code class='jush-sqlset'>" . htmlspecialchars($row["Variable_name"]) . "</code>";
- echo "<td>" . (strlen(trim($row["Value"])) ? htmlspecialchars($row["Value"]) : " ");
+ echo "<th><code class='jush-sqlset'>" . h($row["Variable_name"]) . "</code>";
+ echo "<td>" . (strlen(trim($row["Value"])) ? h($row["Value"]) : " ");
}
$result->free();
echo "</table>\n";
?>
<form action="" method="post">
-<p><textarea name="select" rows="10" cols="80" style="width: 98%;"><?php echo htmlspecialchars($row["select"]); ?></textarea>
+<p><textarea name="select" rows="10" cols="80" style="width: 98%;"><?php echo h($row["select"]); ?></textarea>
<p>
<input type="hidden" name="token" value="<?php echo $token; ?>">
<?php if ($dropped) { // old view was dropped but new wasn't created ?><input type="hidden" name="dropped" value="1"><?php } ?>
-<?php echo lang('Name'); ?>: <input name="name" value="<?php echo htmlspecialchars($row["name"]); ?>" maxlength="64">
+<?php echo lang('Name'); ?>: <input name="name" value="<?php echo h($row["name"]); ?>" maxlength="64">
<input type="submit" value="<?php echo lang('Save'); ?>">
</form>
}
$file = str_replace('<script type="text/javascript" src="editing.js"></script>' . "\n", "", $file);
$file = preg_replace_callback("~compile_file\\('([^']+)', '([^']+)'\\);~", 'compile_file', $file); // integrate static files
-$replace = 'htmlspecialchars(preg_replace("~\\\\\\\\?.*~", "", $_SERVER["REQUEST_URI"]), ENT_QUOTES) . "?file=\\1&version=' . $VERSION;
+$replace = 'h(preg_replace("~\\\\\\\\?.*~", "", $_SERVER["REQUEST_URI"])) . "?file=\\1&version=' . $VERSION;
$file = preg_replace('~\\.\\./adminer/(default\\.css|functions\\.js|favicon\\.ico)~', '<?php echo ' . $replace . '"; ?>', $file);
$file = preg_replace('~\\.\\./adminer/((plus|cross|up|down|arrow)\\.gif)~', '" . ' . $replace, $file);
$file = str_replace("../externals/jush/", "http://jush.sourceforge.net/", $file);
$prev_color = $color;
}
if ($prev_color != $color || !isset($line)) {
- echo "<div" . ($prev_color ? " style='background-color: $prev_color;'" : "") . ">" . $s;
+ echo "<div" . ($prev_color ? " style='background-color: $prev_color;'" : "") . ">$s";
$open_tags = xhtml_open_tags($s);
foreach (array_reverse($open_tags) as $tag) {
echo "</" . preg_replace('~ .*~', '', $tag) . ">";
function tableName($tableStatus) {
// tables without comments would return empty string and will be ignored by Adminer
- return htmlspecialchars($tableStatus["Comment"]);
+ return h($tableStatus["Comment"]);
}
function fieldName($field, $order = 0) {
// only first five columns with comments will be displayed
- return ($order < 5 ? htmlspecialchars($field["comment"]) : "");
+ return ($order < 5 ? h($field["comment"]) : "");
}
}
function loginForm($username) {
?>
<table cellspacing="0">
-<tr><th><?php echo lang('Username'); ?><td><input type="hidden" name="server" value="" /><input name="username" value="<?php echo htmlspecialchars($username); ?>">
+<tr><th><?php echo lang('Username'); ?><td><input type="hidden" name="server" value="" /><input name="username" value="<?php echo h($username); ?>">
<tr><th><?php echo lang('Password'); ?><td><input type="password" name="password">
</table>
<?php
function tableName($tableStatus) {
table_comment($tableStatus);
- return htmlspecialchars(strlen($tableStatus["Comment"]) ? $tableStatus["Comment"] : $tableStatus["Name"]);
+ return h(strlen($tableStatus["Comment"]) ? $tableStatus["Comment"] : $tableStatus["Name"]);
}
function fieldName($field, $order = 0) {
- return htmlspecialchars(strlen($field["comment"]) ? $field["comment"] : $field["field"]);
+ return h(strlen($field["comment"]) ? $field["comment"] : $field["field"]);
}
function selectLinks($tableStatus) {
}
}
if ($field["full_type"] == "tinyint(1)" && $return != " ") { // bool
- $return = '<img src="' . ($val ? "../adminer/plus.gif" : "../adminer/cross.gif") . '" alt="' . htmlspecialchars($val) . '">';
+ $return = '<img src="' . ($val ? "../adminer/plus.gif" : "../adminer/cross.gif") . '" alt="' . h($val) . '">';
}
return ($link ? "<a href=\"$link\">$return</a>" : $return);
}
foreach ((array) $_GET["where"] as $val) {
if (strlen("$val[col]$val[val]")) {
echo "<div><select name='where[$i][col]'><option value=''>" . lang('(anywhere)') . optionlist($columns, $val["col"], true) . "</select>";
- echo "<input name='where[$i][val]' value=\"" . htmlspecialchars($val["val"]) . "\"></div>\n";
+ echo "<input name='where[$i][val]' value='" . h($val["val"]) . "'></div>\n";
$i++;
}
}
echo "<p>" . lang('From') . ": <input name='email_from'>\n";
echo lang('Subject') . ": <input name='email_subject'>\n";
echo "<p><textarea name='email_message' rows='15' cols='60'></textarea>\n";
- echo "<p>" . (count($emailFields) == 1 ? '<input type="hidden" name="email_field" value="' . htmlspecialchars(key($emailFields)) . '">' : '<select name="email_field">' . optionlist($emailFields) . '</select> ');
+ echo "<p>" . (count($emailFields) == 1 ? '<input type="hidden" name="email_field" value="' . h(key($emailFields)) . '">' : '<select name="email_field">' . optionlist($emailFields) . '</select> ');
echo "<input type='submit' name='email' value='" . lang('Send') . "'$confirm>\n";
echo "</div></fieldset>\n";
}
}
}
if ($field["full_type"] == "tinyint(1)") { // bool
- return '<input type="checkbox" value="' . htmlspecialchars($value ? $value : 1) . '"' . ($value ? ' checked="checked"' : '') . "$attrs>";
+ return '<input type="checkbox" value="' . h($value ? $value : 1) . '"' . ($value ? ' checked="checked"' : '') . "$attrs>";
}
return '';
}
foreach ($table_status as $row) {
$name = $this->tableName($row);
if (isset($row["Engine"]) && strlen($name)) { // ignore views and tables without name
- echo '<a href="' . htmlspecialchars($SELF) . 'select=' . urlencode($row["Name"]) . "\">$name</a><br>\n";
+ echo "<a href='" . h($SELF) . 'select=' . urlencode($row["Name"]) . "'>$name</a><br>\n";
}
}
}
projects / adminer.git / commitdiff