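<?php
/* $Id: tbl_replace_fields.php,v 2.5 2003/12/11 12:45:44 garvinhicking Exp $ */
// vim: expandtab sw=4 ts=4 sts=4:

/**
 * Turns the submitted value of one table column into a SQL literal.
 *
 * This is an include fragment, not a function: it works directly on the
 * includer's variables. NOTE(review): inferred from the undeclared $key,
 * $val, $encoded_key, $enc_primary_key, $me_fields_type, $me_fields_null,
 * $fieldlist and $prot_row used below - confirm against the caller. Do not
 * declare functions here: if the caller includes the file once per column,
 * a second include would redeclare them.
 *
 * Reads:   $key, $val, $encoded_key, $enc_primary_key, $cfg['UploadDir'],
 *          $me_fields_type, $me_fields_null, $fieldlist, $prot_row and the
 *          request variables fields_upload_<key>, fields_uploadlocal_<key>
 *          and field_<md5(key)> (grab_globals has extracted the file ones
 *          from _FILES or HTTP_POST_FILES).
 * Writes:  $val         - the SQL literal ('...', 0x..., NULL), or unset when
 *                         a protected column must be left alone on UPDATE
 *          $seen_binary - true once binary data was encoded as 0x...
 *          $check_stop  - true when an uploaded file replaced $val, so the
 *                         form value handling below is skipped
 *
 * Security: both file paths arrive in request variables. A browser upload is
 * only read when is_uploaded_file() confirms PHP received it via POST, and a
 * server-side file is only ever opened below $cfg['UploadDir'], after every
 * run of dots in its name is collapsed so ".." cannot leave that directory.
 */

// Check parameters

require_once('./libraries/common.lib.php');

PMA_checkParameters(array('db','encoded_key'));


// f i e l d   u p l o a d e d   f r o m   a   f i l e

// Default is to advance to the field-value parsing. Only set to true when a
// binary file was read into $val, which then bypasses further manipulation.
$check_stop = false;

// Pick the upload variables for this row: a multi-edit form nests the value
// under ['multi_edit'][$enc_primary_key], a single-row form sends it flat.
${'me_fields_upload_' . $encoded_key} =
    (isset($enc_primary_key) && isset(${'fields_upload_' . $encoded_key}['multi_edit']))
        ? ${'fields_upload_' . $encoded_key}['multi_edit'][$enc_primary_key]
        : (isset(${'fields_upload_' . $encoded_key}) ? ${'fields_upload_' . $encoded_key} : null);
${'me_fields_uploadlocal_' . $encoded_key} =
    (isset($enc_primary_key) && isset(${'fields_uploadlocal_' . $encoded_key}['multi_edit']))
        ? ${'fields_uploadlocal_' . $encoded_key}['multi_edit'][$enc_primary_key]
        : (isset(${'fields_uploadlocal_' . $encoded_key}) ? ${'fields_uploadlocal_' . $encoded_key} : null);

if (isset(${'me_fields_upload_' . $encoded_key}) && ${'me_fields_upload_' . $encoded_key} !== 'none') {
    // This field's content is a blob-file upload.

    if (!empty(${'me_fields_upload_' . $encoded_key})) {
        // A browser upload. The path came in through a request variable, so
        // is_uploaded_file() is what stops a crafted form from pointing us at
        // an arbitrary file the web server can read.
        $data_file = ${'me_fields_upload_' . $encoded_key};

        if (is_uploaded_file($data_file)) {
            // file_get_contents() opens and closes the handle itself (the old
            // fread(fopen()) never closed it) and copes with an empty file,
            // where fread() with a zero length fails.
            // nijel: a 0x... literal is probably the best way to put binary
            // data into MySQL; it also avoids the charset conversion that
            // would otherwise corrupt the data.
            $val = file_get_contents($data_file);

            // Compare against '' rather than empty(): a one-byte file holding
            // "0" is valid binary content.
            if ($val !== false && $val !== '') {
                $val         = '0x' . bin2hex($val);
                $seen_binary = true;
                $check_stop  = true;
            }
            // ELSE: an empty file was uploaded; fall through to the form value
            // handling, which preserves protected blobs ($protected$).
        }
        // ELSE: not a real upload (possibly a forged path). $val is left
        // alone; protected blobs are preserved below ($protected$).

    } elseif (!empty(${'me_fields_uploadlocal_' . $encoded_key})) {
        // A file that already exists below the configured upload directory.
        if (substr($cfg['UploadDir'], -1) !== '/') {
            $cfg['UploadDir'] .= '/';
        }
        // Collapse every run of dots to a single dot so ".." cannot climb out
        // of UploadDir; the name is only ever used appended to that directory.
        $file_to_upload = $cfg['UploadDir']
                        . preg_replace('@\.\.*@', '.', ${'me_fields_uploadlocal_' . $encoded_key});

        $open_basedir = ini_get('open_basedir');

        // With open_basedir the file is first staged in "./tmp" (the doc
        // explains how to create that directory) and read from there.
        $unlink = false;
        if (!empty($open_basedir)) {
            $tmp_subdir = (PMA_IS_WINDOWS ? '.\\tmp\\' : './tmp/');

            if (!is_writable($tmp_subdir)) {
                // cannot stage the file: do not change blob fields
                $file_to_upload = '';
            } else {
                $new_file_to_upload = $tmp_subdir . basename($file_to_upload);
                // copy(), not move_uploaded_file(): the latter only accepts
                // files PHP itself received via POST and refuses a
                // pre-existing server file, which left $file_to_upload
                // pointing at a path that was never created. If open_basedir
                // also blocks the copy, leave the field untouched.
                if (copy($file_to_upload, $new_file_to_upload)) {
                    $file_to_upload = $new_file_to_upload;
                    $unlink         = true;
                } else {
                    $file_to_upload = '';
                }
            }
        }

        if ($file_to_upload !== '') {
            $val = is_readable($file_to_upload) ? file_get_contents($file_to_upload) : false;
            if ($val !== false && $val !== '') {
                $val         = '0x' . bin2hex($val);
                $seen_binary = true;
                $check_stop  = true;
            }

            if ($unlink) {
                // remove the staged copy again
                unlink($file_to_upload);
            }
        }
    }
    // ELSE: the post-field contains no data; protected blobs are preserved
    // below ($protected$).
}

if (!$check_stop) {

    // f i e l d   v a l u e   i n   t h e   f o r m

    $type = isset($me_fields_type[$encoded_key]) ? $me_fields_type[$encoded_key] : '';

    // Multi-value widgets post under field_<md5(key)>, nested per row in
    // multi-edit mode.
    $f      = 'field_' . md5($key);
    $t_fval = isset($$f) ? $$f : null;

    if (isset($t_fval['multi_edit']) && isset($t_fval['multi_edit'][$enc_primary_key])) {
        $fval = $t_fval['multi_edit'][$enc_primary_key];
    } else {
        $fval = $t_fval;
    }

    // Typing NULL or null is deliberately stored as that string, not as a
    // SQL NULL; only an empty value needs the type-specific handling below.
    if ((string) $val !== '') {
        $val = "'" . PMA_sqlAddslashes($val) . "'";
    } else {
        switch ($type) {
            case 'enum':
            case 'foreign':
                // construct the value from the selected option(s); the data
                // here is not urlencoded
                if (!empty($fval)) {
                    $val = implode(',', $fval);
                    if ($val !== 'null') {
                        $val = "'" . PMA_sqlAddslashes($val) . "'";
                    }
                } else {
                    $val = "''";
                }
                break;
            case 'set':
                // construct the value from the checked members; the data here
                // is not urlencoded
                $val = empty($fval) ? "''" : "'" . PMA_sqlAddslashes(implode(',', $fval)) . "'";
                break;
            case 'protected':
                // Protected mode (asked in the config): tbl_change put this
                // special value in the fields array so we do not change the
                // field value, although a file upload above is still honoured.
                //
                // With $fieldlist set (INSERT) write an empty field because no
                // values were submitted, or the original content when
                // protected blobs were set; without it (UPDATE) leave the
                // field alone.
                if (isset($fieldlist)) {
                    if (isset($prot_row[$key]) && $prot_row[$key] !== '') {
                        $val         = '0x' . bin2hex($prot_row[$key]);
                        $seen_binary = true;
                    } else {
                        $val = "''";
                    }
                } else {
                    unset($val);
                }
                break;
            default:
                $val = "'" . PMA_sqlAddslashes($val) . "'";
                break;
        }
    }

    // Was the Null checkbox checked for this field? A real value wins over
    // the checkbox: both can arrive when Javascript is disabled in the
    // browser.
    if (isset($me_fields_null[$encoded_key]) && isset($val) && $val === "''") {
        $val = 'NULL';
    }
} // end if (field value in the form)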