OXID eShop CE  4.8.12
 All Classes Files Functions Variables Pages
tools_list.php
Go to the documentation of this file.
1 <?php
2 
8 class Tools_List extends oxAdminList
9 {
15  protected $_sThisTemplate = 'tools_list.tpl';
16 
22  public function updateViews()
23  {
24  //preventing edit for anyone except malladmin
25  if ( oxRegistry::getSession()->getVariable( "malladmin" ) ) {
26  $oMetaData = oxNew('oxDbMetaDataHandler');
27  $this->_aViewData["blViewSuccess"] = $oMetaData->updateViews();
28  }
29  }
30 
36  public function performsql()
37  {
38  $oAuthUser = oxNew( 'oxuser' );
39  $oAuthUser->loadAdminUser();
40  if ( $oAuthUser->oxuser__oxrights->value === "malladmin" ) {
41 
42  $sUpdateSQL = oxConfig::getParameter("updatesql");
43  $sUpdateSQLFile = $this->_processFiles();
44 
45  if ( $sUpdateSQLFile && strlen( $sUpdateSQLFile ) > 0 ) {
46  if ( isset( $sUpdateSQL ) && strlen( $sUpdateSQL ) )
47  $sUpdateSQL .= ";\r\n".$sUpdateSQLFile;
48  else
49  $sUpdateSQL = $sUpdateSQLFile;
50  }
51 
52  $sUpdateSQL = trim( stripslashes( $sUpdateSQL ) );
53  $oStr = getStr();
54  $iLen = $oStr->strlen( $sUpdateSQL );
55  if ( $this->_prepareSQL( $sUpdateSQL, $iLen ) ) {
56  $aQueries = $this->aSQLs;
57  $this->_aViewData["aQueries"] = array();
58  $aPassedQueries = array();
59  $aQAffectedRows = array();
60  $aQErrorMessages = array();
61  $aQErrorNumbers = array();
62 
63  if ( count( $aQueries ) > 0 ) {
64  $blStop = false;
65  $oDB = oxDb::getDb();
66  $iQueriesCounter = 0;
67  for ( $i = 0; $i < count( $aQueries ); $i++ ) {
68  $sUpdateSQL = $aQueries[$i];
69  $sUpdateSQL = trim( $sUpdateSQL );
70 
71  if ( $oStr->strlen( $sUpdateSQL ) > 0 ) {
72  $aPassedQueries[$iQueriesCounter] = nl2br( htmlentities( $sUpdateSQL ) );
73  if ( $oStr->strlen( $aPassedQueries[$iQueriesCounter] ) > 200 )
74  $aPassedQueries[$iQueriesCounter] = $oStr->substr( $aPassedQueries[$iQueriesCounter], 0, 200 )."...";
75 
76  while ( $sUpdateSQL[ $oStr->strlen( $sUpdateSQL)-1] == ";") {
77  $sUpdateSQL = $oStr->substr( $sUpdateSQL, 0, ( $oStr->strlen( $sUpdateSQL)-1));
78  }
79 
80  try {
81  $oDB->execute( $sUpdateSQL );
82  } catch ( Exception $oExcp ) {
83  // catching exception ...
84  $blStop = true;
85  }
86 
87  $aQAffectedRows [$iQueriesCounter] = null;
88  $aQErrorMessages[$iQueriesCounter] = null;
89  $aQErrorNumbers [$iQueriesCounter] = null;
90 
91  $iErrorNum = $oDB->ErrorNo();
92  if ( $iAffectedRows = $oDB->affected_Rows() !== false && $iErrorNum == 0 ) {
93  $aQAffectedRows[$iQueriesCounter] = $iAffectedRows;
94  } else {
95  $aQErrorMessages[$iQueriesCounter] = htmlentities( $oDB->errorMsg() );
96  $aQErrorNumbers[$iQueriesCounter] = htmlentities( $iErrorNum );
97  }
98  $iQueriesCounter++;
99 
100  // stopping on first error..
101  if ( $blStop ) {
102  break;
103  }
104  }
105  }
106  }
107  $this->_aViewData["aQueries"] = $aPassedQueries;
108  $this->_aViewData["aAffectedRows"] = $aQAffectedRows;
109  $this->_aViewData["aErrorMessages"] = $aQErrorMessages;
110  $this->_aViewData["aErrorNumbers"] = $aQErrorNumbers;
111  }
112  $this->_iDefEdit = 1;
113  }
114  }
115 
121  protected function _processFiles()
122  {
123  if ( isset( $_FILES['myfile']['name'] ) ) {
124  // process all files
125  while ( list( $key, $value ) = each( $_FILES['myfile']['name'] ) ) {
126  $aSource = $_FILES['myfile']['tmp_name'];
127  $sSource = $aSource[$key];
128  $aFiletype = explode( "@", $key );
129  $key = $aFiletype[1];
130  $sType = $aFiletype[0];
131  $value = strtolower( $value );
132  // add type to name
133  $aFilename = explode( ".", $value );
134 
135  //hack?
136 
137  $aBadFiles = array( "php", 'php4', 'php5', "jsp", "cgi", "cmf", "exe" );
138 
139  if ( in_array( $aFilename[1], $aBadFiles ) ) {
140  oxRegistry::getUtils()->showMessageAndExit( "We don't play this game, go away" );
141  }
142 
143  //reading SQL dump file
144  if ( $sSource ) {
145  $rHandle = fopen( $sSource, "r");
146  $sContents = fread( $rHandle, filesize ( $sSource ) );
147  fclose( $rHandle );
148  //reading only one SQL dump file
149  return $sContents;
150  }
151  return;
152  }
153  }
154  return;
155  }
156 
165  protected function _prepareSQL( $sSQL, $iSQLlen )
166  {
167  $sChar = "";
168  $sStrStart = "";
169  $blString = false;
170  $oStr = getStr();
171 
172  //removing "mysqldump" application comments
173  while ( $oStr->preg_match( "/^\-\-.*\n/", $sSQL ) )
174  $sSQL = trim( $oStr->preg_replace( "/^\-\-.*\n/", "", $sSQL ) );
175  while ( $oStr->preg_match( "/\n\-\-.*\n/", $sSQL ) )
176  $sSQL = trim( $oStr->preg_replace( "/\n\-\-.*\n/", "\n", $sSQL ) );
177 
178  for ( $iPos = 0; $iPos < $iSQLlen; ++$iPos ) {
179  $sChar = $sSQL[$iPos];
180  if ( $blString ) {
181  while ( true ) {
182  $iPos = $oStr->strpos( $sSQL, $sStrStart, $iPos );
183  //we are at the end of string ?
184  if ( !$iPos ) {
185  $this->aSQLs[] = $sSQL;
186  return true;
187  } elseif ( $sStrStart == '`' || $sSQL[$iPos-1] != '\\' ) {
188  //found some query separators
189  $blString = false;
190  $sStrStart = "";
191  break;
192  } else {
193  $iNext = 2;
194  $blBackslash = false;
195  while ( $iPos-$iNext > 0 && $sSQL[$iPos-$iNext] == '\\' ) {
196  $blBackslash = !$blBackslash;
197  $iNext++;
198  }
199  if ( $blBackslash ) {
200  $blString = false;
201  $sStrStart = "";
202  break;
203  } else
204  $iPos++;
205  }
206  }
207  } elseif ( $sChar == ";" ) {
208  // delimiter found, appending query array
209  $this->aSQLs[] = $oStr->substr( $sSQL, 0, $iPos );
210  $sSQL = ltrim( $oStr->substr( $sSQL, min( $iPos + 1, $iSQLlen ) ) );
211  $iSQLlen = $oStr->strlen( $sSQL );
212  if ( $iSQLlen )
213  $iPos = -1;
214  else
215  return true;
216  } elseif ( ( $sChar == '"') || ( $sChar == '\'') || ( $sChar == '`')) {
217  $blString = true;
218  $sStrStart = $sChar;
219  } elseif ( $sChar == "#" || ( $sChar == ' ' && $iPos > 1 && $sSQL[$iPos-2] . $sSQL[$iPos-1] == '--')) {
220  // removing # commented query code
221  $iCommStart = (( $sSQL[$iPos] == "#") ? $iPos : $iPos-2);
222  $iCommEnd = ($oStr->strpos(' ' . $sSQL, "\012", $iPos+2))
223  ? $oStr->strpos(' ' . $sSQL, "\012", $iPos+2)
224  : $oStr->strpos(' ' . $sSQL, "\015", $iPos+2);
225  if ( !$iCommEnd ) {
226  if ( $iCommStart > 0 )
227  $this->aSQLs[] = trim( $oStr->substr( $sSQL, 0, $iCommStart ) );
228  return true;
229  } else {
230  $sSQL = $oStr->substr( $sSQL, 0, $iCommStart ).ltrim( $oStr->substr( $sSQL, $iCommEnd ) );
231  $iSQLlen = $oStr->strlen( $sSQL );
232  $iPos--;
233  }
234  } elseif ( 32358 < 32270 && ($sChar == '!' && $iPos > 1 && $sSQL[$iPos-2] . $sSQL[$iPos-1] == '/*')) // removing comments like /**/
235  $sSQL[$iPos] = ' ';
236  }
237 
238  if ( !empty( $sSQL ) && $oStr->preg_match( "/[^[:space:]]+/", $sSQL ) ) {
239  $this->aSQLs[] = $sSQL;
240  }
241  return true;
242  }
243 }