vesta/web/edit/db/index.php

<?php
// Init
error_reporting(NULL);
ob_start();
$TAB = 'DB';

// Main include
include($_SERVER['DOCUMENT_ROOT'].'/inc/main.php');

// Check database id
if (empty($_GET['database'])) {
    header("Location: /list/db/");
    exit;
}

// Edit as someone else?
if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) {
    $user=escapeshellarg($_GET['user']);
}

// List datbase
$v_database = escapeshellarg($_GET['database']);
exec (VESTA_CMD."v-list-database ".$user." ".$v_database." 'json'", $output, $return_var);
check_return_code($return_var,$output);
$data = json_decode(implode('', $output), true);
unset($output);

// Parse database
$v_username = $user;
$v_database = $_GET['database'];
$v_dbuser = $data[$v_database]['DBUSER'];
$v_password = "";
$v_host = $data[$v_database]['HOST'];
$v_type = $data[$v_database]['TYPE'];
$v_charset = $data[$v_database]['CHARSET'];
$v_date = $data[$v_database]['DATE'];
$v_time = $data[$v_database]['TIME'];
$v_suspended = $data[$v_database]['SUSPENDED'];
if ( $v_suspended == 'yes' ) {
    $v_status =  'suspended';
} else {
    $v_status =  'active';
}

// Check POST request
if (!empty($_POST['save'])) {
    $v_username = $user;

    // Check token
    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
        header('location: /login/');
        exit();
    }

    // Change database user
    if (($v_dbuser != $_POST['v_dbuser']) && (empty($_SESSION['error_msg']))) {
        $v_dbuser = preg_replace("/^".$user."_/", "", $_POST['v_dbuser']);
        $v_dbuser = escapeshellarg($v_dbuser);
        exec (VESTA_CMD."v-change-database-user ".$v_username." ".$v_database." ".$v_dbuser, $output, $return_var);
        check_return_code($return_var,$output);
        unset($output);
        $v_dbuser = $user."_".preg_replace("/^".$user."_/", "", $_POST['v_dbuser']);
    }

    // Change database password
    if ((!empty($_POST['v_password'])) && (empty($_SESSION['error_msg']))) {
        $v_password = tempnam("/tmp","vst");
        $fp = fopen($v_password, "w");
        fwrite($fp, $_POST['v_password']."\n");
        fclose($fp);
        exec (VESTA_CMD."v-change-database-password ".$v_username." ".$v_database." ".$v_password, $output, $return_var);
        check_return_code($return_var,$output);
        unset($output);
        unlink($v_password);
        $v_password = escapeshellarg($_POST['v_password']);
    }

    // Set success message
    if (empty($_SESSION['error_msg'])) {
        $_SESSION['ok_msg'] = __('Changes has been saved.');
    }
}

// Render page
render_page($user, $TAB, 'edit_db');

// Flush session messages
unset($_SESSION['error_msg']);
unset($_SESSION['ok_msg']);
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00			`<?php`
			`// Init`
			`error_reporting(NULL);`
			`ob_start();`
			`$TAB = 'DB';`
Improved code formating 2014-07-30 15:34:34 +03:00
Separate scripts from html & New rendering function 2016-07-02 19:51:56 +09:00			`// Main include`
			`include($_SERVER['DOCUMENT_ROOT'].'/inc/main.php');`
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00
Improved code formating 2014-07-30 15:34:34 +03:00			`// Check database id`
i18n db 2013-01-22 03:00:33 +02:00			`if (empty($_GET['database'])) {`
			`header("Location: /list/db/");`
			`exit;`
			`}`

			`// Edit as someone else?`
			`if (($_SESSION['user'] == 'admin') && (!empty($_GET['user']))) {`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`$user=escapeshellarg($_GET['user']);`
i18n db 2013-01-22 03:00:33 +02:00			`}`
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00
Improved code formating 2014-07-30 15:34:34 +03:00			`// List datbase`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`$v_database = escapeshellarg($_GET['database']);`
			`exec (VESTA_CMD."v-list-database ".$user." ".$v_database." 'json'", $output, $return_var);`
			`check_return_code($return_var,$output);`
			`$data = json_decode(implode('', $output), true);`
			`unset($output);`
Improved code formating 2014-07-30 15:34:34 +03:00
			`// Parse database`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`$v_username = $user;`
			`$v_database = $_GET['database'];`
Improved code formating 2014-07-30 15:34:34 +03:00			`$v_dbuser = $data[$v_database]['DBUSER'];`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`$v_password = "";`
Improved code formating 2014-07-30 15:34:34 +03:00			`$v_host = $data[$v_database]['HOST'];`
			`$v_type = $data[$v_database]['TYPE'];`
			`$v_charset = $data[$v_database]['CHARSET'];`
			`$v_date = $data[$v_database]['DATE'];`
			`$v_time = $data[$v_database]['TIME'];`
			`$v_suspended = $data[$v_database]['SUSPENDED'];`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`if ( $v_suspended == 'yes' ) {`
			`$v_status = 'suspended';`
			`} else {`
			`$v_status = 'active';`
			`}`
Improved code formating 2014-07-30 15:34:34 +03:00
			`// Check POST request`
			`if (!empty($_POST['save'])) {`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`$v_username = $user;`

UI update 2015-06-03 02:31:03 +03:00			`// Check token`
			`if ((!isset($_POST['token'])) \|\| ($_SESSION['token'] != $_POST['token'])) {`
			`header('location: /login/');`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`exit();`
UI update 2015-06-03 02:31:03 +03:00			`}`

Improved code formating 2014-07-30 15:34:34 +03:00			`// Change database user`
			`if (($v_dbuser != $_POST['v_dbuser']) && (empty($_SESSION['error_msg']))) {`
			`$v_dbuser = preg_replace("/^".$user."_/", "", $_POST['v_dbuser']);`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`$v_dbuser = escapeshellarg($v_dbuser);`
			`exec (VESTA_CMD."v-change-database-user ".$v_username." ".$v_database." ".$v_dbuser, $output, $return_var);`
			`check_return_code($return_var,$output);`
			`unset($output);`
			`$v_dbuser = $user."_".preg_replace("/^".$user."_/", "", $_POST['v_dbuser']);`
Improved code formating 2014-07-30 15:34:34 +03:00			`}`
change database username 2013-10-28 23:16:33 +02:00
Improved code formating 2014-07-30 15:34:34 +03:00			`// Change database password`
UI improvements 2015-05-29 19:51:24 +03:00			`if ((!empty($_POST['v_password'])) && (empty($_SESSION['error_msg']))) {`
password transmission via tmp files 2015-03-31 00:01:44 +03:00			`$v_password = tempnam("/tmp","vst");`
			`$fp = fopen($v_password, "w");`
			`fwrite($fp, $_POST['v_password']."\n");`
			`fclose($fp);`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`exec (VESTA_CMD."v-change-database-password ".$v_username." ".$v_database." ".$v_password, $output, $return_var);`
Separate scripts from html & New rendering function 2016-07-02 19:51:56 +09:00			`check_return_code($return_var,$output);`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`unset($output);`
password transmission via tmp files 2015-03-31 00:01:44 +03:00			`unlink($v_password);`
Revert "[SECURITY] Fix OS command injection." 2015-12-11 21:14:49 +02:00			`$v_password = escapeshellarg($_POST['v_password']);`
Improved code formating 2014-07-30 15:34:34 +03:00			`}`
change database username 2013-10-28 23:16:33 +02:00
Improved code formating 2014-07-30 15:34:34 +03:00			`// Set success message`
			`if (empty($_SESSION['error_msg'])) {`
			`$_SESSION['ok_msg'] = __('Changes has been saved.');`
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00			`}`
i18n db 2013-01-22 03:00:33 +02:00			`}`
Replaced CRLF by LF 2013-01-18 18:23:04 +04:00
Separate scripts from html & New rendering function 2016-07-02 19:51:56 +09:00			`// Render page`
Challenging routing on render_page 2016-07-02 21:40:46 +09:00			`render_page($user, $TAB, 'edit_db');`
Improved code formating 2014-07-30 15:34:34 +03:00
			`// Flush session messages`
i18n db 2013-01-22 03:00:33 +02:00			`unset($_SESSION['error_msg']);`
			`unset($_SESSION['ok_msg']);`