Retrieve parameters from $_POST in tracking pages

Signed-off-by: Maurício Meneghini Fauth <mauriciofauth@gmail.com>
phpmyadmin · Dec 11, 2018 · b6f2ae4 · b6f2ae4
1 parent d752096
commit b6f2ae4
Show file tree

Hide file tree

Showing 8 changed files with 210 additions and 209 deletions.
diff --git a/db_tracking.php b/db_tracking.php
@@ -30,6 +30,8 @@
  */
 require 'libraries/db_common.inc.php';
 $url_query .= '&amp;goto=tbl_tracking.php&amp;back=db_tracking.php';
+$url_params['goto'] = 'tbl_tracking.php';
+$url_params['back'] = 'db_tracking.php';
 
 // Get the database structure
 $sub_part = '_structure';
@@ -46,47 +48,45 @@
     $pos
 ) = Util::getDbInfo($db, isset($sub_part) ? $sub_part : '');
 
-// Work to do?
-//  (here, do not use $_REQUEST['db] as it can be crafted)
-if (isset($_REQUEST['delete_tracking']) && isset($_REQUEST['table'])) {
+if (isset($_POST['delete_tracking']) && isset($_POST['table'])) {
 
-    Tracker::deleteTracking($GLOBALS['db'], $_REQUEST['table']);
+    Tracker::deleteTracking($GLOBALS['db'], $_POST['table']);
     Message::success(
         __('Tracking data deleted successfully.')
     )->display();
 
-} elseif (isset($_REQUEST['submit_create_version'])) {
+} elseif (isset($_POST['submit_create_version'])) {
 
-    Tracking::createTrackingForMultipleTables($_REQUEST['selected']);
+    Tracking::createTrackingForMultipleTables($_POST['selected']);
     Message::success(
         sprintf(
             __(
                 'Version %1$s was created for selected tables,'
                 . ' tracking is active for them.'
             ),
-            htmlspecialchars($_REQUEST['version'])
+            htmlspecialchars($_POST['version'])
         )
     )->display();
 
-} elseif (isset($_REQUEST['submit_mult'])) {
+} elseif (isset($_POST['submit_mult'])) {
 
-    if (! empty($_REQUEST['selected_tbl'])) {
-        if ($_REQUEST['submit_mult'] == 'delete_tracking') {
+    if (! empty($_POST['selected_tbl'])) {
+        if ($_POST['submit_mult'] == 'delete_tracking') {
 
-            foreach ($_REQUEST['selected_tbl'] as $table) {
+            foreach ($_POST['selected_tbl'] as $table) {
                 Tracker::deleteTracking($GLOBALS['db'], $table);
             }
             Message::success(
                 __('Tracking data deleted successfully.')
             )->display();
 
-        } elseif ($_REQUEST['submit_mult'] == 'track') {
+        } elseif ($_POST['submit_mult'] == 'track') {
 
             echo Tracking::getHtmlForDataDefinitionAndManipulationStatements(
                 'db_tracking.php' . $url_query,
                 0,
                 $GLOBALS['db'],
-                $_REQUEST['selected_tbl']
+                $_POST['selected_tbl']
             );
             exit;
         }
@@ -98,7 +98,7 @@
 }
 
 // Get tracked data about the database
-$data = Tracker::getTrackedData($_REQUEST['db'], '', '1');
+$data = Tracker::getTrackedData($GLOBALS['db'], '', '1');
 
 // No tables present and no log exist
 if ($num_tables == 0 && count($data['ddlog']) == 0) {
@@ -118,7 +118,7 @@
 $all_tables_query = ' SELECT table_name, MAX(version) as version FROM ' .
     Util::backquote($cfgRelation['db']) . '.' .
     Util::backquote($cfgRelation['tracking']) .
-    ' WHERE db_name = \'' . $GLOBALS['dbi']->escapeString($_REQUEST['db']) .
+    ' WHERE db_name = \'' . $GLOBALS['dbi']->escapeString($GLOBALS['db']) .
     '\' ' .
     ' GROUP BY table_name' .
     ' ORDER BY table_name ASC';

diff --git a/js/db_tracking.js b/js/db_tracking.js
@@ -84,10 +84,9 @@ AJAX.registerOnload('db_tracking.js', function () {
         $anchor.PMA_confirm(question, $anchor.attr('href'), function (url) {
             PMA_ajaxShowMessage(PMA_messages.strDeletingTrackingData);
             AJAX.source = $anchor;
-            var params = {
-                'ajax_page_request': true,
-                'ajax_request': true
-            };
+            var argSep = PMA_commonParams.get('arg_separator');
+            var params = getJSConfirmCommonParam(this, $anchor.getPostData());
+            params += argSep + 'ajax_page_request=1';
             $.post(url, params, AJAX.responseHandler);
         });
     });

diff --git a/js/tbl_tracking.js b/js/tbl_tracking.js
@@ -80,10 +80,9 @@ AJAX.registerOnload('tbl_tracking.js', function () {
         $anchor.PMA_confirm(question, $anchor.attr('href'), function (url) {
             PMA_ajaxShowMessage();
             AJAX.source = $anchor;
-            var params = {
-                'ajax_page_request': true,
-                'ajax_request': true
-            };
+            var argSep = PMA_commonParams.get('arg_separator');
+            var params = getJSConfirmCommonParam(this, $anchor.getPostData());
+            params += argSep + 'ajax_page_request=1';
             $.post(url, params, AJAX.responseHandler);
         });
     });
@@ -98,10 +97,9 @@ AJAX.registerOnload('tbl_tracking.js', function () {
         $anchor.PMA_confirm(question, $anchor.attr('href'), function (url) {
             PMA_ajaxShowMessage();
             AJAX.source = $anchor;
-            var params = {
-                'ajax_page_request': true,
-                'ajax_request': true
-            };
+            var argSep = PMA_commonParams.get('arg_separator');
+            var params = getJSConfirmCommonParam(this, $anchor.getPostData());
+            params += argSep + 'ajax_page_request=1';
             $.post(url, params, AJAX.responseHandler);
         });
     });