Fix XSS vulnerabilities
index 55a3d8f8daa2805af7bd5a06be5de20f176750e5..2a07094d49ca807f2ae7d35736244611a1c93b75 100644 (file)
@@ -1,16 +1,22 @@
 <?php
+/*
+       (c) 2005 Joe Presbrey
+*/
 
 require_once('mitsql.lib.php');
 
 define('MAXDBS', 20);
 
 class proc {
-       static function newdb(&$User, $i_newdb) {
+       static function newdb(&$User, &$i_newdb) {
+               // return through $i_newdb the full name of the created db
                $msg1 = $err1 = array();
-               $dbname = $User->getUsername().DELIMETER.$i_newdb;
-               if ($User->isOverQuota()) {
+               $uname = $User->getUsername();
+               $uname = str_replace('.','',$uname);
+               $dbname = $uname.DELIMETER.$i_newdb;
+               if ($User->isOverQuota() && !isAdmin()) {
                        $err1[] = 'You are over your quota. You may not add more databases.';
-               } elseif (count($User->getDBList())>MAXDBS) {
+               } elseif (count($User->getDBList())>=$User->getDBQuotaHard() && !isAdmin()) {
                        $err1[] = 'You have too many databases. You may not add more databases.';
                } elseif (empty($i_newdb)) {
                        $err1[] = 'Your database name may not be empty.';
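Review bot: The new newdb() still accepts any characters in the request-supplied `$i_newdb`: the only validation visible in the hunk is the `empty()` test at the last context line, after which the value is glued into `$dbname` (L24) and, judging by the "already exists"/"created" messages further down, handed to database creation, which is outside this hunk. Because `$dbname` is later rendered inside backticks and presumably used as an SQL identifier (not shown here), an allowlist before the existence check would close both the markup and the identifier-quoting concern at once, e.g. `} elseif (!preg_match('/^[A-Za-z0-9_]+$/', $i_newdb)) {` followed by `$err1[] = 'Your database name may only contain letters, digits and underscores.';`. Note also that dots are stripped from the username (L23) but not from `$i_newdb`, so the combined name can still contain a `.`. newdb()'s body continues past the end of the hunk.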
@@ -21,8 +27,9 @@ class proc {
                                $err1[] = 'Database already exists.';
                        }
                } else {
-                       $msg1[] = 'Database `'.$dbname.'` created.';
+                       $msg1[] = 'Database `'.htmlentities($dbname).'` created.';
                }
+               $i_newdb = $dbname;
                return array($msg1, $err1);
        }
        static function drop(&$User, $i_drop) {
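Review bot: `htmlentities($dbname)` on the new line in this hunk relies on the default flags, which leave single quotes unescaped and use the interpreter's default charset; if the message ever lands in a single-quoted attribute that is still an injection point, so `htmlentities($dbname, ENT_QUOTES, 'UTF-8')` is the safer spelling and costs nothing here. Separately, `$i_newdb = $dbname;` is executed after the whole if/else chain, so the caller receives the prefixed name even on the quota, empty-name and "already exists" branches where nothing was created, which contradicts the "full name of the created db" comment added in the previous hunk; either move the assignment into the success branch or reword the comment to say the name is always normalised. newdb() starts before this hunk.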
@@ -30,7 +37,7 @@ class proc {
                $dropdbs = array_keys($i_drop);
                foreach($dropdbs as $dbname) {
                        if ($User->delDB($dbname)) {
-                               $msg1[] = 'Database `'.$dbname.'` dropped.';
+                               $msg1[] = 'Database `'.htmlentities($dbname).'` dropped.';
                        } else {
                                $err1[] = mysql_error();
                        }
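Review bot: The failure branch of drop() still pushes the raw `mysql_error()` text into `$err1` while the success message on the line above it now gets `htmlentities()`; if `$err1` is rendered the same way as `$msg1` (rendering is not in this hunk), a failed drop of a name taken straight from the request keys (`array_keys($i_drop)`, first line of the hunk) can echo that name back unescaped via the driver's error string. The consistent fix is `$err1[] = htmlentities(mysql_error(), ENT_QUOTES);`, or better a fixed user-facing message with the driver text logged server-side, since driver errors also disclose schema and host details. Whether `delDB()` limits the drop to the caller's own databases cannot be seen here; the loop itself applies no ownership check to the request-supplied names. drop()'s body continues past the end of the hunk.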