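<?php
/*
 * Written By: ShivalWolf
 * Date: 2011/06/03
 * Contact: Shivalwolf@domwolf.net
 *
 * UPDATE 2011/04/05
 * The code now returns a real error message on a bad query with the mysql error number and its error message
 * checks for magic_quotes being enabled and strips slashes if it is. It's best to disable magic quotes still.
 * Checks to make sure the submitted form is a x-www-form-urlencode just so people don't screw with a browser access or at least try to
 * Forces the output filename to be JSON to conform with standards
 *
 * UPDATE 2011/06/03
 * Code updated to use the Web Module instead of tinywebdb
 *
 * UPDATE 2013/12/26 and 2014/02/18
 * minor modifications by Taifun, puravidaapps.com
 *
 * UPDATE 2014/07/11
 * mysql API (deprecated) replaced by mysqli by Taifun
 *
 * UPDATE 2015/04/30
 * SELECT logic adjusted (result stored in temp. file removed) by Taifun
 *
 * UPDATE 2016/02/21
 * Bugfix Undefined variable: csv
 *
 * Review pass:
 * - the shared key is compared with hash_equals() (strict, constant time) instead of ==
 * - the key is no longer written to the error log together with the rest of $_POST
 * - the stray ", E_USER_ERROR" that appended "256" to error responses is gone
 * - SELECT detection uses the mysqli result type instead of searching the query text for "SELECT"
 * - CSV cells containing a comma, quote or newline are quoted; plain values are emitted unchanged
 * - get_magic_quotes_gpc() is only called when it exists (removed in PHP 8), and the mysqli
 *   report mode is pinned so the explicit error checks keep working on PHP 8.1+
 */

declare(strict_types=1);

/************************************CONFIG****************************************/
//DATABASE DETAILS//
// NOTE(review): live database credentials are committed in this file. Keep them in a
// config file outside the web root (or in environment variables) and rotate them.
$DB_ADDRESS="remotemysql.com";
$DB_USER="1figSz3Csv";
$DB_PASS="BrrkLVjVwF";
$DB_NAME="1figSz3Csv";

//SETTINGS//
//This code is something you set in the APP so random people cant use it.
//It is the only control between the network and arbitrary SQL on the database
//above: use a long random value, serve this page over HTTPS only, and give the
//DB user just the grants the app needs.
$SQLKEY="secret";

/************************************CONFIG****************************************/

/**
 * Render one value as a CSV cell.
 *
 * Plain values are returned as-is (so existing output is unchanged); a value
 * containing a comma, double quote, CR or LF is wrapped in double quotes with
 * embedded quotes doubled, so it can no longer break the row structure.
 *
 * @param string|int|float|null $value column value (NULL becomes an empty cell, as before)
 */
function csv_field($value): string
{
    $text = $value === null ? '' : (string) $value;
    if (strpbrk($text, ",\"\r\n") === false) {
        return $text;
    }
    return '"' . str_replace('"', '""', $text) . '"';
}

//these are just in case setting headers forcing it to always expire
header('Cache-Control: no-cache, must-revalidate');

// Log the request for debugging, but never the shared secret.
$logged = $_POST;
unset($logged['key']);
error_log(print_r($logged, TRUE));

if (isset($_POST['query'], $_POST['key']) && is_string($_POST['query']) && is_string($_POST['key'])) { //checks if the tag post is there and if its been a proper form post
    //set content type to CSV (to be set here to be able to access this page also with a browser)
    header('Content-type: text/csv');

    if (hash_equals($SQLKEY, $_POST['key'])) { //validates the SQL key (strict string compare, constant time)
        $query = urldecode($_POST['query']);
        // magic_quotes_gpc was removed in PHP 8; only undo it where the function still exists
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $query = stripslashes($query);
        }

        // Keep the classic "return false / connect_error" behaviour: on PHP 8.1+ the default
        // report mode throws mysqli_sql_exception instead, which would skip the handling below.
        mysqli_report(MYSQLI_REPORT_OFF);
        $conn = new mysqli($DB_ADDRESS, $DB_USER, $DB_PASS, $DB_NAME); //connect

        if ($conn->connect_error) { //checks connection
            header("HTTP/1.0 400 Bad Request");
            echo "ERROR Database Connection Failed: " . $conn->connect_error; //reports a DB connection failure
        } else {
            // By design this runs whatever SQL the (authenticated) client sent.
            $result = $conn->query($query); //runs the posted query
            if ($result === false) {
                header("HTTP/1.0 400 Bad Request"); //sends back a bad request error
                echo "Wrong SQL: " . $query . " Error: " . $conn->error; //errors if the query is bad and spits the error back to the client
            } elseif ($result instanceof mysqli_result) {
                // A result set (SELECT/SHOW/DESCRIBE/EXPLAIN): header row, then one CSV line per row.
                $names = [];
                foreach ($result->fetch_fields() as $fieldinfo) {
                    $names[] = csv_field($fieldinfo->name);
                }
                echo implode(',', $names) . "\n"; //prints header row

                while ($row = $result->fetch_assoc()) {
                    $cells = [];
                    foreach ($row as $value) {
                        $cells[] = csv_field($value);
                    }
                    echo implode(',', $cells) . "\n"; //prints one data row
                }
                $result->free();
            } else {
                header("HTTP/1.0 201 Rows");
                echo "AFFECTED ROWS: " . $conn->affected_rows; //if the query is anything but a SELECT, it will return the number of affected rows
            }
            $conn->close(); //closes the DB
        }
    } else {
        header("HTTP/1.0 400 Bad Request");
        echo "Bad Request"; //reports if the secret key was bad
    }
} else {
    header("HTTP/1.0 400 Bad Request");
    echo "Bad Request";
}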