From 9d60d0266419441d6fb789d61ba5a464386661f9 Mon Sep 17 00:00:00 2001 From: Drahflow Date: Mon, 22 May 2017 10:25:18 +0200 Subject: [PATCH 01/10] Added REST API --- sql-executioner.php | 54 +++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/sql-executioner.php b/sql-executioner.php index 07d6508..74d53d4 100644 --- a/sql-executioner.php +++ b/sql-executioner.php @@ -36,6 +36,7 @@ public function __construct() { add_action( 'admin_init', array( $this, 'register_scripts') ); add_action( 'admin_menu', array( $this, 'add_admin_menu' ) ); + add_action( 'rest_api_init', array( $this, 'rest_api_init' ) ); // set up our own db connection so as to not interfer with WordPress' $this->db = mysqli_connect( DB_HOST, DB_USER, DB_PASSWORD, DB_NAME ); 
@@ -121,4 +122,57 @@ public static function str_putcsv($input, $delimiter = ',', $enclosure = '"') { fclose( $fp ); return $data; } + + public static function rest_api_init() { + $namespace = 'sql-executioner/v1'; + + register_rest_route($namespace, + '/result', + array( + array( + 'methods' => WP_REST_Server::CREATABLE, + 'callback' => array( $this, 'rest_api_execute' ), + ), + ) + ); + } + + public static function rest_api_execute( WP_REST_Request $request ) { + $json = $request->get_json_params(); + $sql = $json['sql']; + $hmac = $json['hmac']; + + if ( !defined('SQLEXECUTIONER_KEY') ) { + return new WP_Error( 'rest_disabled', __( 'No access key is defined' ), array( 'status' => 403 ) ); + } + + $expected_hmac = hash_hmac('sha256', $sql, SQLEXECUTIONER_KEY); + if ( $expected_hmac !== $hmac ) { + return new WP_Error( 'rest_invalid_hmac', __( 'Specified HMAC did not match' ), array( 'status' => 403 ) ); + } + + $results = array(); + $results['rows'] = array(); + $results['sql'] = $sql; + + if ( $rst = mysqli_query( $this->db, $sql ) ) { + + if ( preg_match( "/^\s*(alter|create|drop|rename|insert|delete|update|replace|truncate) /i", $sql ) ) { + $results['affected_rows'] = mysqli_affected_rows( $this->db ); + } else { + $first = true; + while ( $row = mysqli_fetch_assoc( $rst ) ) { + if ( $first ) { + $results['rows'][] = array_keys( $row ); + $first = false; + } + $results['rows'][] = array_values( $row ); + } + } + } else { + $results['error'] = mysqli_error( $this->db ); + } + + return $results; + } } From af2228f9827b57ce99f77bba0e7342f5bdf1ac6e Mon Sep 17 00:00:00 2001 From: Drahflow Date: Mon, 22 May 2017 11:27:30 +0200 Subject: [PATCH 02/10] Add insert_id --- sql-executioner.php | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sql-executioner.php b/sql-executioner.php index 74d53d4..c8ea039 100644 --- a/sql-executioner.php +++ b/sql-executioner.php 
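Review bot: The HMAC check in rest_api_execute compares the client-supplied value with `!==`, which is not timing-safe and misbehaves when `hmac` is not a string; use `if ( ! is_string( $hmac ) || ! hash_equals( $expected_hmac, $hmac ) )` instead. The key guard only tests `defined('SQLEXECUTIONER_KEY')`, so a placeholder such as `define('SQLEXECUTIONER_KEY', '')` (the form shown in the readme later in this series) leaves the endpoint live with an empty key that anyone can compute valid HMACs against; extend it to `if ( ! defined( 'SQLEXECUTIONER_KEY' ) || SQLEXECUTIONER_KEY === '' )`. A valid HMAC grants unrestricted SQL execution under WordPress's own DB credentials and the response echoes `mysqli_error()` verbatim, so a header comment should state that the key must be treated as equivalent to the database password, e.g. `// SQLEXECUTIONER_KEY is the only gate on this endpoint: whoever holds it has full DB_USER access.`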
@@ -169,6 +169,8 @@ public static function rest_api_execute( WP_REST_Request $request ) { $results['rows'][] = array_values( $row ); } } + + $results['insert_id'] = mysqli_insert_id( $this->db ); } else { $results['error'] = mysqli_error( $this->db ); } From 10d9d3c647fdf0e576c48c94d26f173eb9e338b9 Mon Sep 17 00:00:00 2001 From: Drahflow Date: Mon, 22 May 2017 11:49:43 +0200 Subject: [PATCH 03/10] Forward metadata --- sql-executioner.php | 1 + 1 file changed, 1 insertion(+) diff --git a/sql-executioner.php b/sql-executioner.php index c8ea039..3940a49 100644 --- a/sql-executioner.php +++ b/sql-executioner.php @@ -170,6 +170,7 @@ public static function rest_api_execute( WP_REST_Request $request ) { } } + $results['columns'] = mysqli_fetch_fields( $rst ); $results['insert_id'] = mysqli_insert_id( $this->db ); } else { $results['error'] = mysqli_error( $this->db ); From de1351156e8e02504d898eb5246b372bf58c80d6 Mon Sep 17 00:00:00 2001 From: Drahflow Date: Mon, 22 May 2017 12:26:32 +0200 Subject: [PATCH 04/10] Only add meta info for SELECT --- sql-executioner.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sql-executioner.php b/sql-executioner.php index 3940a49..c66126b 100644 --- a/sql-executioner.php +++ b/sql-executioner.php @@ -168,10 +168,10 @@ public static function rest_api_execute( WP_REST_Request $request ) { } $results['rows'][] = array_values( $row ); } + $results['columns'] = mysqli_fetch_fields( $rst ); } - $results['columns'] = mysqli_fetch_fields( $rst ); - $results['insert_id'] = mysqli_insert_id( $this->db ); + $results['insert_id'] = mysqli_insert_id( $this->db ); } else { $results['error'] = mysqli_error( $this->db ); } From 33b38edc3a12c26893894121b7321d857eb5ea10 Mon Sep 17 00:00:00 2001 From: Drahflow Date: Mon, 22 May 2017 12:37:55 +0200 Subject: [PATCH 05/10] Updated readme --- readme.txt | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/readme.txt b/readme.txt index c23cfe0..ca5d976 100644 
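Review bot: `mysqli_fetch_fields( $rst )` is now only reached in the row-fetching branch, but that branch is chosen by a keyword regex (outside this hunk) rather than by the type of `$rst`; any successful statement the regex does not list — `SET`, `CALL`, `LOAD DATA`, `GRANT`, a `WITH ...` CTE, or a statement preceded by a comment — makes mysqli_query return `true`, and `mysqli_fetch_assoc( true )` / `mysqli_fetch_fields( true )` then fail (a TypeError on PHP 8). Branch on the result type instead: `if ( $rst instanceof mysqli_result ) { /* fetch rows, then columns */ } else { $results['affected_rows'] = mysqli_affected_rows( $this->db ); }`. The result set is also never released; add `mysqli_free_result( $rst );` after the `mysqli_fetch_fields` call. rest_api_execute starts and ends outside the hunk.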
--- a/readme.txt +++ b/readme.txt @@ -29,6 +29,26 @@ https://github.com/justincwatt/wp-sql-executioner Extract the zip file, drop the sql-executioner folder in your wp-content/plugins/ directory, and then activate from the Plugins page. +== REST API == + +To enable API access to your SQL database, add a line to `wp-config.php`: +``` +define('SQLEXECUTIONER_KEY', ''); +``` + +This will activate an API endpoint at +``` +/wp-json/sql-executioner/v1/result +``` +which accepts JSON-formatted SQL queries like this: +```sh +wget -O - --header='Content-Type: application/json' --post-data='{"sql": "SELECT 1;", "hmac": ""}' 'http://your-domain.com/wp-json/sql-executioner/v1/result' +``` +and the HMAC is computed as +```php +$hmac = hash_hmac('sha256', $sql, SQLEXECUTIONER_KEY); +``` + == Frequently Asked Questions == = Does this plugin have any undo? = From f055c262ecb34049459c7491d804b956124d6eb8 Mon Sep 17 00:00:00 2001 From: Drahflow Date: Mon, 22 May 2017 17:45:25 +0200 Subject: [PATCH 06/10] Set default charset --- sql-executioner.php | 1 + 1 file changed, 1 insertion(+) diff --git a/sql-executioner.php b/sql-executioner.php index c66126b..4734c10 100644 --- a/sql-executioner.php +++ b/sql-executioner.php @@ -40,6 +40,7 @@ public function __construct() { // set up our own db connection so as to not interfer with WordPress' $this->db = mysqli_connect( DB_HOST, DB_USER, DB_PASSWORD, DB_NAME ); + mysqli_set_charset ( $this->db , 'utf8' ); // get list of tables and create dollar-sign shortcuts $rst = mysqli_query( $this->db, "show tables" ); From 7bd4a8c3e60e9181184b2561b719d4c1fb1577d4 Mon Sep 17 00:00:00 2001 From: Drahflow Date: Wed, 24 May 2017 10:39:16 +0200 Subject: [PATCH 07/10] Prevent replay attacks --- readme.txt | 22 ++++++++++------------ sql-executioner.php | 7 ++++++- 2 files changed, 16 insertions(+), 13 deletions(-) diff --git a/readme.txt b/readme.txt index ca5d976..2ccb7c5 100644 --- a/readme.txt +++ b/readme.txt 
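Review bot: `mysqli_set_charset( $this->db, 'utf8' )` selects MySQL's 3-byte `utf8` (utf8mb3), whereas WordPress's own connection uses `DB_CHARSET`, typically `utf8mb4`; on such installs 4-byte characters (emoji, many CJK) sent through this connection are truncated or rejected, and a client/server charset mismatch is also the classic precondition for escaping-bypass injection should escaping ever be added to this path. Mirror WordPress's setting: `mysqli_set_charset( $this->db, defined( 'DB_CHARSET' ) && DB_CHARSET !== '' ? DB_CHARSET : 'utf8mb4' );` and check its boolean return, since on failure the connection silently keeps the server default. The `mysqli_connect()` result on the preceding context line is likewise unchecked, so a failed connection only surfaces as later warnings. `__construct` starts and ends outside the hunk.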
@@ -32,22 +32,20 @@ directory, and then activate from the Plugins page. == REST API == To enable API access to your SQL database, add a line to `wp-config.php`: -``` -define('SQLEXECUTIONER_KEY', ''); -``` + + define('SQLEXECUTIONER_KEY', ''); This will activate an API endpoint at -``` -/wp-json/sql-executioner/v1/result -``` + + /wp-json/sql-executioner/v1/result + which accepts JSON-formatted SQL queries like this: -```sh -wget -O - --header='Content-Type: application/json' --post-data='{"sql": "SELECT 1;", "hmac": ""}' 'http://your-domain.com/wp-json/sql-executioner/v1/result' -``` + + wget -O - --header='Content-Type: application/json' --post-data='{"sql": "SELECT 1;", "time": , "hmac": ""}' 'http://your-domain.com/wp-json/sql-executioner/v1/result' + and the HMAC is computed as -```php -$hmac = hash_hmac('sha256', $sql, SQLEXECUTIONER_KEY); -``` + + $hmac = hash_hmac('sha256', time() . ":" . $sql, SQLEXECUTIONER_KEY); == Frequently Asked Questions == diff --git a/sql-executioner.php b/sql-executioner.php index 4734c10..984015a 100644 --- a/sql-executioner.php +++ b/sql-executioner.php @@ -142,12 +142,17 @@ public static function rest_api_execute( WP_REST_Request $request ) { $json = $request->get_json_params(); $sql = $json['sql']; $hmac = $json['hmac']; + $timestamp = $json['time']; if ( !defined('SQLEXECUTIONER_KEY') ) { return new WP_Error( 'rest_disabled', __( 'No access key is defined' ), array( 'status' => 403 ) ); } - $expected_hmac = hash_hmac('sha256', $sql, SQLEXECUTIONER_KEY); + if ( $timestamp < time() - 30 ) { + return new WP_Error( 'rest_invalid_hmac', __( 'Timestamp for HMAC too old' ), array( 'status' => 403 ) ); + } + + $expected_hmac = hash_hmac('sha256', $timestamp . ":" . $sql, SQLEXECUTIONER_KEY); if ( $expected_hmac !== $hmac ) { return new WP_Error( 'rest_invalid_hmac', __( 'Specified HMAC did not match' ), array( 'status' => 403 ) ); } From fb39d73ef8ce480f242f16107d1070133a1446a9 Mon Sep 17 00:00:00 2001 
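Review bot: The replay window added at the `$timestamp < time() - 30` check is one-sided: only timestamps older than 30 s are rejected, so a request signed with a far-future `time` (which the client chooses) stays valid indefinitely and can be replayed at will once captured — e.g. from plain HTTP traffic as in the readme example. Make the window two-sided and validate the value before it is used in both the comparison and the HMAC input: `if ( ! is_numeric( $timestamp ) || abs( time() - (int) $timestamp ) > 30 )`. Even then a captured request is replayable inside the window, which deserves a comment above the check such as `// 30 s window limits replay but does not prevent it; a per-request nonce would be needed for that`. rest_api_execute starts and ends outside the hunk.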
From: Drahflow Date: Wed, 24 May 2017 10:40:14 +0200 Subject: [PATCH 08/10] I contributed now, I guess --- readme.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/readme.txt b/readme.txt index 2ccb7c5..122954e 100644 --- a/readme.txt +++ b/readme.txt @@ -1,5 +1,5 @@ === SQL Executioner === -Contributors: justincwatt, olarmarius +Contributors: justincwatt, olarmarius, drahflow Donate link: http://justinsomnia.org/2008/02/the-wordpress-sql-executioner/ Tags: phpMyAdmin, MySQL, query, SQL, DBA, database, database administration, admin, CSV Requires at least: 3.0 From 9b222e8f079b919d975cdf58e731cff4f6e9b1cd Mon Sep 17 00:00:00 2001 From: Drahflow Date: Wed, 24 May 2017 13:59:05 +0200 Subject: [PATCH 09/10] Don't put static on instance functions --- sql-executioner.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sql-executioner.php b/sql-executioner.php index 984015a..e57725a 100644 --- a/sql-executioner.php +++ b/sql-executioner.php @@ -124,7 +124,7 @@ public static function str_putcsv($input, $delimiter = ',', $enclosure = '"') { return $data; } - public static function rest_api_init() { + public function rest_api_init() { $namespace = 'sql-executioner/v1'; register_rest_route($namespace, @@ -138,7 +138,7 @@ public static function rest_api_init() { ); } - public static function rest_api_execute( WP_REST_Request $request ) { + public function rest_api_execute( WP_REST_Request $request ) { $json = $request->get_json_params(); $sql = $json['sql']; $hmac = $json['hmac']; From a0c43d901c97766b6114adc1aba472355ad4046a Mon Sep 17 00:00:00 2001 From: Drahflow Date: Thu, 24 Aug 2017 13:41:15 +0200 Subject: [PATCH 10/10] Mark modifications also for wordpress --- sql-executioner.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sql-executioner.php b/sql-executioner.php index e57725a..0eeb1dc 100644 --- a/sql-executioner.php +++ b/sql-executioner.php 
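Review bot: With rest_api_init now an instance method the `$this` callback resolves, but the route it registers (its array is outside this hunk) still has no `permission_callback`; WordPress 5.5+ logs a `_doing_it_wrong` notice for that, and more importantly the fact that this endpoint is intentionally reachable without a WordPress session should be explicit rather than a default. Add `'permission_callback' => '__return_true',` next to `'callback'` with the comment `// public by design: requests are authenticated solely by the HMAC check in rest_api_execute`. rest_api_init's body continues outside the hunk.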
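Review bot: `$json['sql']` and `$json['hmac']` are read with no check that `get_json_params()` returned an array or that the values are strings; a non-JSON body, or `{"sql": ["x"]}`, reaches `hash_hmac()` and `mysqli_query()` with null or array arguments and is rejected only by accident of the later comparison. Guard right after the `$json` assignment: `if ( ! is_array( $json ) || ! isset( $json['sql'], $json['hmac'] ) || ! is_string( $json['sql'] ) || ! is_string( $json['hmac'] ) ) { return new WP_Error( 'rest_invalid_request', __( 'sql and hmac must be strings' ), array( 'status' => 400 ) ); }`. The body of rest_api_execute continues outside the hunk.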
@@ -2,9 +2,9 @@ /* Plugin Name: SQL Executioner Version: 1.4 -Plugin URI: http://justinsomnia.org/2008/02/the-wordpress-sql-executioner/ +Plugin URI: https://github.com/Drahflow/wp-sql-executioner Description: Execute SQL commands on your WordPress database. Goto Tools > SQL Executioner to operate. -Author: Justin Watt +Author: Justin Watt, modified by Drahflow Author URI: http://justinsomnia.org/ LICENSE