From 7ebe311433e7396e0623ac6f00fe48d095d2edb7 Mon Sep 17 00:00:00 2001
From: Herman van Rink
Date: Tue, 26 Apr 2011 16:28:50 +0200
Subject: [PATCH] Add missing PMA_sqlAddslashes to $initial parameter

Security risk is low since a valid token is required to use this.
---
 server_privileges.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/server_privileges.php b/server_privileges.php
index 44e9be74d..3be2353d4 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -117,8 +117,8 @@ function PMA_RangeOfUsers($initial = '')
     // strtolower() is used because the User field
     // might be BINARY, so LIKE would be case sensitive
     if (!empty($initial)) {
-        $ret = " WHERE `User` LIKE '" . $initial . "%'"
-            . " OR `User` LIKE '" . strtolower($initial) . "%'";
+        $ret = " WHERE `User` LIKE '" . PMA_sqlAddslashes($initial) . "%'"
+            . " OR `User` LIKE '" . PMA_sqlAddslashes(strtolower($initial)) . "%'";
     } else {
         $ret = '';
     }
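Review bot: The two added lines close the quote-escaping gap but leave the LIKE pattern itself unconstrained: `PMA_sqlAddslashes` escapes string-literal delimiters, and the `%` and `_` wildcards in `$initial` are still interpreted by LIKE, so a value such as `%` or `_` widens the match beyond the single leading letter this function's name and the trailing `%` imply. Since `$initial` is meant to be one character, the cheapest fix is to escape the wildcards before the slash-escaping is applied, e.g. `$initial = str_replace(['%', '_'], ['\\%', '\\_'], $initial);` at the top of the `if` branch, so the doubled backslash emitted by `PMA_sqlAddslashes` reaches MySQL as a literal-wildcard escape. Alternatively, reject anything longer than one character at the call boundary and document that expectation in the function's docblock. Note also that `strtolower()` on the context line is byte-wise, so a multibyte initial would not be lowercased as intended; `mb_strtolower()` would be the safer choice if that case matters. PMA_RangeOfUsers's body continues outside the hunk.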