From 429b6291252b0a4dd4a6f4a6220f2ad95bd431b1 Mon Sep 17 00:00:00 2001
From: Marc Delisle
Date: Fri, 21 Oct 2005 01:41:31 +0000
Subject: [PATCH] security fix
---
 ChangeLog | 3 +++
 server_databases.php | 4 ++++
 2 files changed, 7 insertions(+)
diff --git a/ChangeLog b/ChangeLog
index 7755a113f..9f886da74 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,9 @@ phpMyAdmin - Changelog
 $Id$
 $Source$
+2005-10-20 Marc Delisle
+ * server_databases.php: security fix
+
 2005-10-20 Alexander M. Turek
 * libraries/mysql_charsets.lib.php:
 - On MySQL 5.0.6, we don't have to parse SHOW CREATE DATABASE anymore,
diff --git a/server_databases.php b/server_databases.php
index 0d32917a9..0468e3ad1 100644
--- a/server_databases.php
+++ b/server_databases.php
@@ -134,6 +134,8 @@ foreach ($dblist AS $current_db) {
 // avoids 'undefined index' errors
 if (empty($sort_by)) {
 $sort_by = 'db_name';
+} else {
+ $sort_by = PMA_sanitize($sort_by);
 }
 if (empty($sort_order)) {
 if ($sort_by == 'db_name') {
@@ -141,6 +143,8 @@ if (empty($sort_order)) {
 } else {
 $sort_order = 'desc';
 }
+} else {
+ $sort_order = PMA_sanitize($sort_order);
 }
 // sorts the array
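Review bot: Both added `else` branches (for `$sort_by` in the `-134,6 +134,8` hunk and for `$sort_order` in the `-141,6 +143,8` hunk) rewrite the incoming value with `PMA_sanitize()` instead of checking it against the values the page accepts, so the fix relies on that helper's escaping being right for every later use of the two variables. `$sort_order` has only two meaningful values, so an allow-list is stricter and simpler: `} elseif (!in_array($sort_order, array('asc', 'desc'), true)) { $sort_order = 'desc'; }`. `$sort_by` could be restricted the same way to the column keys of the statistics array, which is built outside these hunks. The sort and the HTML output that consume both variables are also outside the hunks, so it cannot be confirmed from here that a value altered by `PMA_sanitize()` still names a real sort column; encoding with `htmlspecialchars()` where the values are printed would keep input validation and output encoding separate. A comment such as `// presumably request-supplied: restrict to known values before sorting and before building links` would record what the bare "security fix" subject leaves out.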