Escape error message coming from MySQL to avoid XSS on bad parameters.

This commit is contained in:
Michal Čihař
2010-08-20 11:35:42 +02:00
parent e7d10a6d53
commit a88dbaf305
2 changed files with 4 additions and 0 deletions


@@ -300,6 +300,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message); $error_message = PMA_DBI_convert_message($error_message);
} }
$error_message = htmlspecialchars($error_message);
// Some errors messages cannot be obtained by mysql_error() // Some errors messages cannot be obtained by mysql_error()
if ($error_number == 2002) { if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem']; $error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem'];
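Review bot: The inserted `htmlspecialchars($error_message)` call relies on the default flags, so single quotes are left unescaped and, on PHP releases before 5.4, the assumed charset is ISO-8859-1 rather than whatever PMA_DBI_convert_message() produced on the preceding line; spelling the arguments out, `$error_message = htmlspecialchars($error_message, ENT_QUOTES, 'UTF-8');` (assuming the converted message is UTF-8 — verify against PMA_DBI_convert_message), keeps the escape correct inside single-quoted attributes and for multibyte text. Because PMA_DBI_getError() now returns an HTML-encoded string, its docblock (outside this hunk) should state that, e.g. `@return string the error message, already HTML-escaped; callers must not escape it again`, otherwise existing callers that escape on output will double-encode and any non-HTML consumer (logs, text export) receives entities. The second hunk (`@@ -417,6 +417,8 @@`) in the other driver file adds the identical line and needs the same treatment. The enclosing function starts before and ends after this hunk, so whether $error_message is set on every path reaching the new line cannot be confirmed from here.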


@@ -417,6 +417,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message); $error_message = PMA_DBI_convert_message($error_message);
} }
$error_message = htmlspecialchars($error_message);
if ($error_number == 2002) { if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem']; $error = '#' . ((string) $error_number) . ' - ' . $GLOBALS['strServerNotResponding'] . ' ' . $GLOBALS['strSocketProblem'];
} elseif (defined('PMA_MYSQL_INT_VERSION') && PMA_MYSQL_INT_VERSION >= 40100) { } elseif (defined('PMA_MYSQL_INT_VERSION') && PMA_MYSQL_INT_VERSION >= 40100) {