diff --git a/ChangeLog b/ChangeLog
index bfb2ce961..a67ee7d05 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -33,6 +33,9 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
 - bug #1826022 [privileges] unable to add user (MySQL 3.23) since PMA 2.11.2
 - bug #1823045 [import] Error importing file with lowercase "delimiter"
+2.11.2.1 (not yet released)
+- fixed possible SQL injection using database name
+
 2.11.2.0 (2007-10-27)
 - patch #1791576 HTTP auth: support REDIRECT_REMOTE_USER, thanks to Allard
 + [lang] Serbian update, thanks to Mihailo Stefanovic
diff --git a/server_privileges.php b/server_privileges.php
index 54856e267..6681d833f 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -1993,7 +1993,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
 $sql_query = '(SELECT ' . $list_of_privileges . ', `Db`'
 .' FROM `mysql`.`db`'
-.' WHERE \'' . $checkprivs . "'"
+.' WHERE \'' . PMA_sqlAddslashes($checkprivs) . "'"
 .' LIKE `Db`'
 .' AND NOT (' . $list_of_compared_privileges. ')) '
 .'UNION '
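Review bot: The escaping is applied to a single interpolation of `$checkprivs`, but the statement it sits in runs past the hunk (`.'UNION '` is the last line shown), so if the second SELECT of the UNION embeds `$checkprivs` the same way it is still injectable and needs the identical `PMA_sqlAddslashes($checkprivs)` treatment; the enclosing `if` block from the hunk header also starts outside the hunk. The fix is only as good as the helper: it has to escape backslashes as well as single quotes (a value ending in `\` would otherwise break out of the literal) and be correct for the connection charset, which an addslashes-style routine generally cannot guarantee the way a driver-level `mysql_real_escape_string` can — neither property is visible from here, so please confirm. Since `$checkprivs` appears to originate from the request, a one-line why-comment above the concatenation would help the next reader keep it escaped: `// $checkprivs is request-controlled: always escape before embedding in the string literal`. Note the value is the LIKE subject (the `Db` column is the pattern), so no wildcard escaping is needed here.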