nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fixed possible SQL injection using database name

Browse Source
This commit is contained in:
Sebastian Mendel
2007-11-09 07:41:47 +00:00
parent 1701c0c922
commit d35c14a0a9
2 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog
View File

@@ -19,6 +19,9 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
- bug #1826022 [privileges] unable to add user (MySQL 3.23) since PMA 2.11.2
- bug #1823045 [import] Error importing file with lowercase "delimiter"
2.11.2.1 (not yet released)
- fixed possible SQL injection using database name
2.11.2.0 (2007-10-27)
- patch #1791576 HTTP auth: support REDIRECT_REMOTE_USER, thanks to Allard
+ [lang] Serbian update, thanks to Mihailo Stefanovic

2
server_privileges.php
View File

@@ -2033,7 +2033,7 @@ if (empty($adduser) && (! isset($checkprivs) || ! strlen($checkprivs))) {
. PMA_convert_using('`Db`') . ' AS `Db`, '
. $list_of_privileges
.' FROM `mysql`.`db`'
.' WHERE ' . PMA_convert_using($checkprivs, 'quoted')
.' WHERE ' . PMA_convert_using(PMA_sqlAddslashes($checkprivs), 'quoted')
.' LIKE ' . PMA_convert_using('`Db`')
.' AND NOT (' . $list_of_compared_privileges. ')) '
.'UNION '