From e094f34bed5ef3fd9a4a3cd08e01ff59a260c730 Mon Sep 17 00:00:00 2001
From: Dieter Adriaenssens <ruleant@users.sourceforge.net>
Date: Fri, 10 Aug 2012 16:04:54 +0200
Subject: [PATCH] [security] properly escape name of newly created table, see
 PMASA-2012-4

---
 tbl_create.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tbl_create.php b/tbl_create.php
index 4d3171ad9..c40238658 100644
--- a/tbl_create.php
+++ b/tbl_create.php
@@ -287,7 +287,9 @@ if (isset($_REQUEST['do_save_data'])) {
             $new_table_string .= '<td align="center"> <input type="checkbox" id="checkbox_tbl_" name="selected_tbl[]" value="'.htmlspecialchars($table).'" /> </td>' . "\n";
 
             $new_table_string .= '<th>';
-            $new_table_string .= '<a href="sql.php' . PMA_generate_common_url($tbl_url_params) . '">'. $table . '</a>';
+            $new_table_string .= '<a href="sql.php'
+                . PMA_generate_common_url($tbl_url_params) . '">'
+                . htmlspecialchars($table) . '</a>';
 
             if (PMA_Tracker::isActive()) {
                 $truename = str_replace(' ', '&nbsp;', htmlspecialchars($table));