nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[security] properly escape name of newly created table, see PMASA-2012-4

Browse Source
This commit is contained in:
Dieter Adriaenssens
2012-08-10 16:04:54 +02:00
parent d84b98d340
commit e094f34bed
1 changed files with 3 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
tbl_create.php
View File

@@ -287,7 +287,9 @@ if (isset($_REQUEST['do_save_data'])) {
$new_table_string .= '<td align="center"> <input type="checkbox" id="checkbox_tbl_" name="selected_tbl[]" value="'.htmlspecialchars($table).'" /> </td>' . "\n"; $new_table_string .= '<td align="center"> <input type="checkbox" id="checkbox_tbl_" name="selected_tbl[]" value="'.htmlspecialchars($table).'" /> </td>' . "\n";
$new_table_string .= '<th>'; $new_table_string .= '<th>';
$new_table_string .= '<a href="sql.php' . PMA_generate_common_url($tbl_url_params) . '">'. $table . '</a>'; $new_table_string .= '<a href="sql.php'
. PMA_generate_common_url($tbl_url_params) . '">'
. htmlspecialchars($table) . '</a>';
if (PMA_Tracker::isActive()) { if (PMA_Tracker::isActive()) {
$truename = str_replace(' ', '&nbsp;', htmlspecialchars($table)); $truename = str_replace(' ', '&nbsp;', htmlspecialchars($table));