nettika/phpmyadmin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

improved escaping, thanks to Herman van Rink

Browse Source
This commit is contained in:
Marc Delisle
2009-10-12 21:53:01 +00:00
parent 8ec5434999
commit e22d2204e5
1 changed files with 9 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
server_privileges.php
View File

@@ -373,7 +373,7 @@ function PMA_displayPrivTable($db = '*', $table = '*', $submit = TRUE)
.' AND `Host`' .' AND `Host`'
.' = \'' . PMA_sqlAddslashes($hostname) . "'" .' = \'' . PMA_sqlAddslashes($hostname) . "'"
.' AND `Db`' .' AND `Db`'
.' = \'' . PMA_unescape_mysql_wildcards($db) . "'" .' = \'' . PMA_sqlAddslashes(PMA_unescape_mysql_wildcards($db)) . "'"
.' AND `Table_name`' .' AND `Table_name`'
.' = \'' . PMA_sqlAddslashes($table) . '\';'); .' = \'' . PMA_sqlAddslashes($table) . '\';');
@@ -1026,11 +1026,11 @@ if (isset($_REQUEST['change_copy'])) {
.' WHERE `User`' .' WHERE `User`'
.' = \'' . PMA_sqlAddslashes($old_username) . "'" .' = \'' . PMA_sqlAddslashes($old_username) . "'"
.' AND `Host`' .' AND `Host`'
.' = \'' . $old_hostname . '\'' .' = \'' . PMA_sqlAddslashes($old_hostname) . '\''
.' AND `Db`' .' AND `Db`'
.' = \'' . $row['Db'] . "'" .' = \'' . PMA_sqlAddslashes($row['Db']) . "'"
.' AND `Table_name`' .' AND `Table_name`'
.' = \'' . $row['Table_name'] . "'" .' = \'' . PMA_sqlAddslashes($row['Table_name']) . "'"
.';', .';',
null, PMA_DBI_QUERY_STORE); null, PMA_DBI_QUERY_STORE);
@@ -1690,8 +1690,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
if (in_array($table_search_in, $tables)) { if (in_array($table_search_in, $tables)) {
$db_rights_sqls[] = ' $db_rights_sqls[] = '
SELECT DISTINCT `Db` SELECT DISTINCT `Db`
FROM `mysql`.`' . $table_search_in . '` FROM `mysql`.' . PMA_backquote($table_search_in)
' . $user_host_condition; . $user_host_condition;
} }
} }
@@ -1747,7 +1747,7 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
$user_host_condition .= $user_host_condition .=
' AND `Db`' ' AND `Db`'
.' LIKE \'' . $dbname . "'"; .' LIKE \'' . PMA_sqlAddslashes($dbname) . "'";
$tables_to_search_for_users = array( $tables_to_search_for_users = array(
'columns_priv', 'columns_priv',
@@ -1758,8 +1758,8 @@ if (empty($_REQUEST['adduser']) && (! isset($checkprivs) || ! strlen($checkprivs
if (in_array($table_search_in, $tables)) { if (in_array($table_search_in, $tables)) {
$db_rights_sqls[] = ' $db_rights_sqls[] = '
SELECT DISTINCT `Table_name` SELECT DISTINCT `Table_name`
FROM `mysql`.`' . $table_search_in . '` FROM `mysql`.' . PMA_backquote($table_search_in)
' . $user_host_condition; . $user_host_condition;
} }
} }