| field | value | date |
|---|---|---|
| author | Deven Bansod <devenbansod.bits@gmail.com> | 2016-10-29 08:15:12 +0300 |
| committer | Deven Bansod <devenbansod.bits@gmail.com> | 2016-10-29 08:15:12 +0300 |
| commit | f14cffdbe700a80b2b1e49f51da8867ac6246a6e | |
| tree | 704ca52377c76ec1fcc1ea2f70d0ec82c2381a95 /db_tracking.php | |
| parent | 2fbf09ba2d7b8e75744b4cac2a7325bc68da126a | |
Properly escape strings in MySQL statement values
Use *_real_escape string functions provided by connectors to escape strings while exporting
Fix #12453
Signed-off-by: Deven Bansod <devenbansod.bits@gmail.com>
Conflicts:
libraries/server_privileges.lib.php
Diffstat (limited to 'db_tracking.php')
-rw-r--r-- | db_tracking.php | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/db_tracking.php b/db_tracking.php index ad072fca44..c8f78379dd 100644 --- a/db_tracking.php +++ b/db_tracking.php @@ -114,7 +114,7 @@ $cfgRelation = PMA_getRelationsParam(); $all_tables_query = ' SELECT table_name, MAX(version) as version FROM ' . PMA\libraries\Util::backquote($cfgRelation['db']) . '.' . PMA\libraries\Util::backquote($cfgRelation['tracking']) . - ' WHERE db_name = \'' . PMA\libraries\Util::sqlAddSlashes($_REQUEST['db']) . + ' WHERE db_name = \'' . $GLOBALS['dbi']->escapeString($_REQUEST['db']) . '\' ' . ' GROUP BY table_name' . ' ORDER BY table_name ASC'; |
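Review bot: In the changed `WHERE db_name = ...` line, `$_REQUEST['db']` is still spliced into the SQL text by concatenation, so the query is only safe while the escaped value stays between the two single quotes and while `$GLOBALS['dbi']` holds a live connection whose character set matches what `escapeString()` assumes. Consider reading `$_REQUEST['db']` into a local variable once, checking that it is a non-empty string, and escaping that variable, or binding it as a parameter if the DBI layer offers a prepared-statement path. A one-line comment saying why `escapeString()` replaces `sqlAddSlashes()` here would also help, since the diffstat shown is limited to this file and the reasoning lives only in the commit message.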