author | Isaac Bennetch <bennetch@gmail.com> | 2020-03-21 01:21:05 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-03-21 01:21:05 +0300 |
commit | 155f3b2b4117b08df9dc4fc8eae9f1054c9d9c1e (patch) | |
tree | 46e25b6dbb69a76e2d000b619cfff593bfbb91b3 /libraries | |
parent | 9ce61ea0e59a98147c156dd170cc0f8b95a7daaa (diff) | |
parent | a8acd7a42cf743186528b0453f90aaa32bfefabe (diff) |
Merge pull request #297 from phpmyadmin/security/296
SQL Injection in SearchController
Diffstat (limited to 'libraries')
-rw-r--r-- | libraries/classes/Controllers/Table/TableSearchController.php | 4 |
1 files changed, 2 insertions, 2 deletions
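--- a/libraries/classes/Controllers/Table/TableSearchController.php
+++ b/libraries/classes/Controllers/Table/TableSearchController.php
@@ -420,8 +420,8 @@ class TableSearchController extends TableController
     public function getDataRowAction()
     {
         $extra_data = array();
-        $row_info_query = 'SELECT * FROM `' . $_POST['db'] . '`.`'
-            . $_POST['table'] . '` WHERE ' . $_POST['where_clause'];
+        $row_info_query = 'SELECT * FROM ' . Util::backquote($_POST['db']) . '.'
+            . Util::backquote($_POST['table']) . ' WHERE ' . $_POST['where_clause'];
         $result = $this->dbi->query(
             $row_info_query . ";",
             DatabaseInterface::CONNECT_USER,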
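Review bot: `$_POST['where_clause']` is still concatenated verbatim into `$row_info_query` on the new `+` continuation line, so the statement handed to `$this->dbi->query()` is built from an unescaped request value even though the `db` and `table` identifiers are now wrapped in `Util::backquote()`. Nothing in the hunk shows that clause being checked against a value the application itself generated, and the `";"` appended at the call site does not constrain it either. Either verify the clause against the server-side condition it is supposed to echo before use, or fetch the row through a prepared statement with bound values instead of string concatenation; at minimum add `// TODO: where_clause comes from the request unescaped; validate or parameterise before use` above the assignment so the remaining gap is visible. getDataRowAction() continues past the end of the hunk.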