Add where_clause check in tbl_get_field.php

Signed-off-by: Maurício Meneghini Fauth <mauricio@fauth.dev>
author: Maurício Meneghini Fauth <mauricio@fauth.dev> 2020-03-05 23:34:49 +0300
committer: Maurício Meneghini Fauth <mauricio@fauth.dev> 2020-03-05 23:34:49 +0300
commit: 6b9b2601d8af916659cde8aefd3a6eaadd10284a (patch)
tree: f7e5485cb9c5d0608d40c1d2a4c697b867f69be9 /tbl_get_field.php
parent: 09c89bab7518dea609f45df15a0cdfcc7dc3f525 (diff)
1 files changed, 8 insertions, 0 deletions
diff --git a/tbl_get_field.php b/tbl_get_field.php
index 975102790b..1141fb04d6 100644
--- a/tbl_get_field.php
+++ b/tbl_get_field.php
@@ -38,6 +38,14 @@ if (!$GLOBALS['dbi']->getColumns($db, $table)) {
     PhpMyAdmin\Util::mysqlDie(__('Invalid table name'));
 }
 
+if (! isset($_GET['where_clause'])
+    || ! isset($_GET['where_clause_sign'])
+    || ! Core::checkSqlQuerySignature($_GET['where_clause'], $_GET['where_clause_sign'])
+) {
+    Core::fatalError(__('There is an issue with your request.'));
+    exit;
+}
+
 /* Grab data */
 $sql = 'SELECT ' . PhpMyAdmin\Util::backquote($_GET['transform_key'])
     . ' FROM ' . PhpMyAdmin\Util::backquote($table)
author	Maurício Meneghini Fauth <mauricio@fauth.dev>	2020-03-05 23:34:49 +0300
committer	Maurício Meneghini Fauth <mauricio@fauth.dev>	2020-03-05 23:34:49 +0300
commit	6b9b2601d8af916659cde8aefd3a6eaadd10284a (patch)
tree	f7e5485cb9c5d0608d40c1d2a4c697b867f69be9 /tbl_get_field.php
parent	09c89bab7518dea609f45df15a0cdfcc7dc3f525 (diff)