From d35c14a0a9126353971878cc3a34cb1764fb49fd Mon Sep 17 00:00:00 2001
From: Sebastian Mendel <cybot_tm@users.sourceforge.net>
Date: Fri, 9 Nov 2007 07:41:47 +0000
Subject: fixed possible SQL injection using database name

---
 server_privileges.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'server_privileges.php')

diff --git a/server_privileges.php b/server_privileges.php
index 012a8d15d7..23d174b986 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -2033,7 +2033,7 @@ if (empty($adduser) && (! isset($checkprivs) || ! strlen($checkprivs))) {
             .   PMA_convert_using('`Db`') . ' AS `Db`, '
             .   $list_of_privileges
             .' FROM `mysql`.`db`'
-            .' WHERE ' . PMA_convert_using($checkprivs, 'quoted')
+            .' WHERE ' . PMA_convert_using(PMA_sqlAddslashes($checkprivs), 'quoted')
             .' LIKE ' . PMA_convert_using('`Db`')
             .' AND NOT (' . $list_of_compared_privileges. ')) '
             .'UNION '
-- 
cgit v1.2.3