use prepared statement for creating databases to avoid sql injections in custom db-names

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
d00p committed Oct 11, 2021
1 parent c6f556c commit eb59234
Showing 1 changed file with 4 additions and 1 deletion.
5 changes: 4 additions & 1 deletion lib/Froxlor/Database/Manager/DbManagerMySQL.php
Expand Up @@ -60,7 +60,10 @@ public function __construct(&$log = null)
*/
public function createDatabase($dbname = null)
{
Database::query("CREATE DATABASE `" . $dbname . "`");
$stmt = Database::prepare("CREATE DATABASE :dbname");
Database::pexecute($stmt, [
'dbname' => $dbname
]);
}

/**
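Review bot: The replacement in `createDatabase()` binds the database name as a statement parameter (`CREATE DATABASE :dbname`), but bound parameters stand in for values, not identifiers, so this does not produce a valid statement. With PDO's emulated prepares the value is interpolated as a quoted string literal, giving `CREATE DATABASE 'somename'`, which MySQL rejects; with native server-side prepares the placeholder is rejected at prepare time because an identifier is expected at that position. Either way the call fails instead of creating the database, so the fix trades the injection in the old `"CREATE DATABASE `" . $dbname . "`"` concatenation for a broken code path. Since identifiers cannot be parameterised, the usual approach is to validate `$dbname` against a strict allowlist (for example only `[A-Za-z0-9_]` and a sane maximum length, which also rules out the backtick that made the original string injectable) before building the statement, and to keep the backtick quoting, escaping any backtick in the name by doubling it (`` ` `` to ```` `` ````). A short comment explaining why this statement cannot use a placeholder would help the next reader, and the removed backtick quoting also deserves a note, since names that were previously accepted may now behave differently.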
