diff --git a/ChangeLog b/ChangeLog
index 7755a113f203..9f886da74325 100755
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,9 @@ phpMyAdmin - Changelog
 $Id$
 $Source$
+2005-10-20 Marc Delisle
+ * server_databases.php: security fix
+
 2005-10-20 Alexander M. Turek
 * libraries/mysql_charsets.lib.php:
 - On MySQL 5.0.6, we don't have to parse SHOW CREATE DATABASE anymore,
diff --git a/server_databases.php b/server_databases.php
index 0d32917a983d..0468e3ad128b 100644
--- a/server_databases.php
+++ b/server_databases.php
@@ -134,6 +134,8 @@ function PMA_dbCmp($a, $b)
 // avoids 'undefined index' errors
 if (empty($sort_by)) {
 $sort_by = 'db_name';
+} else {
+ $sort_by = PMA_sanitize($sort_by);
 }
 if (empty($sort_order)) {
 if ($sort_by == 'db_name') {
@@ -141,6 +143,8 @@ function PMA_dbCmp($a, $b)
 } else {
 $sort_order = 'desc';
 }
+} else {
+ $sort_order = PMA_sanitize($sort_order);
 }
 // sorts the array
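Review bot: In both `else` branches added in server_databases.php (the `$sort_by` one in the first hunk and the `$sort_order` one in the second), the request value is passed through `PMA_sanitize()` and then kept, although each parameter has only a small closed set of legal values. PMA_sanitize() is defined outside this diff; if it is an escaping helper for displayed messages, as its name suggests, it neutralises markup but still lets an arbitrary string reach the comparator and whatever later echoes these variables, and it leaves a display-escaped value in a variable that later code may escape again. Validating against the allowed values is tighter and easier to audit: `$sort_order = (strtolower($sort_order) == 'desc') ? 'desc' : 'asc';`, and for `$sort_by` fall back to `'db_name'` unless the value is one of the column keys the page actually sorts on (that list is not visible here). The statements that consume both variables sit below the hunks, so the exact sink should be confirmed there. A short comment such as `// request parameter: restrict to known values before use` above each check would also record why the branch exists.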