
[security] properly escape name of newly created table, see PMASA-2012-4

ruleant committed Aug 10, 2012
1 parent ee30668 commit dca22c5046aa16899042592b40a0af7b5c4f1fc7
Showing with 3 additions and 1 deletion.
  1. +3 −1 tbl_create.php
@@ -272,7 +272,9 @@
$new_table_string .= '<td align="center"> <input type="checkbox" id="checkbox_tbl_" name="selected_tbl[]" value="'.htmlspecialchars($table).'" /> </td>' . "\n";
$new_table_string .= '<th>';
$new_table_string .= '<a href="sql.php' . PMA_generate_common_url($tbl_url_params) . '">'. $table . '</a>';
$new_table_string .= '<a href="sql.php'
. PMA_generate_common_url($tbl_url_params) . '">'
. htmlspecialchars($table) . '</a>';
if (PMA_Tracker::isActive()) {
$truename = str_replace(' ', '&nbsp;', htmlspecialchars($table));
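Review bot: The table name is now escaped separately at each output site in this hunk (the checkbox `value`, the link text, and `$truename`), so the next line that appends `$table` to `$new_table_string` can miss the call again. Computing it once before the row is built, `$escaped_table = htmlspecialchars($table);`, and using only `$escaped_table` in the HTML fragments would keep the raw name out of the markup-building code. The surrounding code starts and ends outside the hunk, so any other use of `$table` in this response, including inside the `PMA_Tracker::isActive()` branch, should be checked for the same escaping. A short comment above the row, such as `// $table is user-supplied: HTML-escape it at every output site`, would also record why the calls are there.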
