Fix SQL injection vulnerability in DB deletion

[sql-web.git] / lib / security.lib.php

diff --git a/lib/security.lib.php b/lib/security.lib.php
index eeb44a8842e1af1cdda8476d6de328955f4687c1..1ac28492f3d6fd8dc6f6be2e6026da3cf24e4e86 100644 (file)
--- a/lib/security.lib.php
+++ b/lib/security.lib.php
@@ -392,7 +392,7 @@ function delDB($dbname) {
        $arr['bEnabled'] = 0;
        $sql = sprintf("UPDATE DB SET %s WHERE DB.Name = '%s'",
                                        buildSQLSet($arr),
-                                       $dbname);
+                                       mysql_escape_string($dbname));
        DBUpdate($sql);
 
        return true;