Fix CSRF vulnerabilities

[sql-web.git] / lib / proc.lib.php

diff --git a/lib/proc.lib.php b/lib/proc.lib.php
index adf8252858526148ef4176df1ad06dbf914bdc19..2a07094d49ca807f2ae7d35736244611a1c93b75 100644 (file)
--- a/lib/proc.lib.php
+++ b/lib/proc.lib.php
@@ -16,7 +16,7 @@ class proc {
                $dbname = $uname.DELIMETER.$i_newdb;
                if ($User->isOverQuota() && !isAdmin()) {
                        $err1[] = 'You are over your quota. You may not add more databases.';
-               } elseif (count($User->getDBList())>MAXDBS && !isAdmin()) {
+               } elseif (count($User->getDBList())>=$User->getDBQuotaHard() && !isAdmin()) {
                        $err1[] = 'You have too many databases. You may not add more databases.';
                } elseif (empty($i_newdb)) {
                        $err1[] = 'Your database name may not be empty.';
@@ -27,7 +27,7 @@ class proc {
                                $err1[] = 'Database already exists.';
                        }
                } else {
-                       $msg1[] = 'Database `'.$dbname.'` created.';
+                       $msg1[] = 'Database `'.htmlentities($dbname).'` created.';
                }
                $i_newdb = $dbname;
                return array($msg1, $err1);
@@ -37,7 +37,7 @@ class proc {
                $dropdbs = array_keys($i_drop);
                foreach($dropdbs as $dbname) {
                        if ($User->delDB($dbname)) {
-                               $msg1[] = 'Database `'.$dbname.'` dropped.';
+                               $msg1[] = 'Database `'.htmlentities($dbname).'` dropped.';
                        } else {
                                $err1[] = mysql_error();
                        }