Fix SQL injection vulnerability in DB deletion

author Alex Dehnert <adehnert@mit.edu>

Sat, 19 Mar 2011 08:01:07 +0000 (08:01 +0000)

committer Alex Dehnert <adehnert@mit.edu>

Sat, 19 Mar 2011 08:01:07 +0000 (08:01 +0000)
author Alex Dehnert <adehnert@mit.edu>
Sat, 19 Mar 2011 08:01:07 +0000 (08:01 +0000)
committer Alex Dehnert <adehnert@mit.edu>
Sat, 19 Mar 2011 08:01:07 +0000 (08:01 +0000)
diff --git a/lib/security.lib.php b/lib/security.lib.php

index eeb44a8842e1af1cdda8476d6de328955f4687c1..1ac28492f3d6fd8dc6f6be2e6026da3cf24e4e86 100644 (file)
--- a/lib/security.lib.php
+++ b/lib/security.lib.php
@@ -392,7 +392,7 @@ function delDB($dbname) {
         $arr['bEnabled'] = 0;
         $sql = sprintf("UPDATE DB SET %s WHERE DB.Name = '%s'",
                                         buildSQLSet($arr),
-                                       $dbname);
+                                       mysql_escape_string($dbname));
         DBUpdate($sql);
  
         return true;
author	Alex Dehnert <adehnert@mit.edu>
	Sat, 19 Mar 2011 08:01:07 +0000 (08:01 +0000)
committer	Alex Dehnert <adehnert@mit.edu>
	Sat, 19 Mar 2011 08:01:07 +0000 (08:01 +0000)