use prepared statement for creating databases to avoid sql injections in custom db-names

Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
2021-10-11 18:33:48 +02:00
parent c6f556c8d9
commit eb592340b0
1 changed files with 4 additions and 1 deletions
--- a/lib/Froxlor/Database/Manager/DbManagerMySQL.php
+++ b/lib/Froxlor/Database/Manager/DbManagerMySQL.php
@@ -60,7 +60,10 @@ class DbManagerMySQL
 	 */
 	public function createDatabase($dbname = null)
 	{
-		Database::query("CREATE DATABASE `" . $dbname . "`");
+		$stmt = Database::prepare("CREATE DATABASE :dbname");
+		Database::pexecute($stmt, [
+			'dbname' => $dbname
+		]);
 	}

 	/**