maketank/Froxlor
2
0
Fork 0
Code Pull Requests Releases Activity

use prepared statement for creating databases to avoid sql injections in custom db-names

Browse Source 
Signed-off-by: Michael Kaufmann <d00p@froxlor.org>
This commit is contained in:
Michael Kaufmann
2021-10-11 18:33:48 +02:00
parent c6f556c8d9
commit eb592340b0
1 changed files with 4 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
lib/Froxlor/Database/Manager/DbManagerMySQL.php
View File

@@ -60,7 +60,10 @@ class DbManagerMySQL
*/ */
public function createDatabase($dbname = null) public function createDatabase($dbname = null)
{ {
Database::query("CREATE DATABASE `" . $dbname . "`"); $stmt = Database::prepare("CREATE DATABASE :dbname");
Database::pexecute($stmt, [
'dbname' => $dbname
]);
} }
/** /**