20 Aug
2010
20 Aug
'10
3:06 p.m.
The branch, QA_2_11 has been updated
via c1865ca7b863bd919b91313806ea47570de8347c (commit)
via b1cb5590eefd2977bdb3a6e45796d5a4189e95ad (commit)
via 437e00ef2eec5fbc743f652c93d90b3853dcf825 (commit)
via a88dbaf305a44107ffb557e9d93512792744af84 (commit)
via e7d10a6d53582abcf20455ad0051048a991023af (commit)
via 2051a861f8a968dafc297650036cc7e640a18887 (commit)
via 0fd0512c9b7344abad60ab9effb7b7537b2b5d08 (commit)
via 4a50055d52cb1d6ba125b743b0eb422d5549b9c9 (commit)
via 30c83acddb58d3bbf940b5f9ec28abf5b235f4d2 (commit)
via a7c004d8d4069ca3c7d1c221f37b9cab39e36aaf (commit)
via 8b7f07cd954221f276ab11e2c3d98f18deb2f551 (commit)
via 1fe1aa6c0e2d85bed1343f4be21d672368e0a9c1 (commit)
via 8b8ce64792bb981cefc37a19f29f28f112df1c16 (commit)
via 0fe30236fac3c00ff123b9d48cc0b4b2ff6a7746 (commit)
via a4a54da173440d4c5097aececef56c28c14dc52e (commit)
via c69fca50ee81ff74cda860aad339d4185d32e194 (commit)
via c910f4c9ec9af876675d96df3fa65d7fc4551cc6 (commit)
via 08e27b89077df26a0f7f0390322bbe80e0437aa1 (commit)
via 110c44a7a3117b94b065742606cc6f7bc05f8cd5 (commit)
via 4951fd1c854d88e22935fd55d342fcb1670dc8e4 (commit)
from 8ae41bbc0238581d5e0e692e4dc67e35ded00170 (commit)
- Log -----------------------------------------------------------------
commit c1865ca7b863bd919b91313806ea47570de8347c
Merge: 8ae41bbc0238581d5e0e692e4dc67e35ded00170 b1cb5590eefd2977bdb3a6e45796d5a4189e95ad
Author: Michal Čihař <mcihar(a)novell.com>
Date: Fri Aug 20 13:32:34 2010 +0200
Merge branch 'MAINT_2_11_10' into QA_2_11
Conflicts:
ChangeLog
Documentation.html
README
libraries/Config.class.php
translators.html
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 5 +++++
db_sql.php | 2 +-
error.php | 10 +++++++---
libraries/common.lib.php | 9 +++++----
libraries/database_interface.lib.php | 4 ++++
libraries/dbi/mysql.dbi.lib.php | 2 ++
libraries/dbi/mysqli.dbi.lib.php | 2 ++
libraries/sanitizing.lib.php | 17 +++++++++++++++--
libraries/sqlparser.lib.php | 2 +-
scripts/setup.php | 1 +
server_databases.php | 6 +++---
server_privileges.php | 32 ++++++++++++++++----------------
sql.php | 14 +++++++-------
tbl_sql.php | 2 +-
14 files changed, 70 insertions(+), 38 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 34d1338..72d2cbc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -8,6 +8,11 @@ $HeadURL:
https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
2.11.11.0 (not yet released)
- [core] Fix broken cleanup of $_GET
+2.11.10.1 (2010-08-20)
+- [setup] Fixed output sanitizing in setup script, see PMASA-2010-4 for
+ more details.
+- [core] Fixed various XSS issues, see PMASA-2010-5 for more details.
+
2.11.10.0 (2009-12-07)
- [core] safer handling of temporary files with open_basedir (thanks to Thijs
Kinkhorst)
diff --git a/db_sql.php b/db_sql.php
index 6c582c3..32d30e4 100644
--- a/db_sql.php
+++ b/db_sql.php
@@ -36,7 +36,7 @@ if ($num_tables == 0 && empty($db_query_force)) {
/**
* Query box, bookmark, insert data from textfile
*/
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ?
$_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ?
htmlspecialchars($_REQUEST['delimiter']) : ';');
/**
* Displays the footer
diff --git a/error.php b/error.php
index e0abb44..750ac60 100644
--- a/error.php
+++ b/error.php
@@ -73,10 +73,14 @@ header('Content-Type: text/html; charset=' . $charset);
<body>
<h1>phpMyAdmin - <?php echo $type; ?></h1>
<p><?php
-if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
- echo PMA_sanitize(stripslashes($_REQUEST['error']));
+if (!empty($_REQUEST['error'])) {
+ if (function_exists('get_magic_quotes_gpc') &&
get_magic_quotes_gpc()) {
+ echo PMA_sanitize(stripslashes($_REQUEST['error']));
+ } else {
+ echo PMA_sanitize($_REQUEST['error']);
+ }
} else {
- echo PMA_sanitize($_REQUEST['error']);
+ echo 'No error message!';
}
?></p>
</body>
diff --git a/libraries/common.lib.php b/libraries/common.lib.php
index 626bbe3..716af94 100644
--- a/libraries/common.lib.php
+++ b/libraries/common.lib.php
@@ -473,7 +473,7 @@ function PMA_mysqlDie($error_message = '', $the_query =
'',
$formatted_sql = '';
} else {
if (strlen($the_query) >
$GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) {
- $formatted_sql = substr($the_query, 0,
$GLOBALS['cfg']['MaxCharactersInDisplayedSQL']) . '[...]';
+ $formatted_sql = htmlspecialchars(substr($the_query, 0,
$GLOBALS['cfg']['MaxCharactersInDisplayedSQL'])) . '[...]';
} else {
$formatted_sql = PMA_formatSql(PMA_SQP_parse($the_query), $the_query);
}
@@ -622,22 +622,23 @@ function PMA_convert_using($string, $mode='unquoted',
$force_utf8 = false)
function PMA_sendHeaderLocation($uri)
{
if (PMA_IS_IIS && strlen($uri) > 600) {
+ require_once './libraries/js_escape.lib.php';
echo '<html><head><title>- - -</title>' .
"\n";
echo '<meta http-equiv="expires" content="0">'
. "\n";
echo '<meta http-equiv="Pragma"
content="no-cache">' . "\n";
echo '<meta http-equiv="Cache-Control"
content="no-cache">' . "\n";
- echo '<meta http-equiv="Refresh" content="0;url=' .$uri
. '">' . "\n";
+ echo '<meta http-equiv="Refresh" content="0;url=' .
htmlspecialchars($uri) . '">' . "\n";
echo '<script type="text/javascript">' . "\n";
echo '//<![CDATA[' . "\n";
- echo 'setTimeout("window.location = unescape(\'"' . $uri .
'"\')", 2000);' . "\n";
+ echo 'setTimeout("window.location = unescape(\'"' .
PMA_escapeJsString($uri) . '"\')", 2000);' . "\n";
echo '//]]>' . "\n";
echo '</script>' . "\n";
echo '</head>' . "\n";
echo '<body>' . "\n";
echo '<script type="text/javascript">' . "\n";
echo '//<![CDATA[' . "\n";
- echo 'document.write(\'<p><a href="' . $uri .
'">' . $GLOBALS['strGo'] . '</a></p>\');'
. "\n";
+ echo 'document.write(\'<p><a href="' .
htmlspecialchars($uri) . '">' . $GLOBALS['strGo'] .
'</a></p>\');' . "\n";
echo '//]]>' . "\n";
echo '</script></body></html>' . "\n";
diff --git a/libraries/database_interface.lib.php b/libraries/database_interface.lib.php
index 9a40c55..b7d122c 100644
--- a/libraries/database_interface.lib.php
+++ b/libraries/database_interface.lib.php
@@ -208,6 +208,10 @@ function PMA_usort_comparison_callback($a, $b)
} else {
$sorter = 'strcasecmp';
}
+ /* No sorting when key is not present */
+ if (!isset($a[$GLOBALS['callback_sort_by']]) || !
isset($b[$GLOBALS['callback_sort_by']])) {
+ return 0;
+ }
// produces f.e.:
// return -1 * strnatcasecmp($a["SCHEMA_TABLES"],
$b["SCHEMA_TABLES"])
return ($GLOBALS['callback_sort_order'] == 'ASC' ? 1 : -1) *
$sorter($a[$GLOBALS['callback_sort_by']],
$b[$GLOBALS['callback_sort_by']]);
diff --git a/libraries/dbi/mysql.dbi.lib.php b/libraries/dbi/mysql.dbi.lib.php
index 3ae84b8..b0275b1 100644
--- a/libraries/dbi/mysql.dbi.lib.php
+++ b/libraries/dbi/mysql.dbi.lib.php
@@ -300,6 +300,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message);
}
+ $error_message = htmlspecialchars($error_message);
+
// Some errors messages cannot be obtained by mysql_error()
if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' .
$GLOBALS['strServerNotResponding'] . ' ' .
$GLOBALS['strSocketProblem'];
diff --git a/libraries/dbi/mysqli.dbi.lib.php b/libraries/dbi/mysqli.dbi.lib.php
index 705477e..13b3eaf 100644
--- a/libraries/dbi/mysqli.dbi.lib.php
+++ b/libraries/dbi/mysqli.dbi.lib.php
@@ -417,6 +417,8 @@ function PMA_DBI_getError($link = null)
$error_message = PMA_DBI_convert_message($error_message);
}
+ $error_message = htmlspecialchars($error_message);
+
if ($error_number == 2002) {
$error = '#' . ((string) $error_number) . ' - ' .
$GLOBALS['strServerNotResponding'] . ' ' .
$GLOBALS['strSocketProblem'];
} elseif (defined('PMA_MYSQL_INT_VERSION') && PMA_MYSQL_INT_VERSION
>= 40100) {
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
index 388ca13..3ba7224 100644
--- a/libraries/sanitizing.lib.php
+++ b/libraries/sanitizing.lib.php
@@ -7,17 +7,26 @@
/**
* Sanitizes $message, taking into account our special codes
- * for formatting
+ * for formatting.
+ *
+ * If you want to include result in element attribute, you should escape it.
+ *
+ * Examples:
+ *
+ * <p><?php echo PMA_sanitize($foo); ?></p>
+ *
+ * <a title="<?php echo PMA_sanitize($foo, true);
?>">bar</a>
*
* @uses preg_replace()
* @uses strtr()
* @param string the message
+ * @param boolean whether to escape html in result
*
* @return string the sanitized message
*
* @access public
*/
-function PMA_sanitize($message)
+function PMA_sanitize($message, $escape = false)
{
$replace_pairs = array(
'<' => '<',
@@ -65,6 +74,10 @@ function PMA_sanitize($message)
$message = preg_replace($pattern, '<a href="\1"
target="\2">', $message);
}
+ if ($escape) {
+ $message = htmlspecialchars($message);
+ }
+
return $message;
}
?>
diff --git a/libraries/sqlparser.lib.php b/libraries/sqlparser.lib.php
index 488cde2..753f94c 100644
--- a/libraries/sqlparser.lib.php
+++ b/libraries/sqlparser.lib.php
@@ -2425,7 +2425,7 @@ if (! defined('PMA_MINIMUM_COMMON')) {
}
$after .= "\n";
*/
- $str .= $before . ($mode=='color' ?
PMA_SQP_formatHTML_colorize($arr[$i]) : $arr[$i]['data']). $after;
+ $str .= $before . ($mode=='color' ?
PMA_SQP_formatHTML_colorize($arr[$i]) : htmlspecialchars($arr[$i]['data'])).
$after;
} // end for
if ($mode=='color') {
$str .= '</span>';
diff --git a/scripts/setup.php b/scripts/setup.php
index 2f3d09d..49dd67b 100644
--- a/scripts/setup.php
+++ b/scripts/setup.php
@@ -518,6 +518,7 @@ function get_cfg_val($name, $val) {
}
}
if ($type == 'string') {
+ $k = preg_replace('/[^A-Za-z0-9_]/', '_', $k);
$ret .= get_cfg_val($name . "['$k']", $v);
} elseif ($type == 'int') {
$ret .= ' ' . PMA_var_export($v) . ',' . $crlf;
diff --git a/server_databases.php b/server_databases.php
index b9b8898..2b3e0a5 100644
--- a/server_databases.php
+++ b/server_databases.php
@@ -287,11 +287,11 @@ if ($databases_count > 0) {
unset($column_order, $stat_name, $stat, $databases, $table_columns);
if ($is_superuser || $cfg['AllowUserDropDatabase']) {
- $common_url_query = PMA_generate_common_url() . '&sort_by=' .
$sort_by . '&sort_order=' . $sort_order . '&dbstats=' .
$dbstats;
+ $common_url_query = PMA_generate_common_url(array('sort_by' =>
$sort_by, 'sort_order' => $sort_order, 'dbstats' => $dbstats));
echo '<img class="selectallarrow" src="' .
$pmaThemeImage . 'arrow_' . $text_dir . '.png" width="38"
height="22" alt="' . $strWithChecked . '" />' .
"\n"
- . '<a href="./server_databases.php?' . $common_url_query .
'&checkall=1" onclick="if (markAllRows(\'tabledatabases\'))
return false;">' . "\n"
+ . '<a href="./server_databases.php' . $common_url_query .
'&checkall=1" onclick="if (markAllRows(\'tabledatabases\'))
return false;">' . "\n"
. ' ' . $strCheckAll . '</a> / ' . "\n"
- . '<a href="./server_databases.php?' . $common_url_query .
'" onclick="if (unMarkAllRows(\'tabledatabases\')) return
false;">' . "\n"
+ . '<a href="./server_databases.php' . $common_url_query .
'" onclick="if (unMarkAllRows(\'tabledatabases\')) return
false;">' . "\n"
. ' ' . $strUncheckAll . '</a>' . "\n"
. '<i>' . $strWithChecked . '</i>' .
"\n";
PMA_buttonOrImage('drop_selected_dbs', 'mult_submit',
'drop_selected_dbs', $strDrop, 'b_deltbl.png');
diff --git a/server_privileges.php b/server_privileges.php
index 23d174b..a030c56 100644
--- a/server_privileges.php
+++ b/server_privileges.php
@@ -602,7 +602,7 @@ function PMA_displayLoginInformationFields($mode = 'new',
$indent = 0) {
. $spaces . ' <option value="userdefined"' .
((!isset($GLOBALS['pred_username']) || $GLOBALS['pred_username'] ==
'userdefined') ? ' selected="selected"' : '') .
'>' . $GLOBALS['strUseTextField'] . ':</option>' .
"\n"
. $spaces . ' </select>' . "\n"
. $spaces . '</span>' . "\n"
- . $spaces . '<input type="text" name="username"
maxlength="' . $username_length . '" title="' .
$GLOBALS['strUserName'] . '"' . (empty($GLOBALS['username'])
? '' : ' value="' . (isset($GLOBALS['new_username']) ?
$GLOBALS['new_username'] : $GLOBALS['username']) . '"') .
' onchange="pred_username.value = \'userdefined\';" />' .
"\n"
+ . $spaces . '<input type="text" name="username"
maxlength="' . $username_length . '" title="' .
$GLOBALS['strUserName'] . '"' . (empty($GLOBALS['username'])
? '' : ' value="' .
htmlspecialchars(isset($GLOBALS['new_username']) ?
$GLOBALS['new_username'] : $GLOBALS['username']) . '"') .
' onchange="pred_username.value = \'userdefined\';" />' .
"\n"
. $spaces . '</div>' . "\n"
. $spaces . '<div class="item">' . "\n"
. $spaces . '<label for="select_pred_hostname">' .
"\n"
@@ -650,7 +650,7 @@ function PMA_displayLoginInformationFields($mode = 'new',
$indent = 0) {
. $spaces . ' <option value="userdefined"' .
((isset($GLOBALS['pred_hostname']) && $GLOBALS['pred_hostname'] ==
'userdefined') ? ' selected="selected"' : '') .
'>' . $GLOBALS['strUseTextField'] . ':</option>' .
"\n"
. $spaces . ' </select>' . "\n"
. $spaces . '</span>' . "\n"
- . $spaces . '<input type="text" name="hostname"
maxlength="' . $hostname_length . '" value="' .
(isset($GLOBALS['hostname']) ? $GLOBALS['hostname'] : '') .
'" title="' . $GLOBALS['strHost'] . '"
onchange="pred_hostname.value = \'userdefined\';" />' .
"\n"
+ . $spaces . '<input type="text" name="hostname"
maxlength="' . $hostname_length . '" value="' .
htmlspecialchars(isset($GLOBALS['hostname']) ? $GLOBALS['hostname'] :
'') . '" title="' . $GLOBALS['strHost'] . '"
onchange="pred_hostname.value = \'userdefined\';" />' .
"\n"
. $spaces . '</div>' . "\n"
. $spaces . '<div class="item">' . "\n"
. $spaces . '<label for="select_pred_password">' .
"\n"
@@ -757,14 +757,14 @@ if (!empty($adduser_submit) || !empty($change_copy)) {
if (PMA_DBI_num_rows($res) == 1) {
PMA_DBI_free_result($res);
- $message = sprintf($GLOBALS['strUserAlreadyExists'], '[i]\''
. $username . '\'@\'' . $hostname . '\'[/i]');
+ $message = sprintf($GLOBALS['strUserAlreadyExists'], '[i]\''
. htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) .
'\'[/i]');
$adduser = 1;
} else {
PMA_DBI_free_result($res);
if (50002 <= PMA_MYSQL_INT_VERSION) {
// MySQL 5 requires CREATE USER before any GRANT on this user can done
- $create_user_real = 'CREATE USER \'' .
PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\'';
+ $create_user_real = 'CREATE USER \'' .
PMA_sqlAddslashes($username) . '\'@\'' . htmlspecialchars($hostname) .
'\'';
}
$real_sql_query =
@@ -1048,7 +1048,7 @@ if (!empty($update_privs)) {
$sql_query = (isset($sql_query0) ? $sql_query0 . ' ' : '')
. (isset($sql_query1) ? $sql_query1 . ' ' : '')
. $sql_query2;
- $message = sprintf($GLOBALS['strUpdatePrivMessage'], '\'' .
$username . '\'@\'' . $hostname . '\'');
+ $message = sprintf($GLOBALS['strUpdatePrivMessage'], '\'' .
htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) .
'\'');
}
@@ -1080,7 +1080,7 @@ if (!empty($revokeall)) {
unset($sql_query1);
}
$sql_query = $sql_query0 . (isset($sql_query1) ? ' ' . $sql_query1 :
'');
- $message = sprintf($GLOBALS['strRevokeMessage'], '\'' . $username
. '\'@\'' . $hostname . '\'');
+ $message = sprintf($GLOBALS['strRevokeMessage'], '\'' .
htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) .
'\'');
if (! isset($tablename) || ! strlen($tablename)) {
unset($dbname);
} else {
@@ -1115,7 +1115,7 @@ if (!empty($change_pw)) {
$sql_query = 'SET PASSWORD FOR \'' .
PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' .
(($pma_pw == '') ? '\'\'' : $hashing_function . '(\''
. preg_replace('@.@s', '*', $pma_pw) . '\')');
$local_query = 'SET PASSWORD FOR \'' .
PMA_sqlAddslashes($username) . '\'@\'' . $hostname . '\' = ' .
(($pma_pw == '') ? '\'\'' : $hashing_function . '(\''
. PMA_sqlAddslashes($pma_pw) . '\')');
PMA_DBI_try_query($local_query) or PMA_mysqlDie(PMA_DBI_getError(), $sql_query,
FALSE, $err_url);
- $message = sprintf($GLOBALS['strPasswordChanged'], '\'' .
$username . '\'@\'' . $hostname . '\'');
+ $message = sprintf($GLOBALS['strPasswordChanged'], '\'' .
htmlspecialchars($username) . '\'@\'' . htmlspecialchars($hostname) .
'\'');
}
}
@@ -1588,17 +1588,17 @@ if (empty($adduser) && (! isset($checkprivs) || !
strlen($checkprivs))) {
echo '<h2>' . "\n"
. ($GLOBALS['cfg']['PropertiesIconic'] ? '<img
class="icon" src="' . $pmaThemeImage . 'b_usredit.png"
width="16" height="16" alt="" />' : '')
- . $GLOBALS['strUser'] . ' <i><a
href="server_privileges.php?' . $GLOBALS['url_query'] .
'&username=' . urlencode($username) . '&hostname=' .
urlencode($hostname) . '">\'' . htmlspecialchars($username) .
'\'@\'' . htmlspecialchars($hostname) .
'\'</a></i>' . "\n";
+ . $GLOBALS['strUser'] . ' <i><a
href="server_privileges.php?' . $GLOBALS['url_query'] .
'&username=' . htmlspecialchars(urlencode($username)) .
'&hostname=' . htmlspecialchars(urlencode($hostname)) .
'">\'' . htmlspecialchars($username) . '\'@\'' .
htmlspecialchars($hostname) . '\'</a></i>' . "\n";
if (isset($dbname) && strlen($dbname)) {
if ($dbname_is_wildcard) {
echo ' - ' . $GLOBALS['strDatabases'];
} else {
echo ' - ' . $GLOBALS['strDatabase'];
}
- $url_dbname = urlencode(str_replace('\_', '_', $dbname));
+ $url_dbname = htmlspecialchars(urlencode(str_replace('\_',
'_', $dbname)));
echo ' <i><a href="' .
$GLOBALS['cfg']['DefaultTabDatabase'] . '?' .
$GLOBALS['url_query'] . '&db=' . $url_dbname .
'&reload=1">' . htmlspecialchars($dbname) .
'</a></i>' . "\n";
if (isset($tablename) && strlen($tablename)) {
- echo ' - ' . $GLOBALS['strTable'] . '
<i><a href="' . $GLOBALS['cfg']['DefaultTabTable'] .
'?' . $GLOBALS['url_query'] . '&db=' . $url_dbname .
'&table=' . urlencode($tablename) . '&reload=1">'
. htmlspecialchars($tablename) . '</a></i>' . "\n";
+ echo ' - ' . $GLOBALS['strTable'] . '
<i><a href="' . $GLOBALS['cfg']['DefaultTabTable'] .
'?' . $GLOBALS['url_query'] . '&db=' . $url_dbname .
'&table=' . htmlspecialchars(urlencode($tablename)) .
'&reload=1">' . htmlspecialchars($tablename) .
'</a></i>' . "\n";
}
unset($url_dbname);
}
@@ -1839,16 +1839,16 @@ if (empty($adduser) && (! isset($checkprivs) || !
strlen($checkprivs))) {
}
echo '</td>' . "\n"
. ' <td>';
- printf($link_edit, urlencode($username),
- urlencode($hostname),
- urlencode((! isset($dbname) || ! strlen($dbname)) ?
$row['Db'] : $dbname),
+ printf($link_edit, htmlspecialchars(urlencode($username)),
+ htmlspecialchars(urlencode($hostname)),
+ htmlspecialchars(urlencode((! isset($dbname) || !
strlen($dbname)) ? $row['Db'] : $dbname)),
urlencode((! isset($dbname) || ! strlen($dbname)) ? '' :
$row['Table_name']));
echo '</td>' . "\n"
. ' <td>';
if (! empty($row['can_delete']) ||
isset($row['Table_name']) && strlen($row['Table_name'])) {
- printf($link_revoke, urlencode($username),
- urlencode($hostname),
- urlencode((! isset($dbname) || ! strlen($dbname)) ?
$row['Db'] : $dbname),
+ printf($link_revoke, htmlspecialchars(urlencode($username)),
+ htmlspecialchars(urlencode($hostname)),
+ htmlspecialchars(urlencode((! isset($dbname) || !
strlen($dbname)) ? $row['Db'] : $dbname)),
urlencode((! isset($dbname) || ! strlen($dbname)) ?
'' : $row['Table_name']));
}
echo '</td>' . "\n"
diff --git a/sql.php b/sql.php
index 35bdab5..2a744c5 100644
--- a/sql.php
+++ b/sql.php
@@ -175,14 +175,14 @@ if ($do_confirm) {
.PMA_generate_common_hidden_inputs($db, $table);
?>
<input type="hidden" name="sql_query" value="<?php
echo htmlspecialchars($sql_query); ?>" />
- <input type="hidden" name="zero_rows" value="<?php
echo isset($zero_rows) ? PMA_sanitize($zero_rows) : ''; ?>" />
+ <input type="hidden" name="zero_rows" value="<?php
echo isset($zero_rows) ? PMA_sanitize($zero_rows, true) : ''; ?>" />
<input type="hidden" name="goto" value="<?php echo
$goto; ?>" />
- <input type="hidden" name="back" value="<?php echo
isset($back) ? PMA_sanitize($back) : ''; ?>" />
- <input type="hidden" name="reload" value="<?php echo
isset($reload) ? PMA_sanitize($reload) : 0; ?>" />
- <input type="hidden" name="purge" value="<?php echo
isset($purge) ? PMA_sanitize($purge) : ''; ?>" />
- <input type="hidden" name="cpurge" value="<?php echo
isset($cpurge) ? PMA_sanitize($cpurge) : ''; ?>" />
- <input type="hidden" name="purgekey" value="<?php echo
isset($purgekey) ? PMA_sanitize($purgekey) : ''; ?>" />
- <input type="hidden" name="show_query" value="<?php
echo isset($show_query) ? PMA_sanitize($show_query) : ''; ?>" />
+ <input type="hidden" name="back" value="<?php echo
isset($back) ? PMA_sanitize($back, true) : ''; ?>" />
+ <input type="hidden" name="reload" value="<?php echo
isset($reload) ? PMA_sanitize($reload, true) : 0; ?>" />
+ <input type="hidden" name="purge" value="<?php echo
isset($purge) ? PMA_sanitize($purge, true) : ''; ?>" />
+ <input type="hidden" name="cpurge" value="<?php echo
isset($cpurge) ? PMA_sanitize($cpurge, true) : ''; ?>" />
+ <input type="hidden" name="purgekey" value="<?php echo
isset($purgekey) ? PMA_sanitize($purgekey, true) : ''; ?>" />
+ <input type="hidden" name="show_query" value="<?php
echo isset($show_query) ? PMA_sanitize($show_query, true) : ''; ?>" />
<?php
echo '<fieldset class="confirmation">' . "\n"
.' <legend>' . $strDoYouReally . '</legend>'
diff --git a/tbl_sql.php b/tbl_sql.php
index f27a3b9..f9c71d8 100644
--- a/tbl_sql.php
+++ b/tbl_sql.php
@@ -37,7 +37,7 @@ require_once './libraries/tbl_links.inc.php';
/**
* Query box, bookmark, insert data from textfile
*/
-PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ?
$_REQUEST['delimiter'] : ';');
+PMA_sqlQueryForm(true, false, isset($_REQUEST['delimiter']) ?
htmlspecialchars($_REQUEST['delimiter']) : ';');
/**
* Displays the footer
hooks/post-receive
--
phpMyAdmin