authorBharat Mediratta <bharat@menalto.com>2012-05-15 10:54:18 -0700
committerBharat Mediratta <bharat@menalto.com>2012-05-15 10:54:51 -0700
commit3caf3cc323cd25b002aa8e44d871d4677da7a029 (patch)
tree88eb60518213c537b64a10d0f27061ae5772a07c /installer/web.php
parent05b50f2edfdc24d23e5e072ee3831ca12c003543 (diff)
Harden installer against bad characters in the database name or prefix. Fixes #1866.
Diffstat (limited to 'installer/web.php')
-rw-r--r--installer/web.php7
1 files changed, 7 insertions, 0 deletions
diff --git a/installer/web.php b/installer/web.php
index 6102f0e0..12f42d02 100644
--- a/installer/web.php
+++ b/installer/web.php
@@ -39,6 +39,13 @@ if (installer::already_installed()) {
"prefix" => $_POST["prefix"],
"type" => function_exists("mysqli_set_charset") ? "mysqli" : "mysql");
list ($config["host"], $config["port"]) = explode(":", $config["host"] . ":");
+ foreach ($config as $k => $v) {
+ if ($k == "password") {
+ $config[$k] = str_replace("'", "\\'", $v);
+ } else {
+ $config[$k] = strtr($v, "'`", "__");
+ }
+ }
if (!installer::connect($config)) {
$content = render("invalid_db_info.html.php");