mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Escape username and password in setup 

This should not be a big issue since only privileged users should be
able to reach the setup, but it's good to have nevertheless.

Using prepared statements seemed unfortunately not possibly, so I had to
choose `mysqli_real_escape_string`.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
This commit is contained in:
Lukas Reschke 2021-03-03 13:21:18 +00:00 committed by GitHub
parent 41dc18342f
commit 5ba2c8fac5
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/private/Setup/MySQL.php
View File

@ -111,8 +111,8 @@ class MySQL extends AbstractDatabase {
*/
private function createDBUser($connection) {
try {
$name = $this->dbUser;
$password = $this->dbPassword;
$name = mysqli_real_escape_string($this->dbUser);
$password = mysqli_real_escape_string($this->dbPassword);
// we need to create 2 accounts, one for global use and one for local user. if we don't specify the local one,
// the anonymous user would take precedence when there is one.