Escape username and password in setup

This should not be a big issue since only privileged users should be
able to reach the setup, but it's good to have nevertheless.

Using prepared statements seemed unfortunately not possibly, so I had to
choose `mysqli_real_escape_string`.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
This commit is contained in:
Lukas Reschke 2021-03-03 13:21:18 +00:00 committed by GitHub
parent 41dc18342f
commit 5ba2c8fac5
1 changed files with 2 additions and 2 deletions

View File

@ -111,8 +111,8 @@ class MySQL extends AbstractDatabase {
*/ */
private function createDBUser($connection) { private function createDBUser($connection) {
try { try {
$name = $this->dbUser; $name = mysqli_real_escape_string($this->dbUser);
$password = $this->dbPassword; $password = mysqli_real_escape_string($this->dbPassword);
// we need to create 2 accounts, one for global use and one for local user. if we don't specify the local one, // we need to create 2 accounts, one for global use and one for local user. if we don't specify the local one,
// the anonymous user would take precedence when there is one. // the anonymous user would take precedence when there is one.