Escape username and password in setup
This should not be a big issue since only privileged users should be able to reach the setup, but it's good to have nevertheless. Using prepared statements seemed unfortunately not possible, so I had to choose `mysqli_real_escape_string`.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
parent 41dc18342f
commit 5ba2c8fac5
|
@ -111,8 +111,8 @@ class MySQL extends AbstractDatabase {
|
||||||
*/
|
*/
|
||||||
private function createDBUser($connection) {
|
private function createDBUser($connection) {
|
||||||
try {
|
try {
|
||||||
$name = $this->dbUser;
|
$name = mysqli_real_escape_string($this->dbUser);
|
||||||
$password = $this->dbPassword;
|
$password = mysqli_real_escape_string($this->dbPassword);
|
||||||
// we need to create 2 accounts, one for global use and one for local user. if we don't specify the local one,
|
// we need to create 2 accounts, one for global use and one for local user. if we don't specify the local one,
|
||||||
// the anonymous user would take precedence when there is one.
|
// the anonymous user would take precedence when there is one.
|
||||||
|
|
||||||
|
|
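Review bot: On both changed lines in createDBUser, mysqli_real_escape_string is called with only the string, but the procedural form of that function takes the mysqli link as its first argument and the string as its second, so as written neither value gets escaped. If `$connection` is a mysqli link, pass it, for example `mysqli_real_escape_string($connection, $this->dbUser)`; if it is some other connection object, use that object's own quoting method instead. The statements that consume `$name` and `$password` are outside this hunk, so please also confirm both values end up inside quoted string literals there, since this escaping only protects in that context.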