Compare commits

...

1 Commits

Author SHA1 Message Date
Lukas Reschke 5ba2c8fac5 Escape username and password in setup
This should not be a big issue since only privileged users should be
able to reach the setup, but it's good to have nevertheless.

Using prepared statements seemed unfortunately not possibly, so I had to
choose `mysqli_real_escape_string`.

Signed-off-by: Lukas Reschke <lukas@statuscode.ch>
2021-03-03 13:21:18 +00:00
1 changed files with 2 additions and 2 deletions

View File

@ -111,8 +111,8 @@ class MySQL extends AbstractDatabase {
*/
private function createDBUser($connection) {
try {
$name = $this->dbUser;
$password = $this->dbPassword;
$name = mysqli_real_escape_string($this->dbUser);
$password = mysqli_real_escape_string($this->dbPassword);
// we need to create 2 accounts, one for global use and one for local user. if we don't specify the local one,
// the anonymous user would take precedence when there is one.