author | soleuu | 2019-09-27 15:11:36 +0000 |
---|---|---|
committer | Robert Treat | 2019-10-12 22:53:14 +0000 |
commit | cb3fb7346c5208272daab496a9c94c050f947a2c (patch) | |
tree | 27c977d67b2940b0659e756a3aca8d6b52b65f93 | |
parent | 473c0646a7a2f8688deddffa26c64fa0b7ffb746 (diff) |
escape schema/table/view identifier
-rw-r--r-- | display.php | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/display.php b/display.php
index 588b3100..52c8240d 100644
--- a/display.php
+++ b/display.php
@@ -529,11 +529,11 @@
 if (isset($_REQUEST['query'])) {
 $query = $_REQUEST['query'];
 } else {
- $query = "SELECT * FROM {$_REQUEST['schema']}";
+ $query = "SELECT * FROM ".pg_escape_identifier($_REQUEST['schema']);
 if ($_REQUEST['subject'] == 'view') {
- $query = "{$query}.{$_REQUEST['view']};";
+ $query = "{$query}.".pg_escape_identifier($_REQUEST['view']).";";
 } else {
- $query = "{$query}.{$_REQUEST['table']};";
+ $query = "{$query}.".pg_escape_identifier($_REQUEST['table']).";";
 }
 }
 //$query = isset($_REQUEST['query'])? $_REQUEST['query'] : "select * from {$_REQUEST['schema']}.{$_REQUEST['table']};"; |
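Review bot: The three new `pg_escape_identifier()` calls pass only the string, so they depend on PHP's implicit default connection, and their `false` return on failure is never checked; a failed call would concatenate as an empty string and leave `SELECT * FROM .;`. Identifier quoting follows the connection's client encoding, so the safer form passes the link the query will actually run on, e.g. `pg_escape_identifier($conn, $_REQUEST['schema'])` (`$conn` is a placeholder; the real handle is not visible in this hunk), and stops when the result is `false`. The `$_REQUEST['query']` branch and the code that executes `$query` lie outside the changed lines and are not covered by this escaping. The commented-out line at the end of the hunk still shows the old unescaped interpolation and could be deleted so it is not revived by mistake.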