From 2c07495d82bd692ea3426a031c2ce5d2e48305c1 Mon Sep 17 00:00:00 2001
From: Geir Hauge
Date: Thu, 29 Nov 2012 14:57:13 +0000
Subject: [PATCH] =?UTF-8?q?Tempor=C3=A6r=20fiks=20for=20sql=20injection.?=
 =?UTF-8?q?=20B=C3=B8r=20gj=C3=B8res=20med=20prepared=20statements?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 mysql-dbadm.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/mysql-dbadm.c b/mysql-dbadm.c
index 39ad2dd..755424e 100644
--- a/mysql-dbadm.c
+++ b/mysql-dbadm.c
@@ -573,13 +573,28 @@ main(int argc, char *argv[])
 			}
 			break;
 		case c_drop:
-			drop(&mysql, db);
+			if(dbname_isclean(db)) {
+				drop(&mysql, db);
+			} else {
+				dberror(NULL, "Database name '%s' contains invalid characters.\n" "Only A-Z, a-z, 0-9, _ (underscore) and - (dash) permitted. Skipping.", db);
+			}
 			break;
 		case c_editperm:
-			editperm(&mysql, db);
+			if(dbname_isclean(db)) {
+				editperm(&mysql, db);
+			} else {
+				dberror(NULL, "Database name '%s' contains invalid characters.\n" "Only A-Z, a-z, 0-9, _ (underscore) and - (dash) permitted. Skipping.", db);
+			}
 			break;
 		case c_show:
-			show(&mysql, db);
+			if(dbname_isclean(db)) {
+				show(&mysql, db);
+			} else {
+				dberror(NULL, "Database name '%s' contains invalid characters.\n" "Only A-Z, a-z, 0-9, _ (underscore) and - (dash) permitted. Skipping.", db);
+			}
 			break;
 		default:
 			return dberror(NULL, "This point should never be reached!");
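Review bot: The allow-list in the three new `if(dbname_isclean(db))` guards does not by itself make the string-built SQL in `drop`, `editperm` and `show` safe: the message advertises `-` as permitted, and a dash is not valid in an unquoted MySQL identifier, so unless those callees (outside the hunk) already wrap the name in backticks, an accepted name still cannot be spliced into the statement as-is; backtick-quoting the identifier (doubling any backtick inside it) belongs together with this check, and since MySQL prepared statements bind values rather than identifiers, the follow-up named in the subject will not make this validation redundant. The guard and its two-line message are copied verbatim into each case; one check above the `switch` for the commands that take a database name, `if (!dbname_isclean(db)) return dberror(NULL, "Database name '%s' contains invalid characters.\n" "…permitted. Skipping.", db);`, keeps a single copy of the message and also covers any name-taking case earlier in the switch that is not visible here. In the `else` branches the return value of `dberror` is discarded while the `default:` case returns it, so if it carries the exit status a skipped command presumably exits as success — confirm. The enclosing `main` starts and ends outside the hunk.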