diff --git a/adminer/select.inc.php b/adminer/select.inc.php
index 629f6a64..bda6b1f2 100644
--- a/adminer/select.inc.php
+++ b/adminer/select.inc.php
@@ -326,7 +326,7 @@ if (!$columns && support("table")) {
 if (!isset($unselected[$key])) {
 $val = $_GET["columns"][key($select)];
 $field = $fields[$select ? ($val ? $val["col"] : current($select)) : $key];
- $name = ($field ? $adminer->fieldName($field, $rank) : ($val["fun"] ? "*" : $key));
+ $name = ($field ? $adminer->fieldName($field, $rank) : ($val["fun"] ? "*" : h($key)));
 if ($name != "") {
 $rank++;
 $names[$key] = $name;
diff --git a/changes.txt b/changes.txt
index 59fce18a..850c96fa 100644
--- a/changes.txt
+++ b/changes.txt
@@ -1,4 +1,5 @@
 Adminer 4.15.0-dev:
+Escape unknown field in select
 HTTP drivers: Don't allow path in server name
 HTTP drivers: Hide connection error message
 SimpleDB: Disable XML entity loader
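Review bot: The `$name = ...` line now depends on an unstated invariant, that `$name` is an HTML fragment in every branch, and nothing in the code records it. The fallback is escaped with `h($key)` while the first branch relies on `fieldName()` returning safe markup, which is not visible in this hunk. I would add a comment above the assignment such as `// $name is printed as HTML: fieldName() must return escaped markup and the fallback key is escaped here`, so a later branch is not added unescaped. Because the escaped value is stored in `$names[$key]`, confirm that no later consumer escapes it again or uses it outside an HTML context (for example an export or a comparison against the raw key), which would yield double-encoded or mismatched names. The enclosing loop starts and ends outside the hunk, so where `$key` comes from and where `$names` is printed could not be checked here.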