Escape unknown field in select

2025-08-09 16:17:48 +02:00 · 2025-02-18 10:29:28 +01:00
parent 7541149522
commit 274fa2259b
2 changed files with 2 additions and 1 deletions
--- a/adminer/select.inc.php
+++ b/adminer/select.inc.php
@@ -326,7 +326,7 @@ if (!$columns && support("table")) {
 				if (!isset($unselected[$key])) {
 					$val = $_GET["columns"][key($select)];
 					$field = $fields[$select ? ($val ? $val["col"] : current($select)) : $key];
-					$name = ($field ? $adminer->fieldName($field, $rank) : ($val["fun"] ? "*" : $key));
+					$name = ($field ? $adminer->fieldName($field, $rank) : ($val["fun"] ? "*" : h($key)));
 					if ($name != "") {
 						$rank++;
 						$names[$key] = $name;
--- a/changes.txt
+++ b/changes.txt
@@ -1,4 +1,5 @@
 Adminer 4.15.0-dev:
+Escape unknown field in select
 HTTP drivers: Don't allow path in server name
 HTTP drivers: Hide connection error message
 SimpleDB: Disable XML entity loader