[ticket/15311] Escape file_name in sql query

PHPBB3-15311
2025-05-16 04:19:41 +02:00 · 2018-05-08 14:13:10 +02:00 · 2018-05-08 14:13:10 +02:00 · 01f88fd269
commit 01f88fd269
parent 4ebded01b9
1 changed files with 1 additions and 1 deletions
--- a/phpBB/includes/acp/acp_database.php
+++ b/phpBB/includes/acp/acp_database.php
@ -289,7 +289,7 @@ class acp_database
 									// Remove from database
 									$sql = "DELETE FROM " . $table_prefix . "backups
-										WHERE filename = '" . $file_name . "';";
+										WHERE filename = '" . $db->sql_escape($file_name) . "';";
 									$db->sql_query($sql);
 								}
 								catch (\Exception $e)