From 1511e8cf72acfa9342c401099a77c94bedeb7edf Mon Sep 17 00:00:00 2001
From: =?utf8?q?Michal=20=C4=8Ciha=C5=99?=
Date: Tue, 9 Dec 2008 13:45:32 +0000
Subject: [PATCH] [security] possible XSRF on several pages
---
 ChangeLog | 1 +
 libraries/db_table_exists.lib.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog
index 8387e4d211..d0bee0819d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -26,6 +26,7 @@ $HeadURL: https://phpmyadmin.svn.sourceforge.net/svnroot/phpmyadmin/trunk/phpMyA
 + [lang] Catalan update, thanks to Xavier Navarro
 + [lang] Finnish update, thanks to Jouni Kahkonen
 - [core] Avoid error with BLOBstreaming support requiring SUPER privilege
+- [security] possible XSRF on several pages

 3.1.0.0 (2008-11-28)
 + [auth] Support for Swekey hardware authentication,
diff --git a/libraries/db_table_exists.lib.php b/libraries/db_table_exists.lib.php
index 66c30e9ed3..fc078a42a3 100644
--- a/libraries/db_table_exists.lib.php
+++ b/libraries/db_table_exists.lib.php
@@ -71,7 +71,7 @@ if (empty($is_table) && !defined('PMA_SUBMIT_MULT')) {
 * @todo should this check really only happen if IS_TRANSFORMATION_WRAPPER?
 */
 $_result = PMA_DBI_try_query(
- 'SELECT COUNT(*) FROM `' . PMA_sqlAddslashes($table, true) . '`;',
+ 'SELECT COUNT(*) FROM ' . PMA_backquote($table) . ';',
 null, PMA_DBI_QUERY_STORE);
 $is_table = ($_result && @PMA_DBI_num_rows($_result));
 PMA_DBI_free_result($_result);
--
2.11.4.GIT
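Review bot: The new `PMA_backquote($table)` argument to `PMA_DBI_try_query(` carries no comment saying why identifier quoting is required there, and the commit subject (XSRF) does not explain it either. I would add above the query `// $table is quoted as an identifier: string escaping (PMA_sqlAddslashes) does not neutralise a backtick inside backquotes`, so that a later cleanup does not revert to the old form. The fix relies on PMA_backquote() doubling any embedded backtick, which this hunk does not show; presumably it does, but a regression test using a table name that contains a backtick would pin that behaviour. The enclosing `if (empty($is_table) && !defined('PMA_SUBMIT_MULT'))` block starts and ends outside the hunk, so where `$table` originates cannot be confirmed from here.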