Escape unknown field in select
authorJakub Vrana <jakub@vrana.cz>
Tue, 18 Feb 2025 09:29:28 +0000 (10:29 +0100)
committerJakub Vrana <jakub@vrana.cz>
Wed, 19 Feb 2025 10:16:45 +0000 (11:16 +0100)
adminer/select.inc.php
changes.txt

index 629f6a64faf69cb0d2b3aa290db9fb50714efc8a..bda6b1f294834194df1bfb187e17ccdf480cd55e 100644 (file)
@@ -326,7 +326,7 @@ if (!$columns && support("table")) {
                                if (!isset($unselected[$key])) {
                                        $val = $_GET["columns"][key($select)];
                                        $field = $fields[$select ? ($val ? $val["col"] : current($select)) : $key];
-                                       $name = ($field ? $adminer->fieldName($field, $rank) : ($val["fun"] ? "*" : $key));
+                                       $name = ($field ? $adminer->fieldName($field, $rank) : ($val["fun"] ? "*" : h($key)));
                                        if ($name != "") {
                                                $rank++;
                                                $names[$key] = $name;
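Review bot: The `h($key)` fallback makes `$name` HTML-safe only at this assignment, and nothing in the hunk records that `$names[$key]` now holds markup rather than a raw column name. Assuming `fieldName()` already returns escaped HTML (its body is not visible here), a short comment such as `// $name is HTML: every branch must be escaped before it is stored in $names` would keep a later branch from reintroducing the raw `$key`. It is also worth confirming that no consumer of `$names` outside the hunk escapes the value again or uses it in a non-HTML context such as an export, where entities like `&lt;` would then appear literally. The enclosing loop and the origin of `$key` lie outside the hunk.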
index 59fce18a1ba1cb2018cf1fd0291d4a73864681f1..850c96fa6dac9b0e266fae6290898916e8d84053 100644 (file)
@@ -1,4 +1,5 @@
 Adminer 4.15.0-dev:
+Escape unknown field in select
 HTTP drivers: Don't allow path in server name
 HTTP drivers: Hide connection error message
 SimpleDB: Disable XML entity loader