diff --git a/ChangeLog b/ChangeLog
index 87eca13ebe4638d7e58f988ce1f02cfab4adb32a..8fe1e968571a3056a16b5b8f3c14dfea97337df4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -51,6 +51,7 @@ For users:
 - Fix: Running sending-email.php
 - Fix: Warning should not appears for invoice closed
 - Fix: Import for companies works even with prefix empty.
+- Fix: bug #28895 : Création d'utilisateur impossible.
 For developers:
 - Qual: Reorganize /dev directory.
diff --git a/htdocs/lib/databases/mysql.lib.php b/htdocs/lib/databases/mysql.lib.php
index c80d5f173610fe35d9408c34e39e8252c381e4b2..01e738f1d10b86dc318476df83e908978cb6886f 100644
--- a/htdocs/lib/databases/mysql.lib.php
+++ b/htdocs/lib/databases/mysql.lib.php
@@ -999,7 +999,7 @@ class DoliDb
 {
 $sql = "INSERT INTO user ";
 $sql.= "(Host,User,password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Index_Priv,Alter_priv,Lock_tables_priv)";
- $sql.= " VALUES ('$dolibarr_main_db_host','$dolibarr_main_db_user',password('$dolibarr_main_db_pass')";
+ $sql.= " VALUES ('".addslashes($dolibarr_main_db_host)."','".addslashes($dolibarr_main_db_user)."',password('".addslashes($dolibarr_main_db_pass)."')";
 $sql.= ",'Y','Y','Y','Y','Y','Y','Y','Y','Y')";
 dol_syslog("mysql.lib::DDLCreateUser", LOG_DEBUG); // No sql to avoid password in log
@@ -1012,7 +1012,7 @@ class DoliDb
 $sql = "INSERT INTO db ";
 $sql.= "(Host,Db,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Index_Priv,Alter_priv,Lock_tables_priv)";
- $sql.= " VALUES ('$dolibarr_main_db_host','$dolibarr_main_db_name','$dolibarr_main_db_user'";
+ $sql.= " VALUES ('".addslashes($dolibarr_main_db_host)."','".addslashes($dolibarr_main_db_name)."','".addslashes($dolibarr_main_db_user)."'";
 $sql.= ",'Y','Y','Y','Y','Y','Y','Y','Y','Y')";
 dol_syslog("mysql.lib::DDLCreateUser sql=".$sql,LOG_DEBUG);
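Review bot: `addslashes()` on the new `VALUES` lines is not aware of the connection's character set or SQL mode, so with a multibyte connection charset or `NO_BACKSLASH_ESCAPES` enabled a quote in the host, user, database name or password can still end the string literal. Escape through the driver instead, for example `mysql_real_escape_string()` in this file and `mysqli_real_escape_string()` in mysqli.lib.php, called with the class's own connection handle (or through the class's escaping helper, if it has one). The same applies to the second hunk of this file (`INSERT INTO db`) and to both hunks of htdocs/lib/databases/mysqli.lib.php. DDLCreateUser starts and ends outside these hunks, so any validation of the arguments before this point is not visible here.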
diff --git a/htdocs/lib/databases/mysqli.lib.php b/htdocs/lib/databases/mysqli.lib.php
index 773d5d8849822d0af67f96b0641f1703f9a704f8..58f28fc6dc48d9b61ca729b3e7bc4c6ab6ce4ca6 100644
--- a/htdocs/lib/databases/mysqli.lib.php
+++ b/htdocs/lib/databases/mysqli.lib.php
@@ -1011,7 +1011,7 @@ class DoliDb
 {
 $sql = "INSERT INTO user ";
 $sql.= "(Host,User,password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Index_Priv,Alter_priv,Lock_tables_priv)";
- $sql.= " VALUES ('$dolibarr_main_db_host','$dolibarr_main_db_user',password('$dolibarr_main_db_pass')";
+ $sql.= " VALUES ('".addslashes($dolibarr_main_db_host)."','".addslashes($dolibarr_main_db_user)."',password('".addslashes($dolibarr_main_db_pass)."')";
 $sql.= ",'Y','Y','Y','Y','Y','Y','Y','Y','Y')";
 dol_syslog("mysqli.lib::DDLCreateUser", LOG_DEBUG); // No sql to avoid password in log
@@ -1024,7 +1024,7 @@ class DoliDb
 $sql = "INSERT INTO db ";
 $sql.= "(Host,Db,User,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Index_Priv,Alter_priv,Lock_tables_priv)";
- $sql.= " VALUES ('$dolibarr_main_db_host','$dolibarr_main_db_name','$dolibarr_main_db_user'";
+ $sql.= " VALUES ('".addslashes($dolibarr_main_db_host)."','".addslashes($dolibarr_main_db_name)."','".addslashes($dolibarr_main_db_user)."'";
 $sql.= ",'Y','Y','Y','Y','Y','Y','Y','Y','Y')";
 dol_syslog("mysqli.lib::DDLCreateUser sql=".$sql);
diff --git a/htdocs/lib/databases/pgsql.lib.php b/htdocs/lib/databases/pgsql.lib.php
index 92eeb008d5c9edd60109383328a70158e2c49fac..3f54edfc021e7109fb64136bef7a95c45dbb3570 100644
--- a/htdocs/lib/databases/pgsql.lib.php
+++ b/htdocs/lib/databases/pgsql.lib.php
@@ -915,7 +915,7 @@ class DoliDb
 */
 function DDLCreateUser($dolibarr_main_db_host,$dolibarr_main_db_user,$dolibarr_main_db_pass,$dolibarr_main_db_name)
 {
- $sql = "create user \"".$dolibarr_main_db_user."\" with password '".$dolibarr_main_db_pass."'";
+ $sql = "create user \"".addslashes($dolibarr_main_db_user)."\" with password '".addslashes($dolibarr_main_db_pass)."'";
 dol_syslog("pgsql.lib::DDLCreateUser", LOG_DEBUG); // No sql to avoid password in log
 $resql=$this->query($sql);
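Review bot: The user name on the new `create user` line sits inside a double-quoted identifier, where PostgreSQL treats a backslash as an ordinary character and only a doubled `""` escapes a quote, so `addslashes()` leaves a `"` in `$dolibarr_main_db_user` able to close the identifier. The password literal has a similar problem when `standard_conforming_strings` is on: `\'` does not escape the quote, and a password containing a backslash is stored with extra characters, so the created account would not accept the intended password. Use `pg_escape_identifier()` for the name and `pg_escape_string()` for the password (both take the connection), or double the respective quote character by hand on PHP versions that lack `pg_escape_identifier()`. The function body continues past the end of the hunk.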