GHSA-gc9w-cc93-rjv8: Froxlor has a PHP Code Injection via Unescaped Single Quotes in userdata.inc.php Generation (MysqlServer API)

PhpHelper::parseArrayToString() writes string values into single-quoted PHP string literals without escaping single quotes. When an admin with change_serversettings permission adds or updates a MySQL server via the API, the privileged_user parameter (which has no input validation) is written unescaped into lib/userdata.inc.php. Since this file is required on every request via Database::getDB(), an attacker can inject arbitrary PHP code that executes as the web server user on every subsequent page load.