Thanks to Patrick‘s mail I finally fixed a SQL injection security bug in our mirror status page. I was actually able to create and drop tables, but it seems nobody looks much at that page because it is at least online for two years and it has never been compromised (as far as we know). The php code was actually fixed with Gunnar‘s help.