Escape pg connection string on setup
authorBrice Maron <brice@bmaron.net>
Tue, 3 Jul 2012 07:20:42 +0000 (09:20 +0200)
committerBrice Maron <brice@bmaron.net>
Tue, 3 Jul 2012 07:20:42 +0000 (09:20 +0200)
lib/setup.php

index 5387a0ef493e8ea0003c53e7623a1b2cb9e7261c..bad0f5301c79dad11e7ddcf71ff0eb4a8fc344e1 100644 (file)
@@ -155,8 +155,11 @@ class OC_Setup {
                                OC_CONFIG::setValue('dbhost', $dbhost);
                                OC_CONFIG::setValue('dbtableprefix', $dbtableprefix);
 
+                               $e_host = addslashes($dbhost);
+                               $e_user = addslashes($dbuser);
+                               $e_password = addslashes($dbpass);
                                //check if the database user has admin right
-                               $connection_string = "host=$dbhost dbname=postgres user=$dbuser password=$dbpass";
+                               $connection_string = "host='$e_host' dbname=postgres user='$e_user' password='$e_password'";
                                $connection = @pg_connect($connection_string);
                                if(!$connection) {
                                        $error[] = array(
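Review bot: The use of `addslashes()` for `$e_host`, `$e_user` and `$e_password` is undocumented, and a later maintainer could easily swap it for `pg_escape_string()`, which would be wrong in this context. A single-quoted libpq connection-string value expects `'` and `\` to be backslash-escaped, which is what `addslashes()` produces, whereas SQL-style quote doubling is not understood there. I would add a comment above the three assignments, for example `// libpq conninfo quoting: single-quoted value, ' and \ backslash-escaped (this is not SQL escaping)`. The same escape-and-build sequence is repeated in the third hunk, where `$e_dbname` is added, so a small private helper that takes host, dbname, user and password would keep the two call sites from drifting apart. The enclosing method starts and ends outside this hunk.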
@@ -166,8 +169,9 @@ class OC_Setup {
                                        return $error;
                                }
                                else {
+                                       $e_user = pg_escape_string($dbuser);
                                        //check for roles creation rights in postgresql
-                                       $query="SELECT 1 FROM pg_roles WHERE rolcreaterole=TRUE AND rolname='$dbuser'";
+                                       $query="SELECT 1 FROM pg_roles WHERE rolcreaterole=TRUE AND rolname='$e_user'";
                                        $result = pg_query($connection, $query);
                                        if($result and pg_num_rows($result) > 0) {
                                                //use the admin login data for the new database user
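Review bot: `$e_user = pg_escape_string($dbuser);` reuses the name that held the conninfo-escaped value in the previous hunk, so one variable now carries two different escapings depending on where it is read. It also calls `pg_escape_string()` without the connection, so it relies on PHP's implicit default connection rather than on `$connection`. Binding the value as a parameter avoids both: `$result = pg_query_params($connection, 'SELECT 1 FROM pg_roles WHERE rolcreaterole=TRUE AND rolname=$1', array($dbuser));`. If string building is kept, `pg_escape_string($connection, $dbuser)` assigned to a distinct name such as `$sql_user` would be clearer. The rest of this `else` branch is outside the hunk, so any later statements there that interpolate `$dbuser` or related values into SQL would need the same check.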
@@ -199,7 +203,13 @@ class OC_Setup {
                                        // connect to the ownCloud database (dbname=$dbname) an check if it needs to be filled
                                        $dbuser = OC_CONFIG::getValue('dbuser');
                                        $dbpass = OC_CONFIG::getValue('dbpassword');
-                                       $connection_string = "host=$dbhost dbname=$dbname user=$dbuser password=$dbpass";
+
+                                       $e_host = addslashes($dbhost);
+                                       $e_dbname = addslashes($dbname);
+                                       $e_user = addslashes($dbuser);
+                                       $e_password = addslashes($dbpass);
+
+                                       $connection_string = "host='$e_host' dbname='$e_dbname' user='$e_user' password='$e_password'";
                                        $connection = @pg_connect($connection_string);
                                        if(!$connection) {
                                                $error[] = array(