From 4a89eb77c1732a49075d4f3f6a46ddaad10eef70 Mon Sep 17 00:00:00 2001
From: Brice Maron
Date: Fri, 4 May 2012 22:54:55 +0000
Subject: [PATCH] Escape strings for DB and User creation at setup. Fix oc-124
---
 lib/setup.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/lib/setup.php b/lib/setup.php
index 3dca3c50918..24d05592377 100644
--- a/lib/setup.php
+++ b/lib/setup.php
@@ -271,19 +271,23 @@ class OC_Setup {
 public static function pg_createDatabase($name,$user,$connection) {
 //we cant use OC_BD functions here because we need to connect as the administrative user.
- $query = "CREATE DATABASE $name OWNER $user";
+ $e_name = pg_escape_string($name);
+ $e_user = pg_escape_string($user);
+ $query = "CREATE DATABASE \"$e_name\" OWNER \"$e_user\"";
 $result = pg_query($connection, $query);
 if(!$result) {
 $entry='DB Error: "'.pg_last_error($connection).'"
';
 $entry.='Offending command was: '.$query.'
';
 echo($entry);
 }
- $query = "REVOKE ALL PRIVILEGES ON DATABASE $name FROM PUBLIC";
+ $query = "REVOKE ALL PRIVILEGES ON DATABASE \"$e_name\" FROM PUBLIC";
 $result = pg_query($connection, $query);
 }
 private static function pg_createDBUser($name,$password,$connection) {
- $query = "CREATE USER $name CREATEDB PASSWORD '$password';";
+ $e_name = pg_escape_string($name);
+ $e_password = pg_escape_string($password);
+ $query = "CREATE USER \"$e_name\" CREATEDB PASSWORD '$e_password';";
 $result = pg_query($connection, $query);
 if(!$result) {
 $entry='DB Error: "'.pg_last_error($connection).'"
';
-- 
2.39.5
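Review bot: The database, owner and role names are now wrapped in double quotes, but `pg_escape_string()` escapes only for single-quoted string literals and leaves an embedded `"` untouched, so a name containing a double quote still ends the quoted identifier in both `pg_createDatabase` and `pg_createDBUser`. Identifiers need identifier escaping, for example `$e_name = pg_escape_identifier($connection, $name);`, which returns the value already quoted so the query becomes `"CREATE DATABASE $e_name OWNER $e_user"`; on PHP versions without that function, double each `"` by hand before quoting. The new calls also omit the `$connection` that is in scope, so escaping runs against the default connection instead of explicitly against the one the query is sent on; passing it keeps the escaping tied to that connection's encoding. Quoting makes the names case-sensitive as well, so any statement outside this hunk that refers to them unquoted should be checked. The body of `pg_createDBUser` continues past the end of the hunk, so its error path is not reviewed here.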