mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Replace usage of "addslashes" with pg_escape_identifier and pg_escape_literal 

Signed-off-by: Tianon Gravi <admwiggin@gmail.com>
This commit is contained in:
Tianon Gravi 2019-08-09 16:56:56 -07:00
parent cb83d0646a
commit 58e6cfa712
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
lib/private/Setup/PostgreSQL.php
View File

@ -104,7 +104,7 @@ class PostgreSQL extends AbstractDatabase {
private function createDatabase(IDBConnection $connection) {
if (!$this->databaseExists($connection)) {
//The database does not exists... let's create it
$query = $connection->prepare("CREATE DATABASE " . addslashes($this->dbName) . " OWNER " . addslashes($this->dbUser));
$query = $connection->prepare('CREATE DATABASE ' . pg_escape_identifier($this->dbName) . ' OWNER ' . pg_escape_identifier($this->dbUser));
try {
$query->execute();
} catch (DatabaseException $e) {
@ -112,7 +112,7 @@ class PostgreSQL extends AbstractDatabase {
$this->logger->logException($e);
}
} else {
$query = $connection->prepare("REVOKE ALL PRIVILEGES ON DATABASE " . addslashes($this->dbName) . " FROM PUBLIC");
$query = $connection->prepare('REVOKE ALL PRIVILEGES ON DATABASE ' . pg_escape_identifier($this->dbName) . ' FROM PUBLIC');
try {
$query->execute();
} catch (DatabaseException $e) {
@ -152,10 +152,10 @@ class PostgreSQL extends AbstractDatabase {
}
// create the user
$query = $connection->prepare("CREATE USER " . addslashes($this->dbUser) . " CREATEDB PASSWORD '" . addslashes($this->dbPassword) . "'");
$query = $connection->prepare('CREATE USER ' . pg_escape_identifier($this->dbUser) . ' CREATEDB PASSWORD ' . pg_escape_literal($this->dbPassword));
$query->execute();
if ($this->databaseExists($connection)) {
$query = $connection->prepare('GRANT CONNECT ON DATABASE ' . addslashes($this->dbName) . ' TO '.addslashes($this->dbUser));
$query = $connection->prepare('GRANT CONNECT ON DATABASE ' . pg_escape_identifier($this->dbName) . ' TO ' . pg_escape_identifier($this->dbUser));
$query->execute();
}
} catch (DatabaseException $e) {