From 58e6cfa712d76156bd34fe60036343ba9e6598d5 Mon Sep 17 00:00:00 2001
From: Tianon Gravi
Date: Fri, 9 Aug 2019 16:56:56 -0700
Subject: [PATCH] Replace usage of "addslashes" with pg_escape_identifier and pg_escape_literal

Signed-off-by: Tianon Gravi
---
 lib/private/Setup/PostgreSQL.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/lib/private/Setup/PostgreSQL.php b/lib/private/Setup/PostgreSQL.php
index 6d1b5ca292..1de6863393 100644
--- a/lib/private/Setup/PostgreSQL.php
+++ b/lib/private/Setup/PostgreSQL.php
@@ -104,7 +104,7 @@ class PostgreSQL extends AbstractDatabase {
 private function createDatabase(IDBConnection $connection) {
 if (!$this->databaseExists($connection)) {
 //The database does not exists... let's create it
- $query = $connection->prepare("CREATE DATABASE " . addslashes($this->dbName) . " OWNER " . addslashes($this->dbUser));
+ $query = $connection->prepare('CREATE DATABASE ' . pg_escape_identifier($this->dbName) . ' OWNER ' . pg_escape_identifier($this->dbUser));
 try {
 $query->execute();
 } catch (DatabaseException $e) {
@@ -112,7 +112,7 @@ class PostgreSQL extends AbstractDatabase {
 $this->logger->logException($e);
 }
 } else {
- $query = $connection->prepare("REVOKE ALL PRIVILEGES ON DATABASE " . addslashes($this->dbName) . " FROM PUBLIC");
+ $query = $connection->prepare('REVOKE ALL PRIVILEGES ON DATABASE ' . pg_escape_identifier($this->dbName) . ' FROM PUBLIC');
 try {
 $query->execute();
 } catch (DatabaseException $e) {
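Review bot: The new `pg_escape_identifier($this->dbName)` / `pg_escape_identifier($this->dbUser)` calls on the added CREATE DATABASE line pass no connection argument, so they rely on a default link opened via `pg_connect()` from the `pgsql` extension; nothing in this hunk opens one, and the `IDBConnection` / `DatabaseException` types suggest the statement runs through Nextcloud's DBAL/PDO connection, which does not provide such a link. With no default link these functions do not yield an escaped identifier (as I recall, PHP 7 returns `false` with a warning and PHP 8.1+ throws), so the statement text degrades to `CREATE DATABASE  OWNER ` and only the logged exception in the catch below would reveal it — the hardening silently becomes "database never created". Quoting through the connection that actually executes the statement removes the dependency, e.g. `$connection->getDatabasePlatform()->quoteSingleIdentifier($this->dbName)` if this IDBConnection exposes the Doctrine platform (to be confirmed), and the same applies to the REVOKE line in the next hunk. Note also that double-quoting makes a mixed-case `dbName` case-sensitive where the unquoted form was folded to lowercase, so `databaseExists()` (not in this hunk) must compare the name the same way. `createDatabase()` continues past the end of this hunk.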
@@ -152,10 +152,10 @@ class PostgreSQL extends AbstractDatabase {
 }
 // create the user
- $query = $connection->prepare("CREATE USER " . addslashes($this->dbUser) . " CREATEDB PASSWORD '" . addslashes($this->dbPassword) . "'");
+ $query = $connection->prepare('CREATE USER ' . pg_escape_identifier($this->dbUser) . ' CREATEDB PASSWORD ' . pg_escape_literal($this->dbPassword));
 $query->execute();
 if ($this->databaseExists($connection)) {
- $query = $connection->prepare('GRANT CONNECT ON DATABASE ' . addslashes($this->dbName) . ' TO '.addslashes($this->dbUser));
+ $query = $connection->prepare('GRANT CONNECT ON DATABASE ' . pg_escape_identifier($this->dbName) . ' TO ' . pg_escape_identifier($this->dbUser));
 $query->execute();
 }
 } catch (DatabaseException $e) {
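Review bot: `pg_escape_literal($this->dbPassword)` on the new CREATE USER line has the same implicit dependency on a default `pg_connect()` link as the identifier calls, and nothing visible opens one for this `IDBConnection`; without that link the password is not quoted at all and the statement ends in a bare `PASSWORD ` token, so user creation fails (on PHP 7, as I recall, with only a warning rather than an exception). A password cannot be bound as a parameter in a utility statement, so escaping is the right approach, but it should come from the executing connection, e.g. `$connection->quote($this->dbPassword)` for the literal and `$connection->getDatabasePlatform()->quoteSingleIdentifier($this->dbUser)` for the role name, assuming this IDBConnection is the DBAL wrapper that offers those methods (to be confirmed). Because the password sits verbatim in the statement text, the `DatabaseException` caught below should not be logged with its SQL if the driver exception message embeds it, as Doctrine's does; that catch and the enclosing function both extend outside the hunk.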