From 92555ea2bfacb6ca1e948c5ea3aef837ebf298ec Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 24 Jan 2026 12:48:16 +0000 Subject: [PATCH 2/8] Centralize SQL connections Co-authored-by: LeOSW42 <673670+LeOSW42@users.noreply.github.com> --- includes/database.php | 13 +++++++++++++ models/d.blog.php | 27 ++++++++++----------------- models/d.comments.php | 18 +++++++----------- models/d.locales.php | 12 ++++++------ models/d.poi.php | 24 +++++++++--------------- models/d.users.php | 33 ++++++++++++--------------------- models/d.wiki.php | 21 ++++++++------------- 7 files changed, 65 insertions(+), 83 deletions(-) create mode 100644 includes/database.php diff --git a/includes/database.php b/includes/database.php new file mode 100644 index 0000000..a34407f --- /dev/null +++ b/includes/database.php @@ -0,0 +1,13 @@ + diff --git a/models/d.blog.php b/models/d.blog.php index 3012025..8cd852f 100755 --- a/models/d.blog.php +++ b/models/d.blog.php @@ -11,6 +11,7 @@ namespace Kabano; **********************************************************/ require_once($config['third_folder']."Md/MarkdownExtra.inc.php"); +require_once($config['includes_folder']."database.php"); class BlogArticle { @@ -39,8 +40,7 @@ class BlogArticle public function checkPermalink($permalink, $withArchive=0, $elementNb=0) { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT content_versions.id AS version_id, * FROM contents INNER JOIN content_locales ON contents.id = content_locales.content_id INNER JOIN content_versions ON content_locales.id = content_versions.locale_id WHERE permalink=$1 AND type='blog'"; if($withArchive==0) { 
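Review bot: `$con = sql_connect();` assumes the helper returns the connection, but the helper this commit adds (its body is visible as the removed lines of the following commit) is written `return pg_connect(...) or die(...)`, so the returned value is the boolean result of `or` — `true` — and the later `pg_query($con, ...)` calls in this and the other model files fail (a TypeError on PHP 8). The following commit assigns the result first, which fixes the return; what remains is that the helper still calls `die()`, so no model method can handle a failed connection itself. `global $config;` stays in the method although only `sql_connect()` reads it now — it is probably removable unless the rest of checkPermalink, which continues past the hunk, uses it.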
@@ -100,8 +100,7 @@ class BlogArticle $this->version++; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); pg_query($con, "BEGIN"); @@ -155,8 +154,7 @@ class BlogArticle global $config; global $user; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "UPDATE contents SET is_public=FALSE WHERE permalink=$1 AND type='blog'"; @@ -180,8 +178,7 @@ class BlogArticle global $config; global $user; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "UPDATE contents SET is_public=TRUE WHERE permalink=$1 AND type='blog'"; @@ -205,8 +202,7 @@ class BlogArticle global $config; global $user; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); pg_query($con, "BEGIN"); @@ -296,8 +292,7 @@ class BlogArticles public function listArticles($first, $count, $archive=0) { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT content_versions.id AS version_id, * FROM contents INNER JOIN content_locales ON contents.id = content_locales.content_id INNER JOIN content_versions ON content_locales.id = content_versions.locale_id WHERE is_archive=FALSE "; if ($archive != 1) 
@@ -325,8 +320,7 @@ class BlogArticles public function number($archive=0) { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT content_versions.id AS version_id, * FROM contents INNER JOIN content_locales ON contents.id = content_locales.content_id INNER JOIN content_versions ON content_locales.id = content_versions.locale_id WHERE is_archive=FALSE "; if ($archive == 1) @@ -349,8 +343,7 @@ class BlogArticles public function getHistory($url) { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT content_versions.id AS version_id, * FROM contents INNER JOIN content_locales ON contents.id = content_locales.content_id INNER JOIN content_versions ON content_locales.id = content_versions.locale_id WHERE permalink=$1 AND type='blog' ORDER BY update_date DESC"; @@ -371,4 +364,4 @@ class BlogArticles } } -?> \ No newline at end of file +?> diff --git a/models/d.comments.php b/models/d.comments.php index 4130b42..6d78292 100644 --- a/models/d.comments.php +++ b/models/d.comments.php @@ -11,6 +11,7 @@ namespace Kabano; **********************************************************/ require_once($config['third_folder']."Md/MarkdownExtra.inc.php"); +require_once($config['includes_folder']."database.php"); class Comment { @@ -34,8 +35,7 @@ class Comment public function checkID($id) { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT * FROM content_comments WHERE id=$1"; 
@@ -78,8 +78,7 @@ class Comment public function insert() { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "INSERT INTO content_comments (version, creation_date, update_date, author, is_public, is_archive, content, comment, locale) VALUES ('0', $1, $2, $3, TRUE, FALSE, $4, $5, $6) RETURNING id"; @@ -101,8 +100,7 @@ class Comment global $config; global $user; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "UPDATE content_comments SET is_public = FALSE WHERE id = $1"; @@ -126,8 +124,7 @@ class Comment global $config; global $user; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "UPDATE content_comments SET is_public = TRUE WHERE id = $1"; @@ -180,8 +177,7 @@ class Comments public function listComments($id, $archive=0) { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT * FROM content_comments WHERE content = $1 "; if ($archive == 0) @@ -205,4 +201,4 @@ class Comments } } -?> \ No newline at end of file +?> diff --git a/models/d.locales.php b/models/d.locales.php index 66840bd..f908a1c 100755 --- a/models/d.locales.php +++ b/models/d.locales.php @@ -1,5 +1,5 @@ \ No newline at end of file +?> diff --git a/models/d.poi.php b/models/d.poi.php index 4986020..4888b66 100755 --- a/models/d.poi.php +++ b/models/d.poi.php 
@@ -12,6 +12,7 @@ namespace Kabano; require_once($config['third_folder']."Md/MarkdownExtra.inc.php"); require_once($config['includes_folder']."poi_types.struct.php"); +require_once($config['includes_folder']."database.php"); class Poi { @@ -46,8 +47,7 @@ class Poi public function checkPermalink($permalink, $withArchive=0, $elementNb=0) { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT content_versions.id AS version_id, @@ -148,8 +148,7 @@ class Poi global $config; global $user; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); pg_query($con, "BEGIN"); @@ -222,8 +221,7 @@ class Poi $this->version++; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); pg_query($con, "BEGIN"); @@ -278,8 +276,7 @@ class Poi global $config; global $user; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "UPDATE contents SET is_public = FALSE WHERE id = $1"; @@ -302,8 +299,7 @@ class Poi global $config; global $user; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "UPDATE contents SET is_public = TRUE WHERE id = $1"; 
@@ -328,8 +324,7 @@ class Pois public function listPois($archive=0) { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT content_versions.id AS version_id, @@ -392,8 +387,7 @@ class Pois public function getHistory($permalink) { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT content_versions.id AS version_id, @@ -454,4 +448,4 @@ class Pois } } -?> \ No newline at end of file +?> diff --git a/models/d.users.php b/models/d.users.php index d75f61a..8a1361e 100755 --- a/models/d.users.php +++ b/models/d.users.php @@ -11,6 +11,7 @@ namespace Kabano; **********************************************************/ require_once($config['models_folder']."d.locales.php"); +require_once($config['includes_folder']."database.php"); // This array is related to the defined SQL enum, do not touch. $ranks = array( @@ -51,8 +52,7 @@ class User public function checkID($id) { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT * FROM users WHERE id=$1"; @@ -79,8 +79,7 @@ class User public function login($login, $pass) { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT * FROM users WHERE name=$1 AND password=$2"; 
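Review bot: The login query `SELECT * FROM users WHERE name=$1 AND password=$2` authenticates by SQL equality on the stored password value, and the reset path in the later hunk stores `sha1($newPass)`, so the comparison appears to be against an unsalted SHA-1 hash. This should move to `password_hash()`/`password_verify()`: select the row by name only, verify the hash in PHP, and re-hash on success when `password_needs_rehash()` says so. `login`'s body continues outside the hunk, so how `$pass` is prepared before it is bound is not visible here, and the reset path must change in the same step or logins break. `global $config;` is kept although only `sql_connect()` reads it now; it is likely removable if nothing later in the method uses it.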
@@ -154,8 +153,7 @@ class User public function availableName() { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT * FROM users WHERE lower(name)=$1"; @@ -184,8 +182,7 @@ class User public function availableMail() { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT * FROM users WHERE lower(email)=$1"; @@ -222,8 +219,7 @@ class User $this->locale = "fr_FR"; $this->timezone = "Europe/Paris"; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "INSERT INTO users (name, version, email, password, website, is_avatar_present, is_archive, rank, locale, timezone, visit_date, register_date) VALUES ($1, '0', $2, $3, $4, FALSE, FALSE, 'registered', $5, $6, $7, $8)"; @@ -248,8 +244,7 @@ class User $this->website = "http://".$this->website; $this->version++; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); if($this->password=='') { $query = "UPDATE users SET version = $1, name = $2, is_avatar_present = $3, locale = $4, rank = $5, email = $6, website = $7, timezone = $8 WHERE id = $9"; 
@@ -283,8 +278,7 @@ class User $newPass = randomPassword(); $this->password = sha1($newPass); - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "UPDATE users SET password = $1 WHERE email = $2"; @@ -325,8 +319,7 @@ class User $this->visit_date = date('r'); - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "UPDATE users SET visit_date = $1 WHERE id = $2"; @@ -403,8 +396,7 @@ class Users public function number() { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT id FROM users"; @@ -424,8 +416,7 @@ class Users public function list_users($first, $count, $orderby = "id", $order = "ASC") { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $orders=array("id","name","lastlogin","registered","website","role"); $key=array_search($orderby,$orders); @@ -452,4 +443,4 @@ class Users } } -?> \ No newline at end of file +?> diff --git a/models/d.wiki.php b/models/d.wiki.php index 5970e23..e86c048 100755 --- a/models/d.wiki.php +++ b/models/d.wiki.php @@ -11,6 +11,7 @@ namespace Kabano; **********************************************************/ require_once($config['third_folder']."Md/MarkdownExtra.inc.php"); +require_once($config['includes_folder']."database.php"); class WikiPage { 
@@ -38,8 +39,7 @@ class WikiPage public function checkPermalink($permalink, $withArchive=0, $elementNb=0) { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT content_versions.id AS version_id, * FROM contents INNER JOIN content_locales ON contents.id = content_locales.content_id INNER JOIN content_versions ON content_locales.id = content_versions.locale_id WHERE permalink=$1 AND type='wiki'"; if($withArchive==0) { @@ -99,8 +99,7 @@ class WikiPage $this->version++; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); pg_query($con, "BEGIN"); @@ -148,8 +147,7 @@ class WikiPage global $config; global $user; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "UPDATE contents SET is_public=FALSE WHERE permalink=$1 AND type='wiki'"; @@ -173,8 +171,7 @@ class WikiPage global $config; global $user; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "UPDATE contents SET is_public=TRUE WHERE permalink=$1 AND type='wiki'"; @@ -198,8 +195,7 @@ class WikiPage global $config; global $user; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); pg_query($con, "BEGIN"); 
@@ -280,8 +276,7 @@ class WikiPages public function getHistory($url) { global $config; - $con = pg_connect("host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']) - or die ("Could not connect to server\n"); + $con = sql_connect(); $query = "SELECT content_versions.id AS version_id, * FROM contents INNER JOIN content_locales ON contents.id = content_locales.content_id INNER JOIN content_versions ON content_locales.id = content_versions.locale_id WHERE permalink=$1 AND type='wiki' ORDER BY update_date DESC"; @@ -302,4 +297,4 @@ class WikiPages } } -?> \ No newline at end of file +?> From f744aaaed10d3e26a0468ecb08e623d46082e3fb Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 24 Jan 2026 12:49:21 +0000 Subject: [PATCH 3/8] Harden database helper Co-authored-by: LeOSW42 <673670+LeOSW42@users.noreply.github.com> --- includes/database.php | 22 +++++++++++++++++++--- models/d.locales.php | 2 +- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/includes/database.php b/includes/database.php index a34407f..6824bca 100644 --- a/includes/database.php +++ b/includes/database.php 
@@ -2,12 +2,28 @@ namespace Kabano; +function sql_escape_connection_value($value) { + $value = (string)$value; + $value = str_replace(['\\', "'"], ['\\\\', "\\'"], $value); + return "'".$value."'"; +} + function sql_connect() { global $config; - return pg_connect( - "host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass'] - ) or die ("Could not connect to server\n"); + $connection = "host=".sql_escape_connection_value($config['SQL_host']) + ." dbname=".sql_escape_connection_value($config['SQL_db']) + ." user=".sql_escape_connection_value($config['SQL_user']) + ." password=".sql_escape_connection_value($config['SQL_pass']); + + $con = @pg_connect($connection); + if (!$con) { + $error = error_get_last(); + $message = $error && isset($error['message']) ? $error['message'] : "unknown error"; + die("Could not connect to server: ".$message."\n"); + } + + return $con; } ?> diff --git a/models/d.locales.php b/models/d.locales.php index f908a1c..546d635 100755 --- a/models/d.locales.php +++ b/models/d.locales.php @@ -1,4 +1,4 @@ - Date: Sat, 24 Jan 2026 12:50:40 +0000 Subject: [PATCH 4/8] Refine SQL connection escaping Co-authored-by: LeOSW42 <673670+LeOSW42@users.noreply.github.com> --- includes/database.php | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/includes/database.php b/includes/database.php index 6824bca..4d41bdf 100644 --- a/includes/database.php +++ b/includes/database.php @@ -4,7 +4,8 @@ namespace Kabano; function sql_escape_connection_value($value) { $value = (string)$value; - $value = str_replace(['\\', "'"], ['\\\\', "\\'"], $value); + $value = str_replace("\0", '', $value); + $value = str_replace(['\\', "'", '"'], ['\\\\', "\\'", '\\"'], $value); return "'".$value."'"; } 
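Review bot: The failure branch `die("Could not connect to server: ".$message."\n")` writes the PHP/libpq error text into the HTTP response, and that text usually names the host, port, user and authentication method, so a database outage discloses infrastructure detail to every visitor. Log it server-side and fail generically — `error_log($message); die("Could not connect to server\n");` — or throw a `\RuntimeException` so the entry point, not every model path, decides how to present the failure. Note also that `error_get_last()` only sees the suppressed `@pg_connect()` warning if no custom error handler has already consumed it; if the application installs one, `$message` will read `"unknown error"`. That last point is inferred from PHP's error model, not from anything visible in this hunk.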
@@ -16,7 +17,7 @@ function sql_connect() { ." user=".sql_escape_connection_value($config['SQL_user']) ." password=".sql_escape_connection_value($config['SQL_pass']); - $con = @pg_connect($connection); + $con = pg_connect($connection); if (!$con) { $error = error_get_last(); $message = $error && isset($error['message']) ? $error['message'] : "unknown error"; From 57a81bbed0b18e4d475327ddad2e9239e16709d1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 24 Jan 2026 12:52:12 +0000 Subject: [PATCH 5/8] Use pg_escape_string for connection Co-authored-by: LeOSW42 <673670+LeOSW42@users.noreply.github.com> --- includes/database.php | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/includes/database.php b/includes/database.php index 4d41bdf..738eca9 100644 --- a/includes/database.php +++ b/includes/database.php @@ -2,20 +2,13 @@ namespace Kabano; -function sql_escape_connection_value($value) { - $value = (string)$value; - $value = str_replace("\0", '', $value); - $value = str_replace(['\\', "'", '"'], ['\\\\', "\\'", '\\"'], $value); - return "'".$value."'"; -} - function sql_connect() { global $config; - $connection = "host=".sql_escape_connection_value($config['SQL_host']) - ." dbname=".sql_escape_connection_value($config['SQL_db']) - ." user=".sql_escape_connection_value($config['SQL_user']) - ." password=".sql_escape_connection_value($config['SQL_pass']); + $connection = "host='".pg_escape_string((string)$config['SQL_host'])."'" + ." dbname='".pg_escape_string((string)$config['SQL_db'])."'" + ." user='".pg_escape_string((string)$config['SQL_user'])."'" + ." password='".pg_escape_string((string)$config['SQL_pass'])."'"; $con = pg_connect($connection); if (!$con) { From d2562a25dfc3213eaad1d902285c8ad4ca2b4a36 Mon Sep 17 00:00:00 2001 
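Review bot: `pg_escape_string()` escapes for a SQL string literal, not for a libpq connection string: it doubles a single quote to `''`, which the conninfo parser does not read as an escaped quote, and whether it escapes backslashes depends on the default connection's `standard_conforming_strings` — and no connection exists yet when `sql_connect()` runs. A conninfo value only needs to be wrapped in single quotes with `\` and `'` preceded by a backslash, e.g. `"'".addcslashes((string)$value, "\\'")."'"`, which is what the commit before this one effectively did. The same regression is reintroduced by patch 7 (`return pg_escape_string($value);`), so one fix should cover both.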
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 24 Jan 2026 12:54:31 +0000 Subject: [PATCH 6/8] Restore safe connection quoting Co-authored-by: LeOSW42 <673670+LeOSW42@users.noreply.github.com> --- includes/database.php | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/includes/database.php b/includes/database.php index 738eca9..b6a76f7 100644 --- a/includes/database.php +++ b/includes/database.php @@ -5,10 +5,10 @@ namespace Kabano; function sql_connect() { global $config; - $connection = "host='".pg_escape_string((string)$config['SQL_host'])."'" - ." dbname='".pg_escape_string((string)$config['SQL_db'])."'" - ." user='".pg_escape_string((string)$config['SQL_user'])."'" - ." password='".pg_escape_string((string)$config['SQL_pass'])."'"; + $connection = "host=".sql_escape_connection_value($config['SQL_host']) + ." dbname=".sql_escape_connection_value($config['SQL_db']) + ." user=".sql_escape_connection_value($config['SQL_user']) + ." password=".sql_escape_connection_value($config['SQL_pass']); $con = pg_connect($connection); if (!$con) { @@ -20,4 +20,11 @@ function sql_connect() { return $con; } +function sql_escape_connection_value($value) { + $value = (string)$value; + $value = str_replace("\0", '', $value); + $value = str_replace(['\\', "'"], ['\\\\', "\\'"], $value); + return "'".$value."'"; +} + ?> From e925e6424aaa7d32ed9d416e17c3a4fe16cc0ea3 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 24 Jan 2026 12:58:37 +0000 Subject: [PATCH 7/8] Refine SQL helper escaping Co-authored-by: LeOSW42 <673670+LeOSW42@users.noreply.github.com> --- includes/database.php | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/includes/database.php b/includes/database.php index b6a76f7..e8c2213 100644 --- a/includes/database.php +++ b/includes/database.php 
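Review bot: `sql_escape_connection_value` is re-added without a comment saying which quoting grammar it implements, and this series has already swapped it between conninfo and SQL-literal escaping (patch 5 used `pg_escape_string`, patch 7 returns to it), so a short header would stop the next regression: `// Quote one libpq conninfo value: wrap in single quotes; inside them only \ and ' need a backslash. This is NOT SQL-literal escaping — pg_escape_string() is wrong here.` Keep the `str_replace("\0", '', $value)` line above it, since the result is handed to C code. The function is declared after its first use in `sql_connect()`, which is fine for an unconditional top-level declaration but worth a one-line note for readers who expect definition-before-use.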
@@ -5,10 +5,10 @@ namespace Kabano; function sql_connect() { global $config; - $connection = "host=".sql_escape_connection_value($config['SQL_host']) - ." dbname=".sql_escape_connection_value($config['SQL_db']) - ." user=".sql_escape_connection_value($config['SQL_user']) - ." password=".sql_escape_connection_value($config['SQL_pass']); + $connection = "host='".sql_escape_connection_value($config['SQL_host'])."'" + ." dbname='".sql_escape_connection_value($config['SQL_db'])."'" + ." user='".sql_escape_connection_value($config['SQL_user'])."'" + ." password='".sql_escape_connection_value($config['SQL_pass'])."'"; $con = pg_connect($connection); if (!$con) { @@ -23,8 +23,5 @@ function sql_connect() { function sql_escape_connection_value($value) { $value = (string)$value; $value = str_replace("\0", '', $value); - $value = str_replace(['\\', "'"], ['\\\\', "\\'"], $value); - return "'".$value."'"; + return pg_escape_string($value); } - -?> From 6051cf57d1345e32f750b029da7a5712251d19f8 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 24 Jan 2026 13:01:39 +0000 Subject: [PATCH 8/8] Simplify database connection helper Co-authored-by: LeOSW42 <673670+LeOSW42@users.noreply.github.com> --- includes/database.php | 14 ++++---------- 1 file changed, 4 insertions(+), 10 deletions(-) diff --git a/includes/database.php b/includes/database.php index e8c2213..46f30d8 100644 --- a/includes/database.php +++ b/includes/database.php 
@@ -5,10 +5,10 @@ namespace Kabano; function sql_connect() { global $config; - $connection = "host='".sql_escape_connection_value($config['SQL_host'])."'" - ." dbname='".sql_escape_connection_value($config['SQL_db'])."'" - ." user='".sql_escape_connection_value($config['SQL_user'])."'" - ." password='".sql_escape_connection_value($config['SQL_pass'])."'"; + $connection = "host=".$config['SQL_host'] + ." dbname=".$config['SQL_db'] + ." user=".$config['SQL_user'] + ." password=".$config['SQL_pass']; $con = pg_connect($connection); if (!$con) { @@ -19,9 +19,3 @@ function sql_connect() { return $con; } - -function sql_escape_connection_value($value) { - $value = (string)$value; - $value = str_replace("\0", '', $value); - return pg_escape_string($value); -}
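Review bot: The final helper concatenates the config values unquoted, so any credential containing a space, `'` or `\` is mis-parsed by libpq: a password with a space ends the value at the space and the remainder is read as the next `keyword=value` pair, giving a connection failure that is hard to diagnose. Keep the quote-and-backslash-escape step from patch 6 — this is libpq's documented conninfo quoting, not SQL escaping, and `addcslashes()` does it in one call. Because the configuration is operator-supplied this is a robustness issue rather than an injection vector, but quoting still prevents a stray space in one value from silently turning into an extra connection parameter. The second hunk deletes the helper; the excerpt below re-adds it with the quoting restored.
```php
    global $config;

    // libpq conninfo quoting: each value in single quotes, with \ and ' backslash-escaped.
    // This is not SQL-literal escaping — pg_escape_string() would double the quote instead.
    $connection = "host=".sql_escape_connection_value($config['SQL_host'])
        ." dbname=".sql_escape_connection_value($config['SQL_db'])
        ." user=".sql_escape_connection_value($config['SQL_user'])
        ." password=".sql_escape_connection_value($config['SQL_pass']);
    // … unchanged: pg_connect($connection), failure handling, return $con and closing brace …

/**
 * Quote one value for a libpq connection string.
 * Inside single quotes libpq gives only \ and ' special meaning, so those are the
 * only characters escaped; NUL is dropped because the string is handed to C.
 */
function sql_escape_connection_value($value) {
    $value = str_replace("\0", '', (string)$value);
    return "'".addcslashes($value, "\\'")."'";
}
```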