From 57a81bbed0b18e4d475327ddad2e9239e16709d1 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 24 Jan 2026 12:52:12 +0000
Subject: [PATCH] Use pg_escape_string for connection

Co-authored-by: LeOSW42 <673670+LeOSW42@users.noreply.github.com>
---
 includes/database.php | 15 ++++-----------
 1 file changed, 4 insertions(+), 11 deletions(-)

diff --git a/includes/database.php b/includes/database.php
index 4d41bdf..738eca9 100644
--- a/includes/database.php
+++ b/includes/database.php
@@ -2,20 +2,13 @@
 namespace Kabano;
-function sql_escape_connection_value($value) {
- $value = (string)$value;
- $value = str_replace("\0", '', $value);
- $value = str_replace(['\\', "'", '"'], ['\\\\', "\\'", '\\"'], $value);
- return "'".$value."'";
-}
-
 function sql_connect() {
 global $config;
- $connection = "host=".sql_escape_connection_value($config['SQL_host'])
- ." dbname=".sql_escape_connection_value($config['SQL_db'])
- ." user=".sql_escape_connection_value($config['SQL_user'])
- ." password=".sql_escape_connection_value($config['SQL_pass']);
+ $connection = "host='".pg_escape_string((string)$config['SQL_host'])."'"
+ ." dbname='".pg_escape_string((string)$config['SQL_db'])."'"
+ ." user='".pg_escape_string((string)$config['SQL_user'])."'"
+ ." password='".pg_escape_string((string)$config['SQL_pass'])."'";
 $con = pg_connect($connection);
 if (!$con) {
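Review bot: `pg_escape_string()` escapes for SQL string literals, not for libpq connection strings, so the four new `$connection` lines quote their values by the wrong rules. Inside a quoted conninfo value the escapes are `\'` and `\\`, whereas `pg_escape_string()` doubles single quotes and, with standard-conforming strings, leaves backslashes untouched. A password containing `'` will therefore fail to parse, and a value ending in `\` consumes the closing quote so the rest of the string is read as part of that value. The removed `sql_escape_connection_value()` followed the conninfo rules; I would keep a small helper that returns `"'".addcslashes((string)$value, "\\'")."'"` and use it for all four values. The new call also runs before any connection exists, and the one-argument form that relies on a default connection is, as far as I know, deprecated since PHP 8.1; `sql_connect()` continues past the end of the hunk.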