From f744aaaed10d3e26a0468ecb08e623d46082e3fb Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 24 Jan 2026 12:49:21 +0000
Subject: [PATCH] Harden database helper

Co-authored-by: LeOSW42 <673670+LeOSW42@users.noreply.github.com>
---
 includes/database.php | 22 +++++++++++++++++++---
 models/d.locales.php | 2 +-
 2 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/includes/database.php b/includes/database.php
index a34407f..6824bca 100644
--- a/includes/database.php
+++ b/includes/database.php
@@ -2,12 +2,28 @@
 namespace Kabano;
+function sql_escape_connection_value($value) {
+ $value = (string)$value;
+ $value = str_replace(['\\', "'"], ['\\\\', "\\'"], $value);
+ return "'".$value."'";
+}
+
 function sql_connect() {
 global $config;
- return pg_connect(
- "host=".$config['SQL_host']." dbname=".$config['SQL_db']." user=".$config['SQL_user']." password=".$config['SQL_pass']
- ) or die ("Could not connect to server\n");
+ $connection = "host=".sql_escape_connection_value($config['SQL_host']) ." dbname=".sql_escape_connection_value($config['SQL_db']) ." user=".sql_escape_connection_value($config['SQL_user']) ." password=".sql_escape_connection_value($config['SQL_pass']);
+ $con = @pg_connect($connection);
+ if (!$con) {
+ $error = error_get_last();
+ $message = $error && isset($error['message']) ? $error['message'] : "unknown error";
+ die("Could not connect to server: ".$message."\n");
+ }
+
+ return $con;
 }
 ?>
diff --git a/models/d.locales.php b/models/d.locales.php
index f908a1c..546d635 100755
--- a/models/d.locales.php
+++ b/models/d.locales.php
@@ -1,4 +1,4 @@
-
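Review bot: The failure branch of sql_connect() now passes the raw pg_connect() diagnostic from error_get_last() into `die()`, whereas the removed code emitted only a fixed string; libpq's connection errors routinely name the host, user and database that were tried, and if this helper runs inside a web request (the includes/ and models/ layout suggests it does) that text is returned to the client. Keep the detail server-side and send the generic message back: `error_log("pg_connect failed: ".$message);` followed by `die("Could not connect to server\n");`. It is also worth a short comment that error_get_last() is only meaningful here because `@` still records the suppressed warning and nothing else raises an error between pg_connect() and the check, e.g. `// @ records the warning without printing it; read it back for the log`. The quoting in sql_escape_connection_value() matches libpq's single-quoted conninfo syntax (backslash and quote escaped with a backslash), so the escaping itself looks right.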