Fix SQL injection in pg_insert_id()

Properly escape the $tablename and $fieldname parameters used to build the sequence name.
author: Damien Regad <dregad@mantisbt.org> 2025-04-26 17:45:53 +0200
committer: Damien Regad <dregad@mantisbt.org> 2025-05-01 13:26:14 +0200
commit: 11107d6d6e5160b62e05dff8a3a2678cf0e3a426 (patch)
tree: d12d2481d167bd8c03e27275225e243bc4fd7e02 /drivers
parent: 8659a3e34b5b144a54c24827e94e94f1ccf9492c (diff)
download: adodb-11107d6d6e5160b62e05dff8a3a2678cf0e3a426.tar.gz
adodb-11107d6d6e5160b62e05dff8a3a2678cf0e3a426.tar.bz2
adodb-11107d6d6e5160b62e05dff8a3a2678cf0e3a426.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/adodb-postgres64.inc.php b/drivers/adodb-postgres64.inc.php
index b1d161d7..5cbe77ed 100644
--- a/drivers/adodb-postgres64.inc.php
+++ b/drivers/adodb-postgres64.inc.php
@@ -138,7 +138,8 @@ class ADODB_postgres64 extends ADOConnection{
 	// get the last id - never tested
 	function pg_insert_id($tablename,$fieldname)
 	{
-		$result=pg_query($this->_connectionID, 'SELECT last_value FROM '. $tablename .'_'. $fieldname .'_seq');
+		$sequence = pg_escape_identifier($this->_connectionID, $tablename .'_'. $fieldname .'_seq');
+		$result = pg_query($this->_connectionID, 'SELECT last_value FROM '. $sequence);
 		if ($result) {
 			$arr = @pg_fetch_row($result,0);
 			pg_free_result($result);
author	Damien Regad <dregad@mantisbt.org>	2025-04-26 17:45:53 +0200
committer	Damien Regad <dregad@mantisbt.org>	2025-05-01 13:26:14 +0200
commit	11107d6d6e5160b62e05dff8a3a2678cf0e3a426 (patch)
tree	d12d2481d167bd8c03e27275225e243bc4fd7e02 /drivers
parent	8659a3e34b5b144a54c24827e94e94f1ccf9492c (diff)
download	adodb-11107d6d6e5160b62e05dff8a3a2678cf0e3a426.tar.gz adodb-11107d6d6e5160b62e05dff8a3a2678cf0e3a426.tar.bz2 adodb-11107d6d6e5160b62e05dff8a3a2678cf0e3a426.zip