From 25b93343baeaf8ad018dcd87b094e47a5c6a3e0a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fr=C3=A9d=C3=A9ric=20Guillot?=
Date: Fri, 30 Jun 2023 21:08:11 -0700
Subject: [PATCH] Avoid potential SQL injections without breaking compatibility with plugins

---
 libs/picodb/lib/PicoDb/Database.php | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libs/picodb/lib/PicoDb/Database.php b/libs/picodb/lib/PicoDb/Database.php
index 22c9d2fb6..df017ed82 100644
--- a/libs/picodb/lib/PicoDb/Database.php
+++ b/libs/picodb/lib/PicoDb/Database.php
@@ -5,6 +5,7 @@ namespace PicoDb;
 use Closure;
 use PDOException;
 use LogicException;
+use PicoDb\SQLException;
 use PicoDb\Driver\Mssql;
 use PicoDb\Driver\Sqlite;
 use PicoDb\Driver\Mysql;
@@ -215,6 +216,11 @@ class Database
 return $value;
 }
 
+ // Avoid potential SQL injection
+ if (preg_match('/^[a-z0-9_]+$/', $value) === 0) {
+ throw new SQLException('Invalid identifier: '.$value);
+ }
+
 if (! empty($table)) {
 return $this->driver->escape($table).'.'.$this->driver->escape($value);
 }
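Review bot: The added guard passes the value through on a PCRE failure, because `preg_match()` returns `false` in that case and `false === 0` is not true; compare against the success value instead, `if (preg_match('/^[a-z0-9_]+$/D', $value) !== 1) {`. The `D` modifier is worth adding at the same time: without it `$` also matches before a trailing newline, so an identifier such as `"name\n"` gets past the check. The character class is lower-case only, so any plugin that uses mixed-case table or column names will now throw here, which seems at odds with the compatibility goal in the subject — either add the `i` modifier or document the restriction on the method. The enclosing method starts before the hunk, and the `return $value;` at the top of the context suggests some inputs bypass this check on an earlier path that is not visible here. Since the message interpolates the rejected value, make sure this exception is not rendered to end users without escaping.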