From cb3fb7346c5208272daab496a9c94c050f947a2c Mon Sep 17 00:00:00 2001
From: soleuu
Date: Fri, 27 Sep 2019 15:11:36 +0000
Subject: [PATCH] escape schema/table/view identifier
---
 display.php | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/display.php b/display.php
index 588b3100..52c8240d 100644
--- a/display.php
+++ b/display.php
@@ -529,11 +529,11 @@
 if (isset($_REQUEST['query'])) {
 $query = $_REQUEST['query'];
 } else {
- $query = "SELECT * FROM {$_REQUEST['schema']}";
+ $query = "SELECT * FROM ".pg_escape_identifier($_REQUEST['schema']);
 if ($_REQUEST['subject'] == 'view') {
- $query = "{$query}.{$_REQUEST['view']};";
+ $query = "{$query}.".pg_escape_identifier($_REQUEST['view']).";";
 } else {
- $query = "{$query}.{$_REQUEST['table']};";
+ $query = "{$query}.".pg_escape_identifier($_REQUEST['table']).";";
 }
 }
 //$query = isset($_REQUEST['query'])? $_REQUEST['query'] : "select * from {$_REQUEST['schema']}.{$_REQUEST['table']};";
--
2.39.5
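Review bot: The three new `pg_escape_identifier()` calls pass only the string, so they depend on PHP's implicit default PostgreSQL connection, and their result is concatenated into the statement unchecked. The function returns `false` when no usable link is available (and the one-argument form is deprecated as of PHP 8.1), in which case the statement degrades to `SELECT * FROM .;` instead of a quoted name. Passing the handle explicitly and testing the result would close that gap, e.g. `$schema = pg_escape_identifier($conn, $_REQUEST['schema']);` followed by `if ($schema === false) { /* reject the request */ }`, where `$conn` is a placeholder for the connection resource, which this page does not show. The `query` branch above still takes request-supplied SQL verbatim, which looks intentional for this tool, so the escaping only protects the generated statement. The enclosing block opens and closes outside the hunk.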