[5.3] Consistent Database Name Validation (#44623)

Author: brianteeman

administrator/components/com_config/src/Model/ApplicationModel.php

@@ -299,6 +299,19 @@ public function save($data)
             'prefix'   => $data['dbprefix'],
         ];
 
+        // Validate database name
+        if (\in_array($options['driver'], ['pgsql', 'postgresql']) && !preg_match('#^[a-zA-Z_][0-9a-zA-Z_$]*$#', $options['database'])) {
+            $app->enqueueMessage(Text::_('COM_CONFIG_FIELD_DATABASE_NAME_INVALID_MSG_POSTGRES'), 'warning');
+
+            return false;
+        }
+
+        if (\in_array($options['driver'], ['mysql', 'mysqli']) && preg_match('#[\\\\\/]#', $options['database'])) {
+            $app->enqueueMessage(Text::_('COM_CONFIG_FIELD_DATABASE_NAME_INVALID_MSG_MYSQL'), 'warning');
+
+            return false;
+        }
+
         if ((int) $data['dbencryption'] !== 0) {
             $options['ssl'] = [
                 'enable'             => true,

administrator/language/en-GB/com_config.ini

@@ -55,6 +55,8 @@ COM_CONFIG_FIELD_DATABASE_ENCRYPTION_MODE_VALUE_ONE_WAY="One-way authentication"
 COM_CONFIG_FIELD_DATABASE_ENCRYPTION_MODE_VALUE_TWO_WAY="Two-way authentication"
 COM_CONFIG_FIELD_DATABASE_ENCRYPTION_VERIFY_SERVER_CERT_LABEL="Verify Server Certificate"
 COM_CONFIG_FIELD_DATABASE_HOST_LABEL="Host"
+COM_CONFIG_FIELD_DATABASE_NAME_INVALID_MSG_MYSQL="The database name is invalid. It must not contain the following characters: \ /"
+COM_CONFIG_FIELD_DATABASE_NAME_INVALID_MSG_POSTGRES="The database name is invalid. It must start with a letter, followed by alphanumeric characters."
 COM_CONFIG_FIELD_DATABASE_NAME_LABEL="Database Name"
 COM_CONFIG_FIELD_DATABASE_PASSWORD_DESC="Do not edit this field unless absolutely necessary (eg after the transfer of the database to a new hosting provider)."
 COM_CONFIG_FIELD_DATABASE_PASSWORD_LABEL="Database Password"