Merge pull request #7058 from christianbeeznest/GH-3667

Install: Sanitize database name and reflect effective value in summary - refs #3667

Author: christianbeeznest

assets/vue/components/installer/Step4.vue

@@ -106,6 +106,13 @@
           for="dbNameForm"
         />
       </div>
+      <small v-if="'update' !== installerData.installType">
+        {{
+          t(
+            "Only letters, digits and underscore (_) are allowed in the database name. Invalid characters will be removed automatically.",
+          )
+        }}
+      </small>
     </div>
 
     <div
@@ -128,7 +135,7 @@
       v-if="installerData.stepData.dbExists"
       :closable="false"
       severity="warn"
-      style="margin-bottom: 8px;"
+      style="margin-bottom: 8px"
     >
       <span v-html="t('A database with the same name already exists. It will be deleted.')" />
     </Message>
@@ -230,8 +237,10 @@ const { t } = useI18n()
 
 const installerData = inject("installerData")
 
-// Database Name fix replace weird chars
-if ("update" !== installerData.value.installType) {
-  installerData.value.dbNameForm = installerData.value.dbNameForm.replace(/[-*$ .]/g, "")
+// Normalize database name on the client so it matches backend sanitization.
+// We only allow letters, digits and underscore. Other characters are stripped.
+if (installerData.value.installType !== "update") {
+  const rawName = installerData.value.stepData?.dbNameForm || ""
+  installerData.value.stepData.dbNameForm = rawName.replace(/[^a-zA-Z0-9_]/g, "")
 }
 </script>

assets/vue/components/installer/Step6.vue

@@ -226,7 +226,7 @@
         />
         <div
           class="field text-body-2"
-          v-text="installerData.stepData.dbNameForm"
+          v-text="sanitizedDbName"
         />
       </div>
 
@@ -379,7 +379,7 @@
 </template>
 
 <script setup>
-import { inject, ref } from "vue"
+import { inject, ref, computed } from "vue"
 import { useI18n } from "vue-i18n"
 
 import Message from "primevue/message"
@@ -392,6 +392,19 @@ const { t } = useI18n()
 
 const installerData = inject("installerData")
 
+// Compute the sanitized database name as it will be created on the server.
+const sanitizedDbName = computed(() => {
+  const raw = installerData.value?.stepData?.dbNameForm || ""
+
+  // For updates we trust the existing database name as-is.
+  if (installerData.value.installType === "update" || installerData.value.isUpdateAvailable) {
+    return raw
+  }
+
+  // Same rule as backend: only letters, digits and underscore are kept.
+  return raw.replace(/[^a-zA-Z0-9_]/g, "")
+})
+
 const loading = ref(false)
 const isButtonDisabled = ref(installerData.value.isUpdateAvailable)
 const isExecutable = ref("")
@@ -423,7 +436,7 @@ function btnStep6OnClick() {
 }
 
 function startMigration(updatePath) {
-  var xhr = new XMLHttpRequest()
+  const xhr = new XMLHttpRequest()
   xhr.onreadystatechange = function () {
     if (xhr.readyState === 4 && xhr.status !== 200) {
       loading.value = false
@@ -442,7 +455,7 @@ function startMigration(updatePath) {
 
 function pollMigrationStatus() {
   setTimeout(() => {
-    var xhr = new XMLHttpRequest()
+    const xhr = new XMLHttpRequest()
     xhr.onreadystatechange = function () {
       if (xhr.readyState === 4 && xhr.status === 200) {
         const response = JSON.parse(xhr.responseText)

public/main/install/index.php

@@ -514,16 +514,18 @@
             $dbPortForm
         );
         $manager = Database::getManager();
-        $dbNameForm = preg_replace('/[^a-zA-Z0-9_\-]/', '', $dbNameForm);
 
-        // Drop and create the database anyways
+        // Sanitize database name: only letters, numbers and underscore
+        $dbNameForm = preg_replace('/[^a-zA-Z0-9_]/', '', $dbNameForm);
+
+        // Drop and create the database anyway
         error_log("Drop database $dbNameForm");
         $schemaManager = $manager->getConnection()->createSchemaManager();
 
         try {
             $schemaManager->dropDatabase($dbNameForm);
         } catch (\Doctrine\DBAL\Exception $e) {
-            error_log("Database ".$dbNameForm." does not exists");
+            error_log("Database ".$dbNameForm." does not exist");
         }
 
         $schemaManager->createDatabase($dbNameForm);