(fix)MON-14742 Escape database name in CentACL (#11602)

* fixed issue of using special chars in db names

* fix escape database name

* fixed security issue on sql requests

www/class/centreon-partition/mysqlTable.class.php

@@ -423,7 +423,7 @@ public function isValid()
     public function exists()
     {
         try {
-            $DBRESULT = $this->db->query("use " . $this->schema);
+            $DBRESULT = $this->db->query("use `" . $this->schema . "`");
         } catch (\PDOException $e) {
             throw new Exception(
                 "SQL Error: Cannot use database "

www/class/centreon-partition/partEngine.class.php

@@ -236,7 +236,7 @@ private function createDailyPartitions($table, $createPastPartitions): string
      */
     public function createParts($table, $db, $createPastPartitions): void
     {
-        $tableName = $table->getSchema() . "." . $table->getName();
+        $tableName = "`" . $table->getSchema() . "`." . $table->getName();
         if ($table->exists()) {
             throw new Exception("Warning: Table " . $tableName . " already exists\n");
         }
@@ -253,7 +253,7 @@ public function createParts($table, $db, $createPastPartitions): void
         }
 
         try {
-            $dbResult = $db->query("use " . $table->getSchema());
+            $dbResult = $db->query("use `" . $table->getSchema() . "`");
         } catch (\PDOException $e) {
             throw new Exception(
                 "SQL Error: Cannot use database "
@@ -325,7 +325,7 @@ public function purgeParts($table, $db)
             $condition = $this->purgeDailyPartitionCondition($table);
         }
 
-        $tableName = $table->getSchema() . "." . $table->getName();
+        $tableName = "`" . $table->getSchema() . "`." . $table->getName();
         if (!$table->exists()) {
             throw new Exception("Error: Table " . $tableName . " does not exists\n");
         }
@@ -364,7 +364,7 @@ public function purgeParts($table, $db)
      */
     public function migrate($table, $db)
     {
-        $tableName = $table->getSchema() . "." . $table->getName();
+        $tableName = "`" . $table->getSchema() . "`." . $table->getName();
 
         $db->query("SET bulk_insert_buffer_size= 1024 * 1024 * 256");
 
@@ -411,7 +411,7 @@ public function migrate($table, $db)
      */
     public function updateParts($table, $db)
     {
-        $tableName = $table->getSchema() . "." . $table->getName();
+        $tableName = "`" . $table->getSchema() . "`." . $table->getName();
 
         //verifying if table is partitioned
         if ($this->isPartitioned($table, $db) === false) {
@@ -433,7 +433,7 @@ public function updateParts($table, $db)
      */
     public function optimizeTablePartitions($table, $db)
     {
-        $tableName = $table->getSchema() . "." . $table->getName();
+        $tableName = "`" . $table->getSchema() . "`." . $table->getName();
         if (!$table->exists()) {
             throw new Exception("Optimize error: Table " . $tableName . " does not exists\n");
         }
@@ -472,7 +472,7 @@ public function optimizeTablePartitions($table, $db)
      */
     public function listParts($table, $db, $throwException = true)
     {
-        $tableName = $table->getSchema() . "." . $table->getName();
+        $tableName = "`" . $table->getSchema() . "`." . $table->getName();
         if (!$table->exists()) {
             throw new Exception("Parts list error: Table " . $tableName . " does not exists\n");
         }
@@ -521,7 +521,7 @@ public function listParts($table, $db, $throwException = true)
      */
     public function backupParts($table, $db)
     {
-        $tableName = $table->getSchema() . "." . $table->getName();
+        $tableName = "`" . $table->getSchema() . "`." . $table->getName();
         if (!$table->exists()) {
             throw new Exception("Error: Table " . $tableName . " does not exists\n");
         }

www/install/steps/process/createDbUser.php

@@ -82,7 +82,7 @@
 
 // creating the user - mandatory for MySQL DB
 $alterQuery = "ALTER USER :dbUser@:host IDENTIFIED WITH mysql_native_password BY :dbPass";
-$query = "GRANT ALL PRIVILEGES ON %s.* TO '" . $parameters['db_user'] . "'@'" . $host . "'";
+$query = "GRANT ALL PRIVILEGES ON `%s`.* TO '" . $parameters['db_user'] . "'@'" . $host . "'";
 $flushQuery = "FLUSH PRIVILEGES";
 
 try {

www/install/steps/process/insertBaseConf.php

@@ -65,7 +65,7 @@
  * Create tables
  */
 try {
-    $result = $link->query('use ' . $parameters['db_configuration']);
+    $result = $link->query(sprintf('use `%s`', $parameters['db_configuration']));
     if (!$result) {
         throw new \Exception('Cannot access to "' . $parameters['db_configuration'] . '" database');
     }

www/install/steps/process/installConfigurationDb.php

@@ -82,7 +82,7 @@
 }
 
 try {
-    $link->exec("CREATE DATABASE " . $parameters['db_configuration']);
+    $link->exec(sprintf('CREATE DATABASE `%s`', $parameters['db_configuration']));
 } catch (\PDOException $e) {
     if (!is_file('../../tmp/createTables')) {
         $return['msg'] = $e->getMessage();
@@ -94,7 +94,7 @@
 /**
  * Create tables
  */
-$link->exec('use ' . $parameters['db_configuration']);
+$link->exec(sprintf('use `%s`', $parameters['db_configuration']));
 $result = splitQueries('../../createTables.sql', ';', $link, '../../tmp/createTables');
 if ("0" != $result) {
     $return['msg'] = $result;

www/install/steps/process/installStorageDb.php

@@ -61,7 +61,7 @@
 }
 
 try {
-    $link->exec("CREATE DATABASE " . $parameters['db_storage']);
+    $link->exec(sprintf('CREATE DATABASE `%s`', $parameters['db_storage']));
 } catch (\PDOException $e) {
     if (!is_file('../../tmp/createTablesCentstorage')) {
         $return['msg'] = $e->getMessage();
@@ -79,7 +79,7 @@
 );
 
 try {
-    $result = $link->query('use ' . $parameters['db_storage']);
+    $result = $link->query(sprintf('use `%s`', $parameters['db_storage']));
     if (!$result) {
         throw new \Exception('Cannot access to "' . $parameters['db_storage'] . '" database');
     }