From ee17d64d7179ecef2c341b600cf6c3991ba22e5e Mon Sep 17 00:00:00 2001
From: Michael McAndrew
Date: Sun, 2 Oct 2016 17:19:59 +0100
Subject: [PATCH] Michaelmcandrew safe dbname (#9148)

* Update index.php better name for DB name safety check function. * Update DAO.php * adding - to help text * updating test for testRequireSafeDBName
---
 CRM/Core/DAO.php | 7 ++++---
 install/index.php | 4 ++--
 tests/phpunit/CRM/Core/DAOTest.php | 8 ++++----
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/CRM/Core/DAO.php b/CRM/Core/DAO.php
index 96fff2b0b8..9f5672c840 100644
--- a/CRM/Core/DAO.php
+++ b/CRM/Core/DAO.php
@@ -2459,16 +2459,17 @@ SELECT contact_id
   }
 
   /**
-   * function to check valid db name containing only characters in [0-9,a-z,A-Z_]
+   * ensure database name is 'safe', i.e. only contains word characters (includes underscores)
+   * and dashes, and contains at least one [a-z] case insenstive.
    *
    * @param $database
    *
    * @return bool
    */
-  public static function requireValidDBName($database) {
+  public static function requireSafeDBName($database) {
     $matches = array();
     preg_match(
-      "/^[0-9]*[a-zA-Z_]+[a-zA-Z0-9_]*$/",
+      "/^[\w\-]*[a-z]+[\w\-]*$/i",
       $database,
       $matches
     );
diff --git a/install/index.php b/install/index.php
index a98269e903..4b685a3e01 100644
--- a/install/index.php
+++ b/install/index.php
@@ -469,9 +469,9 @@ class InstallRequirements {
     $testDetails = array(
       ts("MySQL %1 Configuration", array(1 => $dbName)),
       ts("Is the provided database name valid?"),
-      ts("The database name provided is not valid. Please use only 0-9, a-z, A-Z and _ as characters in the name."),
+      ts("The database name provided is not valid. Please use only 0-9, a-z, A-Z, _ and - as characters in the name."),
     );
-    if (!CRM_Core_DAO::requireValidDBName($databaseConfig['database'])) {
+    if (!CRM_Core_DAO::requireSafeDBName($databaseConfig['database'])) {
       $this->error($testDetails);
       return FALSE;
     }
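Review bot: The new pattern on the `"/^[\w\-]*[a-z]+[\w\-]*$/i"` line still accepts a name with a trailing newline, because a plain `$` matches before a final `\n`; anchor with `\z` or add the `D` modifier, e.g. `"/^[\w\-]*[a-z]+[\w\-]*\z/i"`. Admitting `-` also means the value is no longer a bare MySQL identifier: any caller that interpolates it into SQL without backtick quoting (none is visible in this hunk, so this is inferred) would fail or mis-parse on such a name, so the callers should be checked for quoting. The docblock has a typo, `case insenstive` should read `case insensitive`. The body of requireSafeDBName continues past the hunk, so how `$matches` is turned into the boolean return is not visible here.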
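Review bot: The updated help text on the `ts("The database name provided is not valid. ...")` line lists the permitted characters but omits the rule requireSafeDBName actually enforces, that the name must contain at least one letter, so a value built only from digits and dashes (a constructed example: `123-456`) is rejected with a message that describes it as acceptable. Suggest `ts("The database name provided is not valid. Please use only 0-9, a-z, A-Z, _ and - as characters in the name, and include at least one letter.")`. The enclosing method of InstallRequirements starts before this hunk.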
diff --git a/tests/phpunit/CRM/Core/DAOTest.php b/tests/phpunit/CRM/Core/DAOTest.php
index a80eecc7ba..cdf8f1b96e 100644
--- a/tests/phpunit/CRM/Core/DAOTest.php
+++ b/tests/phpunit/CRM/Core/DAOTest.php
@@ -226,9 +226,9 @@ class CRM_Core_DAOTest extends CiviUnitTestCase {
   }
 
   /**
-   * requireValidDBName() method (to check valid database name)
+   * requireSafeDBName() method (to check valid database name)
    */
-  public function testRequireValidDBName() {
+  public function testRequireSafeDBName() {
     $databases = array(
       'testdb' => TRUE,
       'test_db' => TRUE,
@@ -236,7 +236,7 @@ class CRM_Core_DAOTest extends CiviUnitTestCase {
       '123testdb' => TRUE,
       'test12db34' => TRUE,
       'test_12_db34' => TRUE,
-      'test-db' => FALSE,
+      'test-db' => TRUE,
       'test;db' => FALSE,
       'test*&db' => FALSE,
       'testdb;Delete test' => FALSE,
@@ -245,7 +245,7 @@ class CRM_Core_DAOTest extends CiviUnitTestCase {
     );
     $testDetails = array();
     foreach ($databases as $database => $val) {
-      $this->assertEquals(CRM_Core_DAO::requireValidDBName($database), $val);
+      $this->assertEquals(CRM_Core_DAO::requireSafeDBName($database), $val);
     }
   }
 
-- 
2.25.1
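Review bot: The table in the second hunk flips `'test-db'` to TRUE but adds no case for the other edges of the new rule in DAO.php: a name with no letter at all (a constructed example: `'123-456' => FALSE`), which the `[a-z]+` part rejects, and a name ending in a newline, which the pattern's unanchored `$` appears to accept and which a reviewer would want pinned as FALSE. The assertion on the new line in the third hunk passes the actual value first; PHPUnit's assertEquals takes `(expected, actual)`, so a failure message would report the two swapped, and `$this->assertEquals($val, CRM_Core_DAO::requireSafeDBName($database));` reads correctly. testRequireSafeDBName opens in the first hunk and closes in the third, so the full case list is not visible here.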