Description: Fix SQL injection in pg_insert_id()
 Properly escape the $tablename and $fieldname parameters used to build
 the sequence name.
Forwarded: https://github.com/ADOdb/ADOdb/issues/1070
Origin: https://github.com/ADOdb/ADOdb/commit/0774134f3311779495d16f74a35c872e353708c6.patch
Bug-Debian: https://bugs.debian.org/1104548
Author: Damien Regad <dregad@mantisbt.org>

From 11107d6d6e5160b62e05dff8a3a2678cf0e3a426 Mon Sep 17 00:00:00 2001
From: Damien Regad <dregad@mantisbt.org>
Date: Sat, 26 Apr 2025 17:45:53 +0200
Subject: [PATCH 1/2] Fix SQL injection in pg_insert_id()

Properly escape the $tablename and $fieldname parameters used to build
the sequence name.
---
 drivers/adodb-postgres64.inc.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/adodb-postgres64.inc.php b/drivers/adodb-postgres64.inc.php
index b1d161d7c..5cbe77ed2 100644
--- a/drivers/adodb-postgres64.inc.php
+++ b/drivers/adodb-postgres64.inc.php
@@ -138,7 +138,8 @@ function IfNull( $field, $ifNull )
 	// get the last id - never tested
 	function pg_insert_id($tablename,$fieldname)
 	{
-		$result=pg_query($this->_connectionID, 'SELECT last_value FROM '. $tablename .'_'. $fieldname .'_seq');
+		$sequence = pg_escape_identifier($this->_connectionID, $tablename .'_'. $fieldname .'_seq');
+		$result = pg_query($this->_connectionID, 'SELECT last_value FROM '. $sequence);
 		if ($result) {
 			$arr = @pg_fetch_row($result,0);
 			pg_free_result($result);