From a4d2e077b899a2817a363971008ff15dc32ca281 Mon Sep 17 00:00:00 2001
From: Louis Lam
Date: Sun, 31 Aug 2025 01:26:32 +0800
Subject: [PATCH] Fix: Check MySQL database name (#5991)
---
 package-lock.json | 1 +
 package.json | 1 +
 server/database.js | 11 ++++++-----
 server/setup-database.js | 2 ++
 4 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index ae62889d5..b3997e257 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -80,6 +80,7 @@
 "socket.io": "~4.8.0",
 "socket.io-client": "~4.8.0",
 "socks-proxy-agent": "~8.0.5",
+ "sqlstring": "~2.3.3",
 "tar": "~6.2.1",
 "tcp-ping": "~0.1.1",
 "thirty-two": "~1.0.2",
diff --git a/package.json b/package.json
index 5dae1cd77..2ab21cac2 100644
--- a/package.json
+++ b/package.json
@@ -138,6 +138,7 @@
 "socket.io": "~4.8.0",
 "socket.io-client": "~4.8.0",
 "socks-proxy-agent": "~8.0.5",
+ "sqlstring": "~2.3.3",
 "tar": "~6.2.1",
 "tcp-ping": "~0.1.1",
 "thirty-two": "~1.0.2",
diff --git a/server/database.js b/server/database.js
index c07797fd1..d22ceb29b 100644
--- a/server/database.js
+++ b/server/database.js
@@ -12,6 +12,7 @@ const { UptimeCalculator } = require("./uptime-calculator");
 const dayjs = require("dayjs");
 const { SimpleMigrationServer } = require("./utils/simple-migration-server");
 const KumaColumnCompiler = require("./utils/knex/lib/dialects/mysql2/schema/mysql2-columncompiler");
+const SqlString = require("sqlstring");
 /**
 * Database & App Data Folder
@@ -256,10 +257,6 @@ class Database {
 }
 };
 } else if (dbConfig.type === "mariadb") {
- if (!/^\w+$/.test(dbConfig.dbName)) {
- throw Error("Invalid database name. A database name can only consist of letters, numbers and underscores");
- }
-
 const connection = await mysql.createConnection({
 host: dbConfig.hostname,
 port: dbConfig.port,
@@ -267,7 +264,11 @@ class Database {
 password: dbConfig.password,
 });
- await connection.execute("CREATE DATABASE IF NOT EXISTS " + dbConfig.dbName + " CHARACTER SET utf8mb4");
+ // Set to true, so for example "uptime.kuma", becomes `uptime.kuma`, not `uptime`.`kuma`
+ // Doc: https://github.com/mysqljs/sqlstring?tab=readme-ov-file#escaping-query-identifiers
+ const escapedDBName = SqlString.escapeId(dbConfig.dbName, true);
+
+ await connection.execute("CREATE DATABASE IF NOT EXISTS " + escapedDBName + " CHARACTER SET utf8mb4");
 connection.end();
 config = {
diff --git a/server/setup-database.js b/server/setup-database.js
index 483f2c9a4..248208662 100644
--- a/server/setup-database.js
+++ b/server/setup-database.js
@@ -208,11 +208,13 @@ class SetupDatabase {
 // Test connection
 try {
+ log.info("setup-database", "Testing database connection...");
 const connection = await mysql.createConnection({
 host: dbConfig.hostname,
 port: dbConfig.port,
 user: dbConfig.username,
 password: dbConfig.password,
+ database: dbConfig.dbName,
 });
 await connection.execute("SELECT 1");
 connection.end();
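Review bot: `SqlString.escapeId(dbConfig.dbName, true)` is now the only handling of the database name before `CREATE DATABASE`, because the preceding hunk in this file (at -256) removes the `/^\w+$/` check, which also rejected empty and non-string values. Escaping neutralises backticks inside the identifier, but as far as I can tell from sqlstring, `escapeId` stringifies whatever it is given and joins arrays with commas. An undefined, empty or array-valued `dbName` would then reach the statement as a database literally named undefined, an empty identifier or an identifier list, instead of failing with a clear message. I would keep a minimal guard ahead of the escape: `if (typeof dbConfig.dbName !== "string" || dbConfig.dbName.length === 0) { throw Error("Invalid database name"); }`. The enclosing method starts and ends outside the hunk, so a caller may already validate this; worth confirming.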
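Review bot: With `database: dbConfig.dbName,` added to the test connection, the setup check appears to fail whenever the named database does not exist yet, while `server/database.js` in this same commit still runs `CREATE DATABASE IF NOT EXISTS` on a connection opened without a database. If requiring a pre-existing database is intended, a comment above the `createConnection` call such as `// Select the database here so a missing or misspelled name is reported during setup` would record that; otherwise the two paths disagree. Separately, `connection.end();` is not awaited and is skipped when `execute` throws, so presumably the connection stays open on failure; `try { await connection.execute("SELECT 1"); } finally { await connection.end(); }` would close it on both paths. The `catch` for this `try` block is outside the hunk.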