Ticket #147 (closed defect: fixed)
_install.php can write invalid php code for plog-config.php (problem in create_config_file)
| Reported by: | mark81@… | Owned by: | sidtheduck |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | Install | Version: | |
| Severity: | minor | Keywords: | |
| Cc: | | | |
Description
If one of the database settings entered in the _install.php form includes PHP markup with characters that need to be escaped, the '$' character for instance, plog-config.php gets written with invalid characters.
I found that even after manually changing the characters, none of my database tables had been created, and I had to delete the plog-config.php file and then rerun _install.php for a successful configuration.
Using database user password with a '$' character will replicate this behaviour in _install.php.
Workaround:
I modified the create_config_file function in lib/plogger/install_functions.php to use single quotes, allowing me to have '$' characters in my database password.

```php
function create_config_file($db_host, $db_user, $db_pass, $db_name) {
    $cfg_file  = "<?php\n";
    $cfg_file .= '// this is the file used to connect to your database.' . "\n";
    $cfg_file .= '// you must change these values in order to run the gallery.' . "\n";
    // THESE 4 lines are what I changed: the value is now wrapped in single
    // quotes in the generated file, so PHP does not interpolate '$' when
    // plog-config.php is later included. (A value containing ' or \ would
    // still break the generated literal.)
    $cfg_file .= "define(\"PLOGGER_DB_HOST\",'" . $db_host . "');\n";
    $cfg_file .= "define(\"PLOGGER_DB_USER\",'" . $db_user . "');\n";
    $cfg_file .= "define(\"PLOGGER_DB_PW\",'" . $db_pass . "');\n";
    $cfg_file .= "define(\"PLOGGER_DB_NAME\",'" . $db_name . "');\n";
    $cfg_file .= "?>\n";
    return $cfg_file;
}
```
Note though that this is still not ideal since it is a potential security hole (I could insert php code here). Not that the security hole part is too big of a deal (since it's the install script) but if there is a php escape function that I don't know about, it would be perfect to use here.
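A version of the helper that emits each setting with var_export(), added here as an example and not the ticket's or Plogger's own code, so that any value (one containing $, quotes or backslashes included) becomes a valid PHP string literal rather than raw PHP source; the sample values and the round-trip check below are constructed for the example.

```php
<?php
// Added example (not Plogger's code): generate plog-config.php with
// var_export(), which writes a single-quoted literal and escapes ' and \
// itself, so user-supplied settings can never be parsed as PHP code.
function create_config_file_safe($db_host, $db_user, $db_pass, $db_name) {
    $settings = array(
        'PLOGGER_DB_HOST' => $db_host,
        'PLOGGER_DB_USER' => $db_user,
        'PLOGGER_DB_PW'   => $db_pass,
        'PLOGGER_DB_NAME' => $db_name,
    );
    $cfg_file  = "<?php\n";
    $cfg_file .= "// this is the file used to connect to your database.\n";
    $cfg_file .= "// you must change these values in order to run the gallery.\n";
    foreach ($settings as $name => $value) {
        // Cast to string first so a non-string input still yields a
        // string constant; var_export() does the quoting and escaping.
        $cfg_file .= 'define(' . var_export($name, true) . ', '
                   . var_export((string) $value, true) . ");\n";
    }
    $cfg_file .= "?>\n";
    return $cfg_file;
}

// Constructed sample password containing the characters the ticket is
// about: a '$', a single quote and a backslash.
$password = 'pa$s\'w\\ord';
$cfg = create_config_file_safe('localhost', 'plogger', $password, 'plog_db');

// Round-trip check: include the generated file and confirm the constant
// holds exactly the original value (php -l would only prove it parses).
$tmp = tempnam(sys_get_temp_dir(), 'plogcfg');
file_put_contents($tmp, $cfg);
include $tmp;
unlink($tmp);
if (PLOGGER_DB_PW !== $password) {
    throw new RuntimeException('config round trip failed');
}
echo $cfg;
```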
