diff -r 62ee6685ad18 -r e7bbbb92385b install.php --- a/install.php Thu Nov 15 18:00:39 2007 -0500 +++ b/install.php Thu Nov 15 18:02:14 2007 -0500 @@ -179,15 +179,12 @@ if ( $act_get ) return $conn; - $db_user =& $_POST['db_user']; - $db_pass =& $_POST['db_pass']; - $db_name =& $_POST['db_name']; + $db_user = mysql_real_escape_string($_POST['db_user']); + $db_pass = mysql_real_escape_string($_POST['db_pass']); + $db_name = mysql_real_escape_string($_POST['db_name']); - if ( !preg_match('/^[a-z0-9_-]+$/', $db_name) ) - { - $db_name = htmlspecialchars($db_name); - die("

SECURITY: malformed database name \"$db_name\"

"); - } + if ( !preg_match('/^[a-z0-9_]+$/', $db_name) ) + die("

SECURITY: malformed database name

"); // First, try to connect using the normal credentials $conn = @mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']); @@ -202,9 +199,6 @@ // Couldn't connect using either set of credentials. Bail out. return false; } - unset($db_user, $db_pass); - $db_user = mysql_real_escape_string($_POST['db_user']); - $db_pass = mysql_real_escape_string($_POST['db_pass']); // Create the user account $q = @mysql_query("GRANT ALL PRIVILEGES ON test.* TO '{$db_user}'@'localhost' IDENTIFIED BY '$db_pass' WITH GRANT OPTION;", $conn_root); if ( !$q ) @@ -233,16 +227,9 @@ return false; } } - mysql_close($conn_root); - $conn = @mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']); - if ( !$conn ) - { - // This should honestly never happen. - return false; - } } } - $q = @mysql_query("USE `$db_name`;", $conn); + $q = @mysql_query("USE $db_name;", $conn); if ( !$q ) { // access denied to the database; try the whole root schenanegan again 
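Review bot: The three `mysql_real_escape_string()` calls now run before the `mysql_connect()` on the following context line, so there is no link for them to escape against; without an open link that function tries a default connection and otherwise returns false, which would make the `$db_name` whitelist reject every input and leave `$db_user`/`$db_pass` as false when they are interpolated into the GRANT statements in @@ -202 and @@ -255, where the post-connect re-escape was deleted. Keep the raw `$_POST` values for the connect calls, run the whitelist on the raw `$_POST['db_name']`, and escape against the link once it exists, e.g. `$db_user = mysql_real_escape_string($_POST['db_user'], $conn_root);` placed after `$conn_root` is opened. The enclosing function starts before this hunk and continues after it.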
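Review bot: With the reconnect as the newly created account removed at the end of this hunk, the `USE $db_name;` query that follows is issued on whatever `$conn` already holds, and on the path through this branch that appears to be the failed `@mysql_connect()` result from the first hunk, so the query cannot succeed and control falls into the "try the whole root schenanegan again" branch, whose own reconnect is removed in @@ -255 as well; if the reconnect was moved somewhere outside these hunks this is moot. Unless that is intended, restore a live link before the `USE`, e.g. `$conn = @mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']);` followed by `if ( !$conn ) return false;`. The enclosing function continues outside the hunk.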
@@ -255,44 +242,33 @@ return false; } // create the database, if it doesn't exist - $q = @mysql_query("CREATE DATABASE IF NOT EXISTS `$db_name`;", $conn_root); + $q = @mysql_query("CREATE DATABASE IF NOT EXISTS $db_name;", $conn_root); if ( !$q ) { // this really should never fail, so don't give any tolerance to it return false; } - unset($db_user, $db_pass); - $db_user = mysql_real_escape_string($_POST['db_user']); - $db_pass = mysql_real_escape_string($_POST['db_pass']); // we're in with root rights; grant access to the database - $q = @mysql_query("GRANT ALL PRIVILEGES ON `$db_name`.* TO '{$db_user}'@'localhost';", $conn_root); + $q = @mysql_query("GRANT ALL PRIVILEGES ON $db_name.* TO '{$db_user}'@'localhost';", $conn_root); if ( !$q ) { return false; } if ( $_POST['db_host'] != 'localhost' && $_POST['db_host'] != '127.0.0.1' && $_POST['db_host'] != '::1' ) { - $q = @mysql_query("GRANT ALL PRIVILEGES ON `$db_name`.* TO '{$db_user}'@'%';", $conn_root); + $q = @mysql_query("GRANT ALL PRIVILEGES ON $db_name.* TO '{$db_user}'@'%';", $conn_root); if ( !$q ) { return false; } } - mysql_close($conn_root); - // grant tables have hopefully been flushed, kill and reconnect our regular user connection - mysql_close($conn); - $conn = @mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']); - if ( !$conn ) - { - return false; - } } else { return false; } // try again - $q = @mysql_query("USE `$db_name`;", $conn); + $q = @mysql_query("USE $db_name;", $conn); if ( !$q ) { // really failed this time; bail out @@ -694,7 +670,7 @@ die('root'.$e); } $rsp = 'good'; - $q = mysql_query('USE '.$dbname, $conn); + $q = mysql_query('USE `' . mysql_real_escape_string($dbname) . '`;', $conn); if(!$q) { $e = mysql_error(); @@ -727,7 +703,7 @@ else die('auth'.$e); } - $q = mysql_query('USE '.$dbname, $conn); + $q = mysql_query('USE `' . mysql_real_escape_string($dbname) . '`;', $conn); if(!$q) { $e = mysql_error(); 
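Review bot: Wrapping `mysql_real_escape_string($dbname)` in backticks does not make it a safe identifier: that function escapes the characters meaningful inside a string literal (quotes, backslash, NUL, line breaks) and leaves the backtick alone, so it is the wrong escaper for a quoted identifier. Validate the name with the same whitelist the installer applies in @@ -179 and stop on failure, e.g. `if ( !preg_match('/^[a-z0-9_]+$/', $dbname) ) die('malformed database name');` immediately before the query, keeping the backtick-quoted `USE` as it is; the identical line in @@ -727 needs the same treatment. Note also that @@ -233 and @@ -255 go the other way and drop the backticks from `USE`, `CREATE DATABASE` and `GRANT`, so identifier quoting should be handled one way throughout the file. The enclosing function starts before and ends after the hunk.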
@@ -949,7 +925,7 @@ '; - run_test('return false;', 'Some of the features of Enano have been turned off to accommodate your server.', 'Enano has detected that some of the features or configuration settings on your server are not optimal for the best behavior and/or performance for Enano. As a result, certain features or enhancements that are part of Enano have been disabled to prevent further errors. You have seen those "fatal error" notices that spew from PHP, haven\'t you?

   Fatal error: call to undefined function wannahockaloogie() in file '.__FILE__.' on line '.__LINE__.'', true); + run_test('return false;', 'Some scalebacks were made due to your server configuration.', 'Enano has detected that some of the features or configuration settings on your server are not optimal for the best behavior and/or performance for Enano. As a result, certain features or enhancements that are part of Enano have been disabled to prevent further errors. You have seen those "fatal error" notices that spew from PHP, haven\'t you?

Fatal error:
call to undefined function wannahokaloogie() in file '.__FILE__.' on line '.__LINE__.'', true); echo ''; } else { echo ''; @@ -960,7 +936,7 @@
- +

Before clicking continue:
• Review the list above to ensure that you are satisfied with any of Enano's workarounds for your server. If you need a particular feature and that feature is listed as disabled above, you should take the opportunity now to correct the problem.
• Have your database host, name, username, and password available

Before clicking continue:
• Ensure that you are satisfied with any scalebacks that may have been made to accomodate your server configuration
• Have your database host, name, username, and password available

@@ -1125,7 +1101,7 @@ document.getElementById('s_db_host').src='images/bad.gif'; ret = false; } - if(frm.db_name.value.match(/^([a-z0-9_-]+)$/g)) + if(frm.db_name.value.match(/^([a-z0-9_]+)$/g)) { document.getElementById('s_db_name').src='images/unknown.gif'; } @@ -1178,144 +1154,33 @@ If you need to modify MySQL and then distribute your modifications, you must either distribute them under the terms of the GPL or purchase a proprietary license.

MySQL login information for this virtual appliance:

Database hostname: localhost
Database login: username "enano", password: "clurichaun" (without quotes)
Database name: enano_www1

'; } ?>
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + +
-

Database information

-
- Database hostname -
This is the hostname (or sometimes the IP address) of your MySQL server. In many cases, this is "localhost". -
-
- - - Good/bad icon -
- Database name
- The name of the actual database. If you don't already have a database, you can create one here, if you have the username and password - of a MySQL user with administrative rights.
- -
- - - Good/bad icon -
- Database login
- These fields should be the username and password of a user with "select", "insert", "update", "delete", "create table", and "replace" - privileges for your database.
- -
- - - Good/bad icon -
- -
-

Optional information

-
- Table prefix
- The value that you enter here will be added to the beginning of the name of each Enano table. You may use lowercase letters (a-z), - numbers (0-9), and underscores (_). -
- - - Good/bad icon -
- Database administrative login
- If the MySQL database or username that you entered above does not exist yet, you can create them here, assuming that you have the - login information for an administrative user (such as root). Leave these fields blank unless you need to use them.
- -
- - - Good/bad icon -
- -
- MySQL version - - MySQL version information will be checked when you click "Test Connection". - - Good/bad icon -
- Delete existing tables?
- If this option is checked, all the tables that will be used by Enano will be dropped (deleted) before the schema is executed. Do - NOT use this option unless specifically instructed to. -
- -
- -

Database information

Database hostname
This is the hostname (or sometimes the IP address) of your MySQL server. In many cases, this is "localhost".
Good/bad icon
Database name
The name of the actual database. If you don't already have a database, you can create one here, if you have the username and password of a MySQL user with administrative rights.
Good/bad icon
Database login
These fields should be the username and password of a user with "select", "insert", "update", "delete", "create table", and "replace" privileges for your database.
Good/bad icon

Optional information

Table prefix
The value that you enter here will be added to the beginning of the name of each Enano table. You may use lowercase letters (a-z), numbers (0-9), and underscores (_).
Good/bad icon
Database administrative login
If the MySQL database or username that you entered above does not exist yet, you can create them here, assuming that you have the login information for an administrative user (such as root). Leave these fields blank unless you need to use them.
Good/bad icon
MySQL versionMySQL version information will be checked when you click "Test Connection".Good/bad icon
Delete existing tables?
If this option is checked, all the tables that will be used by Enano will be dropped (deleted) before the schema is executed. Do NOT use this option unless specifically instructed to.
+ + + + +

Before clicking continue:
• Check your MySQL connection using the "Test Connection" button.
• Be aware that your database information will be transmitted unencrypted several times.

+

The next step is to enter some information about your website. You can always change this information later, using the administration panel.

- - - - - - - - - - - - - - - - - - - - - - - - + + + + +
- Website name
- The display name of your website. Allowed characters are uppercase and lowercase letters, numerals, and spaces. This must not - be blank or "Enano". -
- - - Good/bad icon -
- Website description
- This text will be shown below the name of your website. -
- - - Good/bad icon -
- Copyright info
- This should be a one-line legal notice that will appear at the bottom of all your pages. -
- - - Good/bad icon -
- Wiki mode
- This feature allows people to create and edit pages on your site. Enano keeps a history of all page modifications, and you can - protect pages to prevent editing. -
- - -   -
- URL scheme
- Choose how the page URLs will look. Depending on your server configuration, you may need to select the first option. If you - don't know, select the first option, and you can always change it later. -
- name="urlscheme" value="ugly" id="ugly" />
- name="urlscheme" value="short" id="short" />
- -
Website name
The display name of your website. Allowed characters are uppercase and lowercase letters, numerals, and spaces. This must not be blank or "Enano".
Good/bad icon
Website description
This text will be shown below the name of your website.
Good/bad icon
Copyright info
This should be a one-line legal notice that will appear at the bottom of all your pages.
Good/bad icon
Wiki mode
This feature allows people to create and edit pages on your site. Enano keeps a history of all page modifications, and you can protect pages to prevent editing.
URL scheme
Choose how the page URLs will look. Depending on your server configuration, you may need to select the first option. If you don't know, select the first option, and you can always change it later.
name="urlscheme" value="ugly" id="ugly">
name="urlscheme" value="short" id="short">
@@ -1538,23 +1337,10 @@ ?>

Next, enter your desired username and password. The account you create here will be used to administer your site.

- - - - - - - - - - - - - - - - - + + + +
Administration username
The administration username you will use to log into your site.
This cannot be "anonymous" or in the form of an IP address.
Good/bad icon
Administration password:Good/bad icon
Enter it again to confirm:
Your e-mail address:Good/bad icon
Administration username
The administration username you will use to log into your site.
This cannot be "anonymous" or in the form of an IP address.
Good/bad icon
Administration password:Good/bad icon
Enter it again to confirm:
Your e-mail address:Good/bad icon
Allow administrators to embed PHP code into pages:
@@ -1574,24 +1360,15 @@
- - - + + +