Enano CMS (1.1.x): comparison install.php

equal deleted inserted replaced

-:c9fd175289aa
+:acb9d021b860
 {
 static $conn = false;
 if ( $act_get )
 return $conn;
-$db_user = mysql_real_escape_string($_POST['db_user']);
+$db_user =& $_POST['db_user'];
-$db_pass = mysql_real_escape_string($_POST['db_pass']);
+$db_pass =& $_POST['db_pass'];
-$db_name = mysql_real_escape_string($_POST['db_name']);
+$db_name =& $_POST['db_name'];
-if ( !preg_match('/^[a-z0-9_]+$/', $db_name) )
+if ( !preg_match('/^[a-z0-9_-]+$/', $db_name) )
-die("<p>SECURITY: malformed database name</p>");
+{
+$db_name = htmlspecialchars($db_name);
+die("<p>SECURITY: malformed database name \"$db_name\"</p>");
+}
 // First, try to connect using the normal credentials
 $conn = @mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']);
 if ( !$conn )
 {
 if ( !$conn_root )
 {
 // Couldn't connect using either set of credentials. Bail out.
 return false;
 }
+unset($db_user, $db_pass);
+$db_user = mysql_real_escape_string($_POST['db_user']);
+$db_pass = mysql_real_escape_string($_POST['db_pass']);
 // Create the user account
 $q = @mysql_query("GRANT ALL PRIVILEGES ON test.* TO '{$db_user}'@'localhost' IDENTIFIED BY '$db_pass' WITH GRANT OPTION;", $conn_root);
 if ( !$q )
 {
 return false;
 if ( !$q )
 {
 return false;
 }
 }
-}
+mysql_close($conn_root);
-}
+$conn = @mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']);
-$q = @mysql_query("USE $db_name;", $conn);
+if ( !$conn )
+{
+// This should honestly never happen.
+return false;
+}
+}
+}
+$q = @mysql_query("USE `$db_name`;", $conn);
 if ( !$q )
 {
 // access denied to the database; try the whole root schenanegan again
 if ( !empty($_POST['db_root_user']) && !empty($_POST['db_root_pass']) )
 {
 {
 // Couldn't connect as root; bail out
 return false;
 }
 // create the database, if it doesn't exist
-$q = @mysql_query("CREATE DATABASE IF NOT EXISTS $db_name;", $conn_root);
+$q = @mysql_query("CREATE DATABASE IF NOT EXISTS `$db_name`;", $conn_root);
 if ( !$q )
 {
 // this really should never fail, so don't give any tolerance to it
 return false;
 }
+unset($db_user, $db_pass);
+$db_user = mysql_real_escape_string($_POST['db_user']);
+$db_pass = mysql_real_escape_string($_POST['db_pass']);
 // we're in with root rights; grant access to the database
-$q = @mysql_query("GRANT ALL PRIVILEGES ON $db_name.* TO '{$db_user}'@'localhost';", $conn_root);
+$q = @mysql_query("GRANT ALL PRIVILEGES ON `$db_name`.* TO '{$db_user}'@'localhost';", $conn_root);
 if ( !$q )
 {
 return false;
 }
 if ( $_POST['db_host'] != 'localhost' && $_POST['db_host'] != '127.0.0.1' && $_POST['db_host'] != '::1' )
 {
-$q = @mysql_query("GRANT ALL PRIVILEGES ON $db_name.* TO '{$db_user}'@'%';", $conn_root);
+$q = @mysql_query("GRANT ALL PRIVILEGES ON `$db_name`.* TO '{$db_user}'@'%';", $conn_root);
 if ( !$q )
 {
 return false;
 }
 }
+mysql_close($conn_root);
+// grant tables have hopefully been flushed, kill and reconnect our regular user connection
+mysql_close($conn);
+$conn = @mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']);
+if ( !$conn )
+{
+return false;
+}
 }
 else
 {
 return false;
 }
 // try again
-$q = @mysql_query("USE $db_name;", $conn);
+$q = @mysql_query("USE `$db_name`;", $conn);
 if ( !$q )
 {
 // really failed this time; bail out
 return false;
 }
 else
 {
 document.getElementById('s_db_host').src='images/bad.gif';
 ret = false;
 }
-if(frm.db_name.value.match(/^([a-z0-9_]+)$/g))
+if(frm.db_name.value.match(/^([a-z0-9_-]+)$/g))
 {
 document.getElementById('s_db_name').src='images/unknown.gif';
 }
 else
 {
 echo '<input type="hidden" name="'.htmlspecialchars($k[$i]).'" value="'.htmlspecialchars($_POST[$k[$i]]).'" />'."\n";
 }
 ?>
 <p>The next step is to enter some information about your website. You can always change this information later, using the administration panel.</p>
 <table border="0">
-<tr><td><b>Website name</b><br />The display name of your website. Allowed characters are uppercase and lowercase letters, numerals, and spaces. This must not be blank or "Enano".</td><td><input onkeyup="verify();" name="sitename" type="text" size="30" /></td><td><img id="s_name" alt="Good/bad icon" src="images/bad.gif" /></td></tr>
+<tr>
-<tr><td><b>Website description</b><br />This text will be shown below the name of your website.</td><td><input onkeyup="verify();" name="sitedesc" type="text" size="30" /></td><td><img id="s_desc" alt="Good/bad icon" src="images/bad.gif" /></td></tr>
+<td>
-<tr><td><b>Copyright info</b><br />This should be a one-line legal notice that will appear at the bottom of all your pages.</td><td><input onkeyup="verify();" name="copyright" type="text" size="30" /></td><td><img id="s_copyright" alt="Good/bad icon" src="images/bad.gif" /></td></tr>
+<b>Website name</b><br />
-<tr><td><b>Wiki mode</b><br />This feature allows people to create and edit pages on your site. Enano keeps a history of all page modifications, and you can protect pages to prevent editing.</td><td><input name="wiki_mode" type="checkbox" id="wmcheck" />  <label for="wmcheck">Yes, make my website a wiki.</label></td><td></td></tr>
+The display name of your website. Allowed characters are uppercase and lowercase letters, numerals, and spaces. This must not
-<tr><td><b>URL scheme</b><br />Choose how the page URLs will look. Depending on your server configuration, you may need to select the first option. If you don't know, select the first option, and you can always change it later.</td><td colspan="2"><input type="radio" <?php if(!is_apache()) echo 'checked="checked" '; ?>name="urlscheme" value="ugly" id="ugly">  <label for="ugly">Standard URLs - compatible with any web server (www.example.com/index.php?title=Page_name)</label><br /><input type="radio" <?php if(is_apache()) echo 'checked="checked" '; ?>name="urlscheme" value="short" id="short">  <label for="short">Short URLs - requires Apache with a PHP module (www.example.com/index.php/Page_name)</label><br /><input type="radio" name="urlscheme" value="tiny" id="petite">  <label for="petite">Tiny URLs - requires Apache on Linux/Unix/BSD with PHP module and mod_rewrite enabled (www.example.com/Page_name)</label></td></tr>
+be blank or "Enano".
+</td>
+<td>
+<input onkeyup="verify();" name="sitename" type="text" size="30" />
+</td>
+<td>
+<img id="s_name" alt="Good/bad icon" src="images/bad.gif" />
+</td>
+</tr>
+<tr>
+<td>
+<b>Website description</b><br />
+This text will be shown below the name of your website.
+</td>
+<td>
+<input onkeyup="verify();" name="sitedesc" type="text" size="30" />
+</td>
+<td>
+<img id="s_desc" alt="Good/bad icon" src="images/bad.gif" />
+</td>
+</tr>
+<tr>
+<td>
+<b>Copyright info</b><br />
+This should be a one-line legal notice that will appear at the bottom of all your pages.
+</td>
+<td>
+<input onkeyup="verify();" name="copyright" type="text" size="30" />
+</td>
+<td>
+<img id="s_copyright" alt="Good/bad icon" src="images/bad.gif" />
+</td>
+</tr>
+<tr>
+<td>
+<b>Wiki mode</b><br />
+This feature allows people to create and edit pages on your site. Enano keeps a history of all page modifications, and you can
+protect pages to prevent editing.
+</td>
+<td>
+<input name="wiki_mode" type="checkbox" id="wmcheck" />  <label for="wmcheck">Yes, make my website a wiki.</label>
+</td>
+<td>
+&nbsp;
+</td>
+</tr>
+<tr>
+<td>
+<b>URL scheme</b><br />
+Choose how the page URLs will look. Depending on your server configuration, you may need to select the first option. If you
+don't know, select the first option, and you can always change it later.
+</td>
+<td colspan="2">
+<input type="radio" <?php if(!is_apache()) echo 'checked="checked" '; ?>name="urlscheme" value="ugly" id="ugly"  />  <label for="ugly">Standard URLs - compatible with any web server (www.example.com/index.php?title=Page_name)</label><br />
+<input type="radio" <?php if(is_apache()) echo 'checked="checked" '; ?>name="urlscheme" value="short" id="short" />  <label for="short">Short URLs - requires Apache with a PHP module (www.example.com/index.php/Page_name)</label><br />
+<input type="radio" name="urlscheme" value="tiny" id="petite">  <label for="petite">Tiny URLs - requires Apache on Linux/Unix/BSD with PHP module and mod_rewrite enabled (www.example.com/Page_name)</label>
+</td>
+</tr>
 </table>
 <div class="pagenav">
 <table border="0">
 <tr>
-<td><input type="submit" value="Continue" onclick="return verify();" name="_cont" /></td><td><p><span style="font-weight: bold;">Before clicking continue:</span><br />&bull; Verify that your site information is correct. Again, all of the above settings can be changed from the administration panel.</p></td>
+<td>
-</tr>
+<input type="submit" value="Continue" onclick="return verify();" name="_cont" />
+</td>
+<td>
+<p>
+<span style="font-weight: bold;">Before clicking continue:</span><br />
+&bull; Verify that your site information is correct. Again, all of the above settings can be changed from the administration
+panel.
+</p>
+</td>
+</tr>
 </table>
 </div>
 </form>
 <?php
 break;
 echo '<input type="hidden" name="'.htmlspecialchars($k[$i]).'" value="'.htmlspecialchars($_POST[$k[$i]]).'" />'."\n";
 }
 ?>
 <p>Next, enter your desired username and password. The account you create here will be used to administer your site.</p>
 <table border="0">
-<tr><td><b>Administration username</b><br /><small>The administration username you will use to log into your site.<br />This cannot be "anonymous" or in the form of an IP address.</small></td><td><input onkeyup="verify();" name="admin_user" type="text" size="30" /></td><td><img id="s_user" alt="Good/bad icon" src="images/bad.gif" /></td></tr>
+<tr>
-<tr><td>Administration password:</td><td><input onkeyup="verify();" name="admin_pass" type="password" size="30" /></td><td rowspan="2"><img id="s_password" alt="Good/bad icon" src="images/bad.gif" /></td></tr>
+<td><b>Administration username</b><br /><small>The administration username you will use to log into your site.<br />This cannot be "anonymous" or in the form of an IP address.</small></td><td><input onkeyup="verify();" name="admin_user" type="text" size="30" /></td><td><img id="s_user" alt="Good/bad icon" src="images/bad.gif" /></td>
-<tr><td>Enter it again to confirm:</td><td><input onkeyup="verify();" name="admin_pass_confirm" type="password" size="30" /></td></tr>
+</tr>
-<tr><td>Your e-mail address:</td><td><input onkeyup="verify();" name="admin_email" type="text" size="30" /></td><td><img id="s_email" alt="Good/bad icon" src="images/bad.gif" /></td></tr>
+<tr>
+<td>Administration password:</td>
+<td><input onkeyup="verify();" name="admin_pass" type="password" size="30" /></td>
+<td rowspan="2"><img id="s_password" alt="Good/bad icon" src="images/bad.gif" /></td>
+</tr>
+<tr>
+<td>Enter it again to confirm:</td>
+<td><input onkeyup="verify();" name="admin_pass_confirm" type="password" size="30" /></td>
+</tr>
+<tr>
+<td>Your e-mail address:</td>
+<td><input onkeyup="verify();" name="admin_email" type="text" size="30" /></td>
+<td><img id="s_email" alt="Good/bad icon" src="images/bad.gif" /></td>
+</tr>
 <tr>
 <td>
 Allow administrators to embed PHP code into pages:<br />
 <small><span style="color: #D84308">Do not under any circumstances enable this option without reading these
 <a href="install.php?mode=pophelp&amp;topic=admin_embed_php"
 </tr>
 <tr><td colspan="3">If your browser supports Javascript, the password you enter here will be encrypted with AES before it is sent to the server.</td></tr>
 </table>
 <div class="pagenav">
 <table border="0">
 <tr>
-<td><input type="submit" value="Continue" onclick="return cryptdata();" name="_cont" /></td><td><p><span style="font-weight: bold;">Before clicking continue:</span><br />&bull; Remember the username and password you enter here! You will not be able to administer your site without the information you enter on this page.</p></td>
+<td>
-</tr>
+<input type="submit" value="Continue" onclick="return cryptdata();" name="_cont" />
+</td>
+<td>
+<p>
+<span style="font-weight: bold;">Before clicking continue:</span><br />
+&bull; Remember the username and password you enter here! You will not be able to administer your site without the
+information you enter on this page.
+</p>
+</td>
+</tr>
 </table>
 </div>
 <div id="cryptdebug"></div>
 <input type="hidden" name="use_crypt" value="no" />
 <input type="hidden" name="crypt_key" value="<?php echo $cryptkey; ?>" />
 <input type="hidden" name="crypt_data" value="" />
 </form>
 <script type="text/javascript">
 // <![CDATA[
 var frm = document.forms.login;
 frm.admin_user.focus();

changeset 250	acb9d021b860
parent 246	c9fd175289aa
child 251	275c70f80137
child 256	62ee6685ad18