
Installation MySQL Strong Password Bug and Solution


cilynx
May 21st, 2006, 05:25 PM
I use strong passwords (things with weird characters) and when going to do the install, I ran into some issues:

The install looked good, then failed claiming missing tables when it tried to run. I checked out the MySQL database by hand and indeed, the tables were never created. I actively remembered seeing "Success" on the install page, so I dug into the code. The problem is two-fold:

1) In the exec call to insert the tables, the username and password are not quoted. This leaves many annoyances, not to mention gaping security holes, when a complex password is entered. In my case, the password I was using had a ';' in it. That was enough to kill the command. I blew away the install and tried again, editing install2.php this time to have the u/p quoted and it worked fine.

2) "Success". Looking at the code, there is no check for success before printing such on the display. It's not too hard to check if a table exists. Good form would do so before telling your user that it's definitely there.

----------

On a different note, I think this product is a beautiful idea and I hope it goes far.

TTT_travis
May 22nd, 2006, 12:07 AM
I use strong passwords (things with weird characters) and when going to do the install, I ran into some issues:

The install looked good, then failed claiming missing tables when it tried to run. I checked out the MySQL database by hand and indeed, the tables were never created. I actively remembered seeing "Success" on the install page, so I dug into the code. The problem is two-fold:

1) In the exec call to insert the tables, the username and password are not quoted. This leaves many annoyances, not to mention gaping security holes, when a complex password is entered. In my case, the password I was using had a ';' in it. That was enough to kill the command. I blew away the install and tried again, editing install2.php this time to have the u/p quoted and it worked fine.

2) "Success". Looking at the code, there is no check for success before printing such on the display. It's not too hard to check if a table exists. Good form would do so before telling your user that it's definitely there.

----------

On a different note, I think this product is a beautiful idea and I hope it goes far.

Yes, sorry, I still need to use the escapeshell functions and I need to make the successes actually check. I have fixed most of these already; actually, the installer was kinda half-as... because of my lack of 1337 php skillz ;)

Travis
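Both points raised in the thread, the unquoted credentials in the exec call and the unconditional "Success" message, shown as an added PHP example that is not the project's own install2.php. It assumes the installer shells out to the mysql client to load a tables.sql file; the connection values, file path and table names are placeholders.

```php
<?php
// Added example, not the project's own install2.php. It assumes the installer
// shells out to the mysql client to load a tables.sql file (the "exec call" the
// thread describes); connection values and table names below are placeholders.
$host = 'localhost';
$user = 'pda_user';
$pass = 'p4ss;word!';   // a "strong" password containing ';'
$db   = 'pda';
$sql  = __DIR__ . '/install/tables.sql';

// The bug: raw credentials dropped into the command string. The shell treats
// the ';' in the password as a command separator, so mysql receives a
// truncated password and the tables are never created.
$unsafe = "mysql -h $host -u $user -p$pass $db < $sql";

// The fix: wrap every interpolated value with escapeshellarg(), which
// single-quotes it and escapes embedded quotes, so each value reaches mysql
// as exactly one argument no matter which characters it contains.
$safe = sprintf(
    'mysql -h %s -u %s -p%s %s < %s',
    escapeshellarg($host),
    escapeshellarg($user),
    escapeshellarg($pass),
    escapeshellarg($db),
    escapeshellarg($sql)
);

// The second point: verify the tables really exist before printing "Success",
// by asking information_schema rather than trusting the exit code alone.
function missingTables(PDO $pdo, string $db, array $expected): array
{
    $stmt = $pdo->prepare(
        'SELECT TABLE_NAME FROM information_schema.TABLES WHERE TABLE_SCHEMA = ?'
    );
    $stmt->execute([$db]);
    $present = $stmt->fetchAll(PDO::FETCH_COLUMN);
    return array_values(array_diff($expected, $present));
}

exec($safe, $output, $exitCode);
$pdo = new PDO("mysql:host=$host;dbname=$db", $user, $pass);
$missing = missingTables($pdo, $db, ['users', 'items']);   // placeholder names

if ($exitCode === 0 && $missing === []) {
    echo "Success\n";
} else {
    echo "Install failed (mysql exit code $exitCode); missing tables: "
        . implode(', ', $missing) . "\n";
}
```

Passing the password on the command line also leaves it visible in the process list, so running the schema statements through the PDO connection instead of the shell is the cleaner option.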