
Revision 1885

Added by Dietmar over 11 years ago

  1. protect magic setter to fix security issue in WbDatabase
    + additional arguments for Charset and TablePrefix in WbDatabase::doConnect
    + WbDatabase now can activate SET NAMES by doConnect argument
    + WbDatabase now also provides a TablePrefix property (WbDatabase::TablePrefix)
    + initialize.php now also supports Charset and TablePrefix settings from setup.ini.php
    ! in setup.ini.php some keys are renamed (WB_URL => AppUrl and ADMIN_DIRECTORY => AcpDir)


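--- a/save.php
+++ b/save.php
@@ -93,8 +93,24 @@
 		if(is_readable($sSetupFile)) {
 			$aCfg = parse_ini_file($sSetupFile, true);
 			foreach($aCfg['Constants'] as $key=>$value) {
-				if($key == 'debug') { $value = filter_var($value, FILTER_VALIDATE_BOOLEAN); }
-				if(!defined(strtoupper($key))) { define(strtoupper($key), $value); }
+				switch($key):
+					case 'DEBUG':
+						$value = filter_var($value, FILTER_VALIDATE_BOOLEAN);
+						break;
+					case 'WB_URL':
+					case 'AppUrl':
+						$value = trim(str_replace('\\', '/', $value), '/'); 
+						if(!defined('WB_URL')) { define('WB_URL', $value); }
+						break;
+					case 'ADMIN_DIRECTORY':
+					case 'AcpDir':
+						$value = trim(str_replace('\\', '/', $value), '/'); 
+						if(!defined('ADMIN_DIRECTORY')) { define('ADMIN_DIRECTORY', $value); }
+						break;
+					default:
+						if(!defined($key)) { define($key, $value); }
+						break;
+				endswitch;
 			}
 			$db = $aCfg['DataBase'];
 			$db['type'] = isset($db['type']) ? $db['type'] : 'mysql';
@@ -114,7 +130,8 @@
 				$aRetval[2] = array( 'user' => $db['user'], 'pass' => $db['pass']);
 			}else { // $sRetvalType == 'url'
 				$aRetval[0] = $db['type'].'://'.$db['user'].':'.$db['pass'].'@'
-				            . $db['host'].($db['port'] != '' ? ':'.$db['port'] : '').'/'.$db['name'];
+				            . $db['host'].($db['port'] != '' ? ':'.$db['port'] : '').'/'.$db['name']
+				            . '?Charset='.$db['charset'].'&TablePrefix='.$db['table_prefix'];
 			}
 			unset($db, $aCfg);
 			return $aRetval;
@@ -243,7 +260,7 @@
 	$wb_url = $_POST['wb_url'];
 }
 // Remove any slashes at the end of the URL
-$wb_url = rtrim($wb_url,'/\\');
+$wb_url = trim(str_replace('\\', '/', $wb_url), '/').'/';
 // Get the default time zone
 if(!isset($_POST['default_timezone']) OR !is_numeric($_POST['default_timezone'])) {
 	set_error('Please select a valid default timezone', 'default_timezone');
@@ -378,9 +395,9 @@
 ."; auto generated ".date('Y-m-d h:i:s A e ')."\n"
 .";################################################\n"
 ."[Constants]\n"
-."debug     = false\n"
-."wb_url    = ".$wb_url."\n"
-."admin_directory = admin\n"
+."DEBUG   = false\n"
+."AppUrl  = ".$wb_url."\n"
+."AcpDir  = admin/\n"
 .";##########\n"
 ."[DataBase]\n"
 ."type    = \"mysql\"\n"
@@ -427,7 +444,7 @@
 	}else {
 		$bTmp = @$database->doConnect($aSqlData[0], TABLE_PREFIX);
 	}
-} catch (RuntimeException $e) {
+} catch (WbDatabaseException $e) {
 	if(!file_put_contents($sConfigFile,"<?php\n")) {
 		set_error("Cannot write to the configuration file ($sSetupFile)");
 	}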
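Review bot: In the `[Constants]` template, the new line `."AppUrl  = ".$wb_url."\n"` still writes a value that originates from `$_POST['wb_url']` into the setup file unquoted, and the new normalisation at line 263 only rewrites slashes, so nothing visible here restricts it to a single-line URL. Because the reader's `default:` branch (new line 111) defines a constant for every key it finds in that section, a value that is not one clean line can alter more of the configuration than the URL itself. Unless a check exists in the lines between these hunks, I would reject the input before it is written, e.g. `if(filter_var($wb_url, FILTER_VALIDATE_URL) === false || strpbrk($wb_url, "\"\r\n") !== false) { set_error('Please enter a valid URL', 'wb_url'); }`, and emit the value quoted the way the `type` entry already is. The string concatenation and the surrounding installer logic start and end outside the hunks shown, so this should be confirmed against the full file.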
