Details
Type: Bug
Status: Done/Fixed
Priority: Critical
Resolution: Fixed/Completed
Affects Version/s: 4.6.3
Component/s: Core CiviCRM
Security Level: Security - Published
Labels: None
Documentation Required?: None
Funding Source: Contributed Code
Description
Pradeep, would you ensure that the $dbname contains only characters in [0-9,a-z,A-Z_], and does not consist of only [0-9] using a new test called requireValidDBName. Use the following:
array(
ts("MySQL %1 Configuration", array(1 => $dbName)),
ts("Is the provided database name valid?"),
ts("The database name provided is not valid. Please use only 0-9, a-z, A-Z and _ as characters in the name."),
)
I think a good place to put this validation test in 4.6 is just before https://github.com/civicrm/civicrm-core/blob/master/install/index.php#L383 . Note that if it fails we should prevent it from running https://github.com/civicrm/civicrm-core/blob/master/install/index.php#L1126.
Please modify that line and https://github.com/civicrm/civicrm-core/blob/master/install/index.php#L1259 so they use the following safe approach:
$query = sprintf("CREATE DATABASE %s",
mysql_real_escape_string($database));
Then replace
@mysql_query("CREATE DATABASE $database")
with
@mysql_query($query)
Please backport fix to 4.4 as well.
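The following is an added, stand-alone example written for this page; it is not CiviCRM's installer code and the function names isValidDBName and buildCreateDatabaseQuery are assumptions chosen here. It implements the check the ticket asks for (name made only of 0-9, a-z, A-Z and _, and not all digits) and then builds the CREATE DATABASE statement. Where the ticket uses mysql_real_escape_string(), this example instead quotes the name as a MySQL identifier with backticks: mysql_real_escape_string() escapes characters that matter inside string literals (quotes, backslashes, NUL) but leaves spaces and punctuation alone, so on its own it does not constrain an identifier; the regex check is what actually does the work, and the backtick quoting is a belt-and-braces step on top of it. The sample inputs at the bottom are constructed for the demonstration.

```php
<?php
// Added example (not CiviCRM's own code): a stand-alone version of the
// requireValidDBName check requested in this ticket, plus safe construction
// of the CREATE DATABASE statement.

/**
 * Return true when $dbName consists only of [0-9a-zA-Z_] and is not made up
 * solely of digits. Name chosen for this example.
 */
function isValidDBName($dbName) {
    if (!is_string($dbName) || $dbName === '') {
        return false;
    }
    // Only ASCII letters, digits and underscore are accepted.
    if (!preg_match('/^[0-9a-zA-Z_]+$/', $dbName)) {
        return false;
    }
    // A name consisting only of digits is rejected, as the ticket requires.
    if (preg_match('/^[0-9]+$/', $dbName)) {
        return false;
    }
    return true;
}

/**
 * Build the CREATE DATABASE statement for a validated name. The name is
 * additionally wrapped in backticks (any embedded backtick doubled), which is
 * MySQL's identifier quoting; this differs from the ticket's
 * mysql_real_escape_string() call, which is meant for string literals and
 * does not escape spaces or punctuation. Name chosen for this example.
 */
function buildCreateDatabaseQuery($dbName) {
    if (!isValidDBName($dbName)) {
        throw new InvalidArgumentException("Invalid database name: $dbName");
    }
    $quoted = '`' . str_replace('`', '``', $dbName) . '`';
    return sprintf('CREATE DATABASE %s', $quoted);
}

// Constructed sample inputs for a quick self-check.
$samples = array(
    'civicrm_prod' => true,
    'civi123'      => true,
    '12345'        => false,   // digits only
    'civi-crm'     => false,   // hyphen is not allowed
    'civi crm'     => false,   // whitespace is not allowed
);
foreach ($samples as $name => $expected) {
    $ok = isValidDBName($name);
    printf("%-12s -> %s%s\n", $name, $ok ? 'valid' : 'rejected',
        $ok === $expected ? '' : '  (UNEXPECTED)');
}
echo buildCreateDatabaseQuery('civicrm_prod'), "\n";
```

Run it with `php example.php`; the validation function has no database dependency, so it can be unit-tested in isolation, and in an installer the same check would run before any connection is opened, matching the ticket's point that a failed check must stop the CREATE DATABASE step from running at all.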