Submitting database values via install.php from POST


Post by Wolf_22 »

I'm trying to create my own install operation that will basically replicate what the WordPress install does. Of course, I have my own little tidbits and whatnot included in this, so it's a different approach altogether.

My question about what I'm doing so far pertains to the values received from the POST inputs. I'm wanting to initialize the "databaseName", "databaseUsername", "databasePassword", etc. variables as having no values. These values will be set to whatever the administrator sets them to from the install.php file via the POST inputs. WordPress makes you FTP into the web space to manually edit a config file. What I'm wanting to do is give the administrator the ability to do that operation through the browser.

One problem I'm running into is the following:

Code:

            <fieldset>
                <legend>Database Management</legend>
                <form action="<?php echo ABSPATH;?>backside/inc/constants.php" method="post">
                    <ul>
                        <li><label>Database Name:</label> <input type="text" name="dirty_db_name" /></li>
                        <li><label>Database Username:</label> <input type="text" name="dirty_db_user" /></li>
                        <li><label>Database Password:</label> <input type="text" name="dirty_db_pass" /></li>
                        <li><label>Database Host:</label> <input type="text" name="dirty_db_host" /></li>
                        <li><label>Database Prefix:</label> <input type="text" name="dirty_db_prefix" /></li>
                        <li><label>In Development Mode?:</label> <input type="checkbox" name="tutorial" value="HTML" /></li>
                    </ul>
                    <p><input type="submit" value="Submit" /></p> 
                </form> 
            </fieldset>
From the above, you can see that I'm using POST to do all this. Remember that I'm trying to make the variables in constants.php be initialized as having nothing, but when the admin submits values in the above within install.php, those values will then be sent over to the constants.php to be set as constants.

Is this possible, or am I making this way worse than it has to be? :?

Re: Submitting database values via install.php from POST

Post by kaisellgren »

You can do that. Just fopen() the file to modify and enter the credentials there. If it's not writable, try chmod()'ing it and if that fails, too, then you can't do this.

Re: Submitting database values via install.php from POST

Post by Wolf_22 »

Thanks Kai. I'll give that a try tonight and see what happens. I'm assuming that any previous values for any values already given to those variables will simply be overwritten if and when it's used in conjunction with the fopen?

Re: Submitting database values via install.php from POST

Post by kaisellgren »

Well I don't know the exact situation, but hopefully this helps:

config.php

Code:

<?php
 
$dbhost = '...';
$dbname = '...';
$dbuser = '...';
$dbpass = '...';
 
$someotherconfigvalues = '...';
$someotherconfigvalues = '...';
 
?>
Changer.php

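Code:

<?php
// $dbhost holds the submitted value; var_export() quotes and escapes it, and the callback keeps "$1" or "\1" in it from acting as a backreference.
$configdata = file_get_contents('config.php');
$configdata = preg_replace_callback('#\\$dbhost = \'.*?\';#', function () use ($dbhost) {
    return '$dbhost = ' . var_export($dbhost, true) . ';';
}, $configdata);
// ... (repeat for the other values)
file_put_contents('config.php',$configdata);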
That's from the top of my head, not sure if it works exactly, but something similar should work.

Edit: what the heck, the highlighter is f*ed up? It strips out my slashes *sigh*
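An added example, not code from the thread: one way to generate the config file from the form fields above so that a submitted value is always written as data and can never close its string literal and become PHP code. The function names, the length and character limits, the file mode and the demo path are assumptions.

```php
<?php
// Added example; field names are from the form above, everything else is assumed.
const FIELDS = ['dbhost' => 'dirty_db_host', 'dbname' => 'dirty_db_name',
                'dbuser' => 'dirty_db_user', 'dbpass' => 'dirty_db_pass',
                'dbprefix' => 'dirty_db_prefix'];

function build_config(array $post): string
{
    $out = "<?php\n";
    foreach (FIELDS as $var => $field) {
        $value = $post[$field] ?? '';
        if (!is_string($value) || strlen($value) > 255 || preg_match('/[\x00-\x1f\x7f]/', $value)) {
            throw new InvalidArgumentException("Bad value for $field");
        }
        // The prefix ends up in table names, so allow identifier characters only.
        if ($var === 'dbprefix' && !preg_match('/^[A-Za-z0-9_]{0,32}$/', $value)) {
            throw new InvalidArgumentException('Bad table prefix');
        }
        // var_export() emits a single-quoted literal with ' and \ escaped,
        // so the value cannot end the string and add statements to the file.
        $out .= '$' . $var . ' = ' . var_export($value, true) . ";\n";
    }
    return $out;
}

function write_config(string $path, string $contents): void
{
    // Write a temp file in the same directory, then rename it into place,
    // so a failed write never leaves a half-written config behind.
    $tmp = tempnam(dirname($path), 'cfg');
    if ($tmp === false || file_put_contents($tmp, $contents, LOCK_EX) === false) {
        throw new RuntimeException('Cannot write config');
    }
    chmod($tmp, 0600);                 // credentials: owner read/write only
    if (!rename($tmp, $path)) {
        unlink($tmp);
        throw new RuntimeException('Cannot replace config');
    }
}

// Constructed input: a password containing a quote, a backslash and "$1".
$post = ['dirty_db_host' => 'localhost', 'dirty_db_name' => 'app', 'dirty_db_user' => 'app',
         'dirty_db_pass' => "it's \\ \$1", 'dirty_db_prefix' => 'app_'];
$path = sys_get_temp_dir() . '/config_demo.php';
write_config($path, build_config($post));
include $path;                                  // loads $dbhost, $dbname, ... from the file
var_dump($dbpass === $post['dirty_db_pass']);   // compares the loaded value with the submitted one
unlink($path);
```

The form should post to the installer script that calls these functions rather than to the config file itself, and the installer should refuse to run once the config file exists.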