Diffstat (limited to 'install/index.php')
-rw-r--r--[-rwxr-xr-x] | install/index.php | 104 |
1 files changed, 45 insertions, 59 deletions
diff --git a/install/index.php b/install/index.php
index e4728fa73..6ff8acfbc 100755..100644
--- a/install/index.php
+++ b/install/index.php
@@ -10,7 +10,7 @@
 function javascript_tag($filename) {
 $query = "";
- if (!(strpos($filename, "?") === FALSE)) {
+ if (!(strpos($filename, "?") === false)) {
 $query = substr($filename, strpos($filename, "?")+1);
 $filename = substr($filename, 0, strpos($filename, "?"));
 }
@@ -151,35 +151,21 @@
 function make_config($DB_TYPE, $DB_HOST, $DB_USER, $DB_NAME, $DB_PASS, $DB_PORT, $SELF_URL_PATH) {
- $data = explode("\n", file_get_contents("../config.php-dist"));
-
- $rv = "";
-
- $finished = false;
-
- foreach ($data as $line) {
- if (preg_match("/define\('DB_TYPE'/", $line)) {
- $rv .= "\tdefine('DB_TYPE', '$DB_TYPE');\n";
- } else if (preg_match("/define\('DB_HOST'/", $line)) {
- $rv .= "\tdefine('DB_HOST', '$DB_HOST');\n";
- } else if (preg_match("/define\('DB_USER'/", $line)) {
- $rv .= "\tdefine('DB_USER', '$DB_USER');\n";
- } else if (preg_match("/define\('DB_NAME'/", $line)) {
- $rv .= "\tdefine('DB_NAME', '$DB_NAME');\n";
- } else if (preg_match("/define\('DB_PASS'/", $line)) {
- $rv .= "\tdefine('DB_PASS', '$DB_PASS');\n";
- } else if (preg_match("/define\('DB_PORT'/", $line)) {
- $rv .= "\tdefine('DB_PORT', '$DB_PORT');\n";
- } else if (preg_match("/define\('SELF_URL_PATH'/", $line)) {
- $rv .= "\tdefine('SELF_URL_PATH', '$SELF_URL_PATH');\n";
- } else if (!$finished) {
- $rv .= "$line\n";
- }
+ $rv = file_get_contents("../config.php-dist");
- if (preg_match("/\?\>/", $line)) {
- $finished = true;
- }
- }
+ $escape_chars = "\\'";
+
+ $settings = [
+ "%DB_TYPE" => $DB_TYPE == 'pgsql' ? 'pgsql' : 'mysql',
+ "%DB_HOST" => addcslashes($DB_HOST, $escape_chars),
+ "%DB_USER" => addcslashes($DB_USER, $escape_chars),
+ "%DB_NAME" => addcslashes($DB_NAME, $escape_chars),
+ "%DB_PASS" => addcslashes($DB_PASS, $escape_chars),
+ "%DB_PORT" => $DB_PORT ? intval($DB_PORT) : '',
+ "%SELF_URL_PATH" => addcslashes($SELF_URL_PATH, $escape_chars)
+ ];
+
+ $rv = str_replace(array_keys($settings), array_values($settings), $rv);
 return $rv;
 }
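Review bot: The new `$rv = str_replace(array_keys($settings), array_values($settings), $rv);` line substitutes the pairs one after another on the whole template, so a submitted value that itself contains a later placeholder (a host or user string containing `%DB_PASS`, for example) is rewritten again on the following pass and the generated config no longer matches the settings the installer just tested; `strtr()` does a single pass over the string, so `$rv = strtr($rv, $settings);` removes the problem. The `file_get_contents("../config.php-dist")` result is also used unchecked: on failure `$rv` is false and the replacement effectively yields an empty string, so a missing or unreadable template silently produces an empty config rather than an error, which a `=== false` check before the replacement would surface. Assuming config.php-dist wraps each placeholder in single quotes (the template is not in this diff), escaping only backslash and single quote with `addcslashes` is the right set for that context, and a short comment would make that dependency explicit, e.g. `// values are inserted into single-quoted PHP strings in config.php-dist; only \ and ' need escaping`.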
@@ -250,28 +236,28 @@
 <fieldset>
 <label>Username:</label>
- <input dojoType="dijit.form.TextBox" required name="DB_USER" size="20" value="<?php echo $DB_USER ?>"/>
+ <input dojoType="dijit.form.TextBox" required name="DB_USER" size="20" value="<?php echo htmlspecialchars($DB_USER) ?>"/>
 </fieldset>
 <fieldset>
 <label>Password:</label>
- <input dojoType="dijit.form.TextBox" name="DB_PASS" size="20" type="password" value="<?php echo $DB_PASS ?>"/>
+ <input dojoType="dijit.form.TextBox" name="DB_PASS" size="20" type="password" value="<?php echo htmlspecialchars($DB_PASS) ?>"/>
 </fieldset>
 <fieldset>
 <label>Database name:</label>
- <input dojoType="dijit.form.TextBox" required name="DB_NAME" size="20" value="<?php echo $DB_NAME ?>"/>
+ <input dojoType="dijit.form.TextBox" required name="DB_NAME" size="20" value="<?php echo htmlspecialchars($DB_NAME) ?>"/>
 </fieldset>
 <fieldset>
 <label>Host name:</label>
- <input dojoType="dijit.form.TextBox" name="DB_HOST" size="20" value="<?php echo $DB_HOST ?>"/>
+ <input dojoType="dijit.form.TextBox" name="DB_HOST" size="20" value="<?php echo htmlspecialchars($DB_HOST) ?>"/>
 <span class="hint">If needed</span>
 </fieldset>
 <fieldset>
 <label>Port:</label>
- <input dojoType="dijit.form.TextBox" name="DB_PORT" type="number" size="20" value="<?php echo $DB_PORT ?>"/>
+ <input dojoType="dijit.form.TextBox" name="DB_PORT" type="number" size="20" value="<?php echo htmlspecialchars($DB_PORT) ?>"/>
 <span class="hint">Usually 3306 for MySQL or 5432 for PostgreSQL</span>
 </fieldset>
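Review bot: `htmlspecialchars($DB_USER)` and the sibling calls in this hunk rely on the function's default flags, and the same pattern repeats in the hunks at -281, -352, -378, -398 and -456. Without `ENT_SUBSTITUTE`, an input that contains an invalid UTF-8 sequence makes htmlspecialchars return an empty string, so a value such as a password with non-UTF-8 bytes would be silently blanked in the form and hidden fields and the next step would run with different credentials than the ones just tested; on PHP before 8.1 the default flags also leave single quotes unescaped, which is only safe while every attribute here stays double-quoted. Suggest `htmlspecialchars($DB_USER, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` at each site, or one small local helper so the flags are chosen once rather than at a dozen call sites. The enclosing PHP/HTML block starts and ends outside the hunk.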
@@ -281,7 +267,7 @@
 <fieldset>
 <label>Tiny Tiny RSS URL:</label>
- <input dojoType="dijit.form.TextBox" type="url" name="SELF_URL_PATH" placeholder="<?php echo $SELF_URL_PATH; ?>" value="<?php echo $SELF_URL_PATH ?>"/>
+ <input dojoType="dijit.form.TextBox" type="url" name="SELF_URL_PATH" placeholder="<?php echo htmlspecialchars($SELF_URL_PATH); ?>" value="<?php echo htmlspecialchars($SELF_URL_PATH) ?>"/>
 </fieldset>
 <p><button type="submit" dojoType="dijit.form.Button" class="alt-primary">Test configuration</button></p>
@@ -352,7 +338,7 @@
 $pdo = pdo_connect($DB_HOST, $DB_USER, $DB_PASS, $DB_NAME, $DB_TYPE, $DB_PORT);
 if (!$pdo) {
- print_error("Unable to connect to database using specified parameters (driver: $DB_TYPE).");
+ print_error("Unable to connect to database using specified parameters (driver: " . htmlspecialchars($DB_TYPE) . ").");
 exit;
 }
@@ -378,13 +364,13 @@
 <form method="post">
 <input type="hidden" name="op" value="installschema">
- <input type="hidden" name="DB_USER" value="<?php echo $DB_USER ?>"/>
- <input type="hidden" name="DB_PASS" value="<?php echo $DB_PASS ?>"/>
- <input type="hidden" name="DB_NAME" value="<?php echo $DB_NAME ?>"/>
- <input type="hidden" name="DB_HOST" value="<?php echo $DB_HOST ?>"/>
- <input type="hidden" name="DB_PORT" value="<?php echo $DB_PORT ?>"/>
- <input type="hidden" name="DB_TYPE" value="<?php echo $DB_TYPE ?>"/>
- <input type="hidden" name="SELF_URL_PATH" value="<?php echo $SELF_URL_PATH ?>"/>
+ <input type="hidden" name="DB_USER" value="<?php echo htmlspecialchars($DB_USER) ?>"/>
+ <input type="hidden" name="DB_PASS" value="<?php echo htmlspecialchars($DB_PASS) ?>"/>
+ <input type="hidden" name="DB_NAME" value="<?php echo htmlspecialchars($DB_NAME) ?>"/>
+ <input type="hidden" name="DB_HOST" value="<?php echo htmlspecialchars($DB_HOST) ?>"/>
+ <input type="hidden" name="DB_PORT" value="<?php echo htmlspecialchars($DB_PORT) ?>"/>
+ <input type="hidden" name="DB_TYPE" value="<?php echo htmlspecialchars($DB_TYPE) ?>"/>
+ <input type="hidden" name="SELF_URL_PATH" value="<?php echo htmlspecialchars($SELF_URL_PATH) ?>"/>
 <p>
 <?php if ($need_confirm) { ?>
@@ -398,13 +384,13 @@
 </td><td>
 <form method="post">
- <input type="hidden" name="DB_USER" value="<?php echo $DB_USER ?>"/>
- <input type="hidden" name="DB_PASS" value="<?php echo $DB_PASS ?>"/>
- <input type="hidden" name="DB_NAME" value="<?php echo $DB_NAME ?>"/>
- <input type="hidden" name="DB_HOST" value="<?php echo $DB_HOST ?>"/>
- <input type="hidden" name="DB_PORT" value="<?php echo $DB_PORT ?>"/>
- <input type="hidden" name="DB_TYPE" value="<?php echo $DB_TYPE ?>"/>
- <input type="hidden" name="SELF_URL_PATH" value="<?php echo $SELF_URL_PATH ?>"/>
+ <input type="hidden" name="DB_USER" value="<?php echo htmlspecialchars($DB_USER) ?>"/>
+ <input type="hidden" name="DB_PASS" value="<?php echo htmlspecialchars($DB_PASS) ?>"/>
+ <input type="hidden" name="DB_NAME" value="<?php echo htmlspecialchars($DB_NAME) ?>"/>
+ <input type="hidden" name="DB_HOST" value="<?php echo htmlspecialchars($DB_HOST) ?>"/>
+ <input type="hidden" name="DB_PORT" value="<?php echo htmlspecialchars($DB_PORT) ?>"/>
+ <input type="hidden" name="DB_TYPE" value="<?php echo htmlspecialchars($DB_TYPE) ?>"/>
+ <input type="hidden" name="SELF_URL_PATH" value="<?php echo htmlspecialchars($SELF_URL_PATH) ?>"/>
 <input type="hidden" name="op" value="skipschema">
@@ -456,16 +442,16 @@
 <form action="" method="post">
 <input type="hidden" name="op" value="saveconfig">
- <input type="hidden" name="DB_USER" value="<?php echo $DB_USER ?>"/>
- <input type="hidden" name="DB_PASS" value="<?php echo $DB_PASS ?>"/>
- <input type="hidden" name="DB_NAME" value="<?php echo $DB_NAME ?>"/>
- <input type="hidden" name="DB_HOST" value="<?php echo $DB_HOST ?>"/>
- <input type="hidden" name="DB_PORT" value="<?php echo $DB_PORT ?>"/>
- <input type="hidden" name="DB_TYPE" value="<?php echo $DB_TYPE ?>"/>
- <input type="hidden" name="SELF_URL_PATH" value="<?php echo $SELF_URL_PATH ?>"/>
+ <input type="hidden" name="DB_USER" value="<?php echo htmlspecialchars($DB_USER) ?>"/>
+ <input type="hidden" name="DB_PASS" value="<?php echo htmlspecialchars($DB_PASS) ?>"/>
+ <input type="hidden" name="DB_NAME" value="<?php echo htmlspecialchars($DB_NAME) ?>"/>
+ <input type="hidden" name="DB_HOST" value="<?php echo htmlspecialchars($DB_HOST) ?>"/>
+ <input type="hidden" name="DB_PORT" value="<?php echo htmlspecialchars($DB_PORT) ?>"/>
+ <input type="hidden" name="DB_TYPE" value="<?php echo htmlspecialchars($DB_TYPE) ?>"/>
+ <input type="hidden" name="SELF_URL_PATH" value="<?php echo htmlspecialchars($SELF_URL_PATH) ?>"/>
 <?php
 print "<textarea rows='20' style='width : 100%'>";
- echo make_config($DB_TYPE, $DB_HOST, $DB_USER, $DB_NAME, $DB_PASS,
- $DB_PORT, $SELF_URL_PATH);
+ echo htmlspecialchars(make_config($DB_TYPE, $DB_HOST, $DB_USER, $DB_NAME, $DB_PASS,
+ $DB_PORT, $SELF_URL_PATH));
 print "</textarea>";
 ?>
 <hr/>