No input sanitizing, no error handling on installation
Posted: Sun Feb 05, 2006 7:27 pm
Hi,
when I installed s9y yesterday, I chose "mh-s9y" as database user name and database and table name prefix.
s9y happily accepted these names (while it shouldn't have if "-" is a forbidden character in MySQL table names), and proceeded to issue SQL statements with the broken name. All of them were rejected and caused SQL errors, but s9y continued to issue SQL commands and finally said "success" (error handling either not present or badly broken).
Afterwards, s9y refused to enter configuration state again since it thought it was successfully configured. I had to empty serendipity_config_local.php.inc to be allowed to undo my mistake.
Greetings
Marc
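
An added example, not part of the original post and not Serendipity's own code: one way an installer can reject a prefix such as "mh-s9y" before any SQL is built, stop at the first failed statement, and write its "installed" marker only after every statement succeeded. The function names, the marker file path, the prefix rule and the use of in-memory SQLite in place of MySQL are all assumptions made for the illustration.

```php
<?php
// Added example with hypothetical names; not Serendipity code.

// Conservative rule (an assumption): only characters that are valid in an
// unquoted SQL identifier, so the prefix never needs quoting or escaping.
function validate_prefix(string $prefix): bool {
    return preg_match('/^[A-Za-z_][A-Za-z0-9_]{0,31}$/', $prefix) === 1;
}

// Runs every installation statement. Returns a list of errors (empty means
// success). The marker file is written only if all statements succeeded.
function install(PDO $db, string $prefix, string $markerFile): array {
    if (!validate_prefix($prefix)) {
        return ["Invalid table prefix '$prefix': use letters, digits and '_' only"];
    }
    $statements = [
        "CREATE TABLE {$prefix}config (name VARCHAR(255) PRIMARY KEY, value TEXT)",
        "CREATE TABLE {$prefix}entries (id INTEGER PRIMARY KEY, title VARCHAR(200))",
    ];
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    try {
        foreach ($statements as $sql) {
            $db->exec($sql); // throws on the first SQL error
        }
    } catch (PDOException $e) {
        return ['Installation aborted: ' . $e->getMessage()];
    }
    // Reached only when every statement ran without error.
    file_put_contents($markerFile, "<?php // installed, prefix=$prefix\n");
    return [];
}

// Constructed demo: in-memory SQLite stands in for the MySQL server.
$marker = sys_get_temp_dir() . '/demo_config_local.inc.php';
@unlink($marker);
foreach (['mh-s9y_', 'mh_s9y_'] as $prefix) {
    $errors = install(new PDO('sqlite::memory:'), $prefix, $marker);
    printf("%-8s => %s, marker written: %s\n", $prefix,
        $errors ? $errors[0] : 'success', file_exists($marker) ? 'yes' : 'no');
}
```

The hyphenated prefix is refused with a message and leaves no marker behind, so the installer can be run again without editing files by hand.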