diff -r f4323fa79313 -r 275c70f80137 install.php --- a/install.php Fri Nov 09 18:09:29 2007 -0500 +++ b/install.php Fri Nov 09 23:39:52 2007 -0500 @@ -193,9 +193,8 @@ $db_pass =& $_POST['db_pass']; $db_name =& $_POST['db_name']; - if ( !preg_match('/^[a-z0-9_]+$/', $db_name) ) + if ( !preg_match('/^[a-z0-9_-]+$/', $db_name) ) { - die('
' . htmlspecialchars(print_r($_POST, true)) . ''); $db_name = htmlspecialchars($db_name); die("
SECURITY: malformed database name \"$db_name\"
"); } @@ -244,9 +243,16 @@ return false; } } + mysql_close($conn_root); + $conn = @mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']); + if ( !$conn ) + { + // This should honestly never happen. + return false; + } } } - $q = @mysql_query("USE $db_name;", $conn); + $q = @mysql_query("USE `$db_name`;", $conn); if ( !$q ) { // access denied to the database; try the whole root schenanegan again @@ -259,7 +265,7 @@ return false; } // create the database, if it doesn't exist - $q = @mysql_query("CREATE DATABASE IF NOT EXISTS $db_name;", $conn_root); + $q = @mysql_query("CREATE DATABASE IF NOT EXISTS `$db_name`;", $conn_root); if ( !$q ) { // this really should never fail, so don't give any tolerance to it @@ -269,26 +275,34 @@ $db_user = mysql_real_escape_string($_POST['db_user']); $db_pass = mysql_real_escape_string($_POST['db_pass']); // we're in with root rights; grant access to the database - $q = @mysql_query("GRANT ALL PRIVILEGES ON $db_name.* TO '{$db_user}'@'localhost';", $conn_root); + $q = @mysql_query("GRANT ALL PRIVILEGES ON `$db_name`.* TO '{$db_user}'@'localhost';", $conn_root); if ( !$q ) { return false; } if ( $_POST['db_host'] != 'localhost' && $_POST['db_host'] != '127.0.0.1' && $_POST['db_host'] != '::1' ) { - $q = @mysql_query("GRANT ALL PRIVILEGES ON $db_name.* TO '{$db_user}'@'%';", $conn_root); + $q = @mysql_query("GRANT ALL PRIVILEGES ON `$db_name`.* TO '{$db_user}'@'%';", $conn_root); if ( !$q ) { return false; } } + mysql_close($conn_root); + // grant tables have hopefully been flushed, kill and reconnect our regular user connection + mysql_close($conn); + $conn = @mysql_connect($_POST['db_host'], $_POST['db_user'], $_POST['db_pass']); + if ( !$conn ) + { + return false; + } } else { return false; } // try again - $q = @mysql_query("USE $db_name;", $conn); + $q = @mysql_query("USE `$db_name`;", $conn); if ( !$q ) { // really failed this time; bail out