One of the things that was holding me back was the lack of an installation script: something that asks the user for the address of the database, its username and password, and the details needed to create the admin account. So today's project was to write that page.
In the process I discovered some problems in my database classes. mysql_real_escape_string() cannot be applied to the query as a whole - it has to be applied to each parameter individually, before that parameter is placed inside the quotes of the query. I updated Query() and added a new function, EscapeString():
```php
// Escapes a string to protect against SQL injection.
// Numeric values are returned untouched; anything else is escaped using
// the character set of the current connection. The caller is still
// responsible for putting quotes around the result inside the query.
function EscapeString($str)
{
    if (!is_numeric($str))
        return mysql_real_escape_string($str, $this->link);
    else
        return $str;
}

// Performs a query.
// It is assumed that the query is safe, i.e. that every parameter in it
// has already been passed through EscapeString() and quoted.
function Query($query)
{
    $result = mysql_query($query, $this->link);
    if (!$result) {
        $this->error = mysql_error($this->link);
        return false;
    } else {
        $this->error = '';
        return new QueryResult($result, $this->link);
    }
}
```
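To make the "escape the parameter, not the query" point concrete, here is an added example (not part of the original post or the CMS). Because mysql_real_escape_string() needs an open connection, the example uses EscapeLikeMySQL(), a stand-in that applies the same character rules so the script runs offline; BuildQuery() and the inputs are my own constructions, not functions from the project.

```php
<?php
// Added example: per-parameter escaping with placeholder substitution.
//
// EscapeLikeMySQL() is a stand-in for mysql_real_escape_string() so that
// this runs without a database server. It backslash-escapes the same
// bytes: NUL, newline, carriage return, backslash, single quote, double
// quote and Ctrl-Z. With a live link you would pass a callback that calls
// mysql_real_escape_string($str, $link) instead.
function EscapeLikeMySQL($str)
{
    return strtr($str, array(
        "\0"   => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        '\\'   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ));
}

// Builds a query from a template that uses ? as a placeholder.
// Every parameter is escaped on its own and then wrapped in single quotes;
// PHP integers are emitted bare and NULL as NULL. A "numeric looking"
// string such as "1 OR 1=1" therefore never lands in the query unquoted:
// callers that want a bare number must hand over a real int.
// (A literal ? elsewhere in the template would be taken as a placeholder.)
function BuildQuery($template, array $params, $escape = 'EscapeLikeMySQL')
{
    $parts = explode('?', $template);
    if (count($parts) - 1 !== count($params)) {
        throw new InvalidArgumentException('placeholder/parameter count mismatch');
    }
    $sql = $parts[0];
    foreach (array_values($params) as $i => $value) {
        if (is_int($value)) {
            $literal = (string) $value;
        } elseif ($value === null) {
            $literal = 'NULL';
        } else {
            $literal = "'" . call_user_func($escape, (string) $value) . "'";
        }
        $sql .= $literal . $parts[$i + 1];
    }
    return $sql;
}

// Constructed inputs: a legitimate name containing an apostrophe and a
// classic injection attempt.
$name   = "O'Brien";
$attack = "admin' OR '1'='1";

// Wrong: escaping the finished query also escapes the query's own quotes,
// so the statement no longer parses.
$whole = EscapeLikeMySQL("SELECT ID FROM Users WHERE Name = '$name'");
echo $whole, "\n";

// Right: escape and quote each parameter, then assemble.
echo BuildQuery('SELECT ID FROM Users WHERE Name = ? AND Type = ?',
                array($attack, 'Admin')), "\n";

// An ID that came in as a string is cast before use, so the injected
// clause is dropped rather than concatenated.
echo BuildQuery('SELECT ID FROM Users WHERE ID = ?',
                array((int) '1 OR 1=1')), "\n";
```

In the first echo every quote in the statement has been backslashed, including the two that delimit the literal, which is why whole-query escaping fails. In the second, the attacker's quote is kept inside the literal as \' and the OR never reaches the parser as SQL. EscapeString() above leaves numeric strings alone and relies on the caller to add the quotes; BuildQuery() quotes everything that is not a PHP integer so the caller cannot forget. On current PHP the mysql_* extension no longer exists; the equivalent is a prepared statement through mysqli or PDO, which does this binding for you.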
I also made some changes to the QueryResult class to prevent the warnings that came up when $result comes from a query like UPDATE or INSERT, which returns TRUE rather than a result resource.
I fixed a bug in RegisterUser() in which I wasn't quoting the hash of the password or the join date, and sometime during my period of not posting I switched from MD5 to SHA1 for hashing the password.
Here is my installation script:
```php
<?php
/************************************************************************
 *
 * Title: Installation
 * Author: Colin Jeanne (http://colinjeanne.net)
 * Date: May 23, 2005
 *
 * Description:
 * Gets information to access the database
 * Creates cms-settings.php and tables for modules and users
 *
 ************************************************************************/
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <title>CMS Installation</title>
</head>
<body>
<?php
if (isset($_POST['action'])) {
    // The form was submitted
    $f = fopen('cms-settings.php', 'wt');
    if ($f === false)
        exit("Could not open cms-settings.php for write access");

    // Attempt to write necessary variables to cms-settings.php.
    // Each value is emitted with var_export() so that a quote or backslash
    // in what the user typed stays inside the string literal instead of
    // ending it and being executed as PHP when the settings file is loaded.
    if (fputs($f, "<?php\n") === false)
        exit("Could not write to cms-settings.php");
    foreach (array('dbserver', 'dbusername', 'dbpassword', 'dbname') as $name) {
        $value = isset($_POST[$name]) ? (string) $_POST[$name] : '';
        $line  = ' $' . $name . ' = ' . var_export($value, true) . ";\n";
        if (fputs($f, $line) === false)
            exit("Could not write to cms-settings.php");
    }
    if (fputs($f, "?>\n") === false)
        exit("Could not write to cms-settings.php");
    fclose($f);

    // Load the database class (which loads the newly created
    // cms-settings.php) and create the central user table and the module
    // registration table
    require_once('db-class.php');
    $db = new Database;
    $db->Connect();
    if ($db->error != '')
        exit("Could not connect to database");

    $result = $db->CreateTable('admin', 'Users',
        '(ID MEDIUMINT UNSIGNED AUTO_INCREMENT PRIMARY KEY, ' .
        'Name VARCHAR(25), ' .
        'Password CHAR(40), ' .
        'Email VARCHAR(255), ' .
        'JoinDate DATE DEFAULT \'0000-00-00\', ' .
        'Type ENUM(\'Admin\', \'Peon\') DEFAULT \'Peon\')');
    if ($result == false) {
        $db->Disconnect();
        exit("Could not create user table: $db->error");
    }
    $result->FreeResult();

    $result = $db->CreateTable('admin', 'Registered',
        '(Name VARCHAR(16) PRIMARY KEY, ' .
        'Path VARCHAR(255), ' .
        'Frontpage BOOL DEFAULT \'FALSE\')');
    if ($result == false) {
        $db->Disconnect();
        exit("Could not create modules table: $db->error");
    }
    $result->FreeResult();
    $db->Disconnect();

    // Load the administration functions and register this as the admin
    // module
    require_once('admin.php');
    if (RegisterModule('admin', 'admin.php') === false)
        exit("Could not register admin module");

    // Load the central user database functions in order to register the
    // administrator
    require_once('central-user-database.php');
    if (RegisterUser($_POST['username'], $_POST['password'],
                     $_POST['email'], 'Admin') === false) {
        exit("Could not register administrator account");
    }

    print "Installation successful";
} else {
    // Output installation form
?>
<form action="install.php" method="post">
    <p>
        <label for="dbserver">Address of the database server (eg localhost:3306):</label>
        <input type="text" name="dbserver" id="dbserver" />
    </p>
    <p>
        <label for="dbusername">Username to access the database:</label>
        <input type="text" name="dbusername" id="dbusername" />
    </p>
    <p>
        <label for="dbpassword">Password to access the database:</label>
        <input type="password" name="dbpassword" id="dbpassword" />
    </p>
    <p>
        <label for="dbname">Name of the database:</label>
        <input type="text" name="dbname" id="dbname" />
    </p>
    <p>
        <label for="username">Username for the administrator account (you can change this later):</label>
        <input type="text" name="username" id="username" />
    </p>
    <p>
        <label for="password">Password for the administrator account (you can change this later):</label>
        <input type="password" name="password" id="password" />
    </p>
    <p>
        <label for="email">Email for the administrator account (you can change this later):</label>
        <input type="text" name="email" id="email" />
    </p>
    <p>
        <input type="hidden" name="action" id="action" value="action" />
        <input type="submit" value="Install" />
    </p>
</form>
<?php
}
?>
</body>
</html>
```
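Two things a practitioner would want from an installer like this are a guard against it being run a second time (anyone who can reach install.php could otherwise point the site at their own database and register a fresh admin) and confidence that whatever the user typed survives the trip through the generated PHP file. The following is an added example, not the CMS's own code; RenderSettings(), WriteSettingsFile() and LoadSettingsFile() are names I made up for it, and the hostile password is a constructed input.

```php
<?php
// Added example: generating cms-settings.php safely and refusing to
// reinstall over an existing one.

// Emits the same layout install.php writes ("<?php", one assignment per
// setting) but through var_export(), so a value containing a quote, a
// backslash or "?>" stays inside the string literal and cannot terminate
// the assignment or the PHP block. Setting names are validated because
// they become variable names in the generated code.
function RenderSettings(array $settings)
{
    $out = "<?php\n";
    foreach ($settings as $name => $value) {
        if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad setting name: $name");
        }
        $out .= ' $' . $name . ' = ' . var_export((string) $value, true) . ";\n";
    }
    // No closing "?>": a stray newline after it would be sent to the browser
    // by every page that includes the file.
    return $out;
}

// Refuses to overwrite an existing settings file, writes the new one to a
// temporary path in the same directory and renames it into place so a
// half-written file is never loaded, then restricts its permissions.
function WriteSettingsFile($path, array $settings)
{
    if (file_exists($path)) {
        throw new RuntimeException("$path already exists; refusing to reinstall");
    }
    $tmp = $path . '.tmp.' . getmypid();
    if (file_put_contents($tmp, RenderSettings($settings), LOCK_EX) === false) {
        throw new RuntimeException("could not write $tmp");
    }
    chmod($tmp, 0640); // the web server reads it; other local users should not
    if (!rename($tmp, $path)) {
        unlink($tmp);
        throw new RuntimeException("could not move $tmp to $path");
    }
}

// Loads a generated settings file inside a closure so the assignments do
// not leak into the caller's scope, and returns them as an array.
function LoadSettingsFile($path)
{
    $loader = function () use ($path) {
        include $path;
        return compact('dbserver', 'dbusername', 'dbpassword', 'dbname');
    };
    return $loader();
}

// Constructed hostile input: a password with a quote, a backslash, a PHP
// close tag and an open tag, exactly the characters that plain string
// concatenation into the settings file would mishandle.
$hostile = "p'a\\ss?> <?php phpinfo(); ?>";
$demo = sys_get_temp_dir() . '/cms-settings-demo.php';
@unlink($demo);

WriteSettingsFile($demo, array(
    'dbserver'   => 'localhost:3306',
    'dbusername' => 'cms',
    'dbpassword' => $hostile,
    'dbname'     => 'cms',
));

// Round trip: true if the value came back byte-for-byte and nothing in it
// was executed or echoed while the file was included.
$loaded = LoadSettingsFile($demo);
var_dump($loaded['dbpassword'] === $hostile);

// Second run hits the install guard.
try {
    WriteSettingsFile($demo, array('dbname' => 'other'));
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
unlink($demo);
```

The same guard belongs at the top of install.php itself: check for cms-settings.php before touching the database or registering anyone, and have the deployment remove or rename install.php once the site is up.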