Framework: Using DB password that contains "#" is interpreted as a comment

Created on 11 Mar 2019 · 9Comments · Source: laravel/framework

Laravel Version: 8.0.1
PHP Version: PHP 7.2.15-0ubuntu0.18.04.1
Database Driver & Version: 5.7.25-0ubuntu0.18.04.2

Description:

TL;DR: If you use a password starting with # in your .env without surrounding it with quote marks, Laravel interprets it as blank. This was not the case in 7.x Ior I did something very wrong, which only triggered it after upgrading).

Before upgrading from Laravel 7.x, I used a randomly generated, very long password. The password, which I have changed for the purpose of this issue, was something like: #t21432;34124l;21aBF23!~

Upgrading to Laravel 8.x caused my production server to suddenly stop working, with an error: USING PASSWORD: NO. I was genuinely perplexed by this, given no config had changed and all tests passed. I discovered the only fix was editing config/database.php and replacing env('DB_PASSWORD') with the password, then running php artisan cache:clear.

It turns out that if your password starts with a # in Laravel 8.x, it's interpreted as a comment, so is left blank. It took me a long while to figure out that, and that the password would work just fine if wrapped in " first - but I imagine the odds that other people have had a randomly generated password waste hours of their lives is likely enough that this should be fixed.

Steps To Reproduce:

Set DB_PASSWORD to some string like #123456 in .env
Laravel thinks there's no password set

Source

Most helpful comment

This is a breaking change in a point release, more-so than anything else listed on that page - it can cause production outages at random and is difficult to reproduce locally if you don't use the same production passwords in your local environment. How is it not a high impact change? This caused me hours of lost work, and was the only issue in the update process.

That's pretty disappointing as a response, and given that there's plenty of other examples out there of people discovering the same much later, this isn't going to be the last time someone discovers this too late.

ow on 11 Mar 2019

👍6

All 9 comments

You now have to wrap the value in quotes: DB_PASSWORD="#123456"

https://laravel.com/docs/5.8/upgrade > Environment

staudenmeir on 11 Mar 2019

😕4 👍2

HA - Likelihood Of Impact: Low

...yeah this caused a production outage for me for a while. I used Laravel Shift to migrate + extensive testing, read the whole document and STILL missed this somehow. UGH.

This really should be listed at the top of the document with a huge warning: a hash symbol can now bring down your entire production environment.

ow on 11 Mar 2019

You probably read the upgrade guide before this change was added: https://github.com/laravel/docs/pull/5043

staudenmeir on 11 Mar 2019

👍1

Damn, thanks for pointing that out.🤦‍♀️

Even then - I think this should be a big angry red warning at the top there. No way I would've caught that.

ow on 11 Mar 2019

👍2

We can't cover every single scenario/change for every single change in a library we use. We also can't list every single change as a high impact change.

driesvints on 11 Mar 2019

👎6 👀3 😄2

ow on 11 Mar 2019

👍6

@ow heya. After reading a bit up on the changes itself and the Laracasts thread I have to say I agree with you. I've sent in a PR to the docs to mark it as a high impact change: https://github.com/laravel/docs/pull/5050

Please forgive me from jumping to conclusions. Almost everyone who experiences a breaking change which isn't in the upgrade guide thinks their change deserves it to be marked as a high impact change while that mostly isn't the case. Anyway, thanks for reporting this 👍

driesvints on 11 Mar 2019

🎉2 ❤1

@driesvints no worries, I totally understand on a high-volume project like this! I actually didn't realize the docs were open-source, I'd have submitted a PR myself otherwise - thanks for the note and I'll definitely make a docs suggestion in the future :)

ow on 11 Mar 2019

👍1