October: The installer fails when the MySQL user password contains a dollar sign and an apostrophe

Created on 23 Aug 2017  ·  14 Comments  ·  Source: octobercms/october

Expected behavior

The installer should have worked fine.

Actual behavior

The installer reports an error "Undefined variable: smth" when "Building configuration files"

Reproduce steps

  1. Create MySQL user & db
  2. Set the MySQL user password to something that contains a dollar sign (say pass$smth'word)
  3. Run the installer

October build

WHERE DO I FIND THE BUILD NUMBER?
I'm going to make it equally difficult for you to figure it out. I downloaded & ran the installer about an hour ago from https://octobercms.com/download

P.S.

Finding such a naive bug in a CMS that's labeled as Stable will definitely make me avoid using it for any production apps. Your definition of a stable release is disturbing.

Completed Bug

All 14 comments

Don't get me wrong. October might be a great piece of software but I can't trust it with my clients' data now that I know what counts as stable to the devs behind it.

P.S. if you haven't figured out what went wrong yet;
The password is probably stored somewhere in a PHP script like this

define ("DB_PASS", "pass$smth'word");

Quoted using double quotes, without being escaped or encoded.

$ php -a
Interactive mode enabled

php > define ("DB_PASS", "pass$smth'word");
PHP Notice:  Undefined variable: smth in php shell code on line 1
php > echo DB_PASS;
pass'word
php > 

@iSWORD This is not an OC issue.
You're using double quotes: http://php.net/manual/en/language.types.string.php#language.types.string.syntax.double
If you want to have a dollar sign in your db password, you should use \ (backslash) before $.
Like this:
define ("DB_PASS", "pass\$smth'word");

php -a
Interactive shell

php > define ("DB_PASS", "pass\$smth'word");
php > echo DB_PASS;
pass$smth'word
php >

@Samorai That piece of code was to demonstrate the bug in October.

@iSWORD This is not an October bug.
This is correct PHP interpretation.
You're using $ (dollar sign) inside double quotes, so PHP searches for the variable.

➜  ~ php -a
Interactive shell

php > $foo = "bar";
php > define("FOO_1", "$foo");
php > echo FOO_1;
bar
php > define("FOO_2", '$foo');
php > echo FOO_2;
$foo
php >

@Samorai Please read my original bug report. I entered my db password in the installer, I did not modify any PHP scripts myself. The installer decided that my input should be inserted into PHP scripts without being sanitized or escaped.

Hi @iSWORD ,

I can confirm that it is impossible to install OctoberCMS using a MySQL password containing apostrophe. The input is not correctly escaped.

I have tried web install and the same from console.

This should be working, as many people can be discouraged from trying OctoberCMS if they have problems even installing it.

Until fixed, you should use a password without an apostrophe or manually enter an escaped apostrophe in the /config/database.php file.
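
The failure discussed in the comments above, as an added example that is not part of any post in this thread and is not October's installer code: a config writer that pastes the password between double quotes, next to one that encodes it with `var_export()`. The function names and the one-key config layout are hypothetical; the sample password is the one from the report.

```php
<?php
// Added example: hypothetical config writers, not taken from October.

// Naive: pastes the raw value between double quotes, as guessed in the thread.
function render_config_naive(string $password): string
{
    return "<?php\nreturn ['password' => \"" . $password . "\"];\n";
}

// Hardened: var_export() emits a valid single-quoted PHP literal, escaping
// backslashes and apostrophes; "$" is not interpolated in single quotes.
function render_config_safe(string $password): string
{
    return "<?php\nreturn ['password' => " . var_export($password, true) . "];\n";
}

// Write the generated source to a temp file, load it, and return the value
// PHP actually sees plus any notices/warnings raised while loading it.
function load_generated(string $source): array
{
    $file = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($file, $source);
    $diagnostics = [];
    set_error_handler(function (int $no, string $msg) use (&$diagnostics) {
        $diagnostics[] = $msg;
        return true; // handled: keep it out of the output
    });
    try {
        $config = include $file;
    } finally {
        restore_error_handler();
        unlink($file);
    }
    return [$config['password'], $diagnostics];
}

$input = "pass\$smth'word"; // constructed sample: the password from the report

foreach (['naive' => 'render_config_naive', 'safe' => 'render_config_safe'] as $name => $fn) {
    [$stored, $diagnostics] = load_generated($fn($input));
    printf("%-5s stored=%s round-trip=%s diagnostics=%s\n",
        $name, var_export($stored, true),
        $stored === $input ? 'yes' : 'NO', json_encode($diagnostics));
}
```

The naive writer loads back as `pass'word` with an undefined-variable diagnostic, matching the `php -a` session earlier in the thread; the `var_export()` writer returns the password unchanged.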

@iSWORD The October project has its issues like any complex project does, and the apparent lack of installer config sanitization is a silly oversight if true, but do you honestly think no one but you is familiar with escaping string content? Your general air of superiority and that you felt your second comment was necessary are giving me a chuckle over here.

"P.S. if you haven't figured out what went wrong yet" followed by a review of something basic is going to be my new go-to move when I file bug reports. If I'm not as condescending as possible, how will people know how much smarter I am than they are?

This is a duplicate of #2361.

@iSWORD You're making it equally difficult for me to care about your problems at all with your condescending remarks. Please remember that this project is developed and maintained with a significant amount of volunteer development time on behalf of the project creator, maintainers, and community members. We don't need disparaging comments that add nothing to the discussion.

The issue in #2361 appears to have been fixed. This is a different issue that may require further attention.

Since this was reopened, please accept my apologies for the harsh language in the original report. I should have been more patient and understanding.

Thank you to all maintainers of October ❤️

This issue will be closed and archived in 3 days, as there has been no activity in the last 30 days.
If this issue is still relevant or you would like to see it actioned, please respond and we will re-open this issue.
If this issue is critical to your business, consider joining the Premium Support Program where a Service Level Agreement is offered.

