
Textpattern CMS support forum


#1 2015-05-31 14:23:51

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,137
GitHub

Escaped characters in MySQL details when going back in setup

There’s a bug in the 4.5.7 setup routine that appears to escape characters in the provided database details (name, user, password and prefix), either when the database connection attempt is made or immediately after it fails and informs the user to go back. On the grounds that my password was correct, I suspect it’s escaping it before the connection attempt is made, but I can’t say for sure.

This report relates to 4.5.7, and I’ll update it with results from 4.6-dev when I’ve tested it.

I came across this with a password manager-generated password that included a < character. It’s a valid password insofar as I can create a user with it, and log in from the command line as that user.

$ mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 46
Server version: 5.5.43-0+deb7u1 (Debian)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> CREATE USER textpattern IDENTIFIED BY 'If<pE(swyEc;bof+ak*Jaf^Kav/uSk:uS]Uk%As]';
Query OK, 0 rows affected (0.00 sec)

mysql> QUIT;
Bye
$

…then log in as that new user:

$ mysql -u textpattern -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 48
Server version: 5.5.43-0+deb7u1 (Debian)

Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SELECT USER(),CURRENT_USER();
+-----------------------+----------------+
| USER()                | CURRENT_USER() |
+-----------------------+----------------+
| textpattern@localhost | textpattern@%  |
+-----------------------+----------------+
1 row in set (0.00 sec)

mysql> QUIT;
Bye
$

When I try to install as that new user with that password, it fails with the Can’t connect to database message. When I click the Back button (not back in my browser), the password now includes escaped characters (third character was < and becomes &lt;):

  • Was: If<pE(swyEc;bof+ak*Jaf^Kav/uSk:uS]Uk%As]
  • Now: If&lt;pE(swyEc;bof+ak*Jaf^Kav/uSk:uS]Uk%As]

The problem is compounded somewhat because I didn’t spot the escaped < first of all (this has never happened to me before), so when I double-checked the password and tried again with the Next button, it failed again, and using Back now escapes the & (the third character), too.

I assume, perhaps wrongly, that since MySQL accepts the password and lets me log in that < is a supported/permitted character.

Clearly it’s easy to change the password so it doesn’t include that character, but I’d appreciate some input on this. My passwords are becoming more complex as time goes on, and I’m advising my clients to do the same, so this issue might not just be confined to me. Potential resolutions:

  • sanitise the escaping for that part of the setup routine
  • add a note about not using escapable characters

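The symptom reported in the post above (`<` turning into `&lt;`, then the `&` itself being escaped on the next attempt) is what a value looks like when it is HTML-encoded on receipt and encoded again when the form is re-rendered. The sketch below is an added example, not Textpattern's setup code and not part of the original post; the function names, the `db_pass` field name and the faulty flow are assumptions, and the thread does not establish the actual cause.

```php
<?php
declare(strict_types=1);

// Added illustration: hypothetical helpers, not Textpattern's setup code.

// Encode for an HTML attribute at output time only.
function render_field(string $name, string $value): string
{
    return sprintf(
        '<input type="password" name="%s" value="%s" />',
        htmlspecialchars($name, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($value, ENT_QUOTES, 'UTF-8')
    );
}

// Model of the browser: it decodes the attribute once and posts that back.
function browser_submits(string $html): string
{
    preg_match('/value="([^"]*)"/', $html, $m);
    return htmlspecialchars_decode($m[1], ENT_QUOTES);
}

// Assumed faulty flow: the value is encoded when received, then again on render.
function faulty_round_trip(string $submitted): string
{
    $stored = htmlspecialchars($submitted, ENT_QUOTES, 'UTF-8');
    return browser_submits(render_field('db_pass', $stored));
}

// Correct flow: keep the raw value (the same bytes go to the database driver)
// and encode exactly once, when writing it into the form.
function correct_round_trip(string $submitted): string
{
    return browser_submits(render_field('db_pass', $submitted));
}

$password = 'If<pE(swyEc;bof+ak*Jaf^Kav/uSk:uS]Uk%As]'; // password quoted in the post

$first  = faulty_round_trip($password); // what the user sees after one Back
$second = faulty_round_trip($first);    // after Next fails and Back is used again

echo "after 1st Back: ", substr($first, 0, 12), "\n";
echo "after 2nd Back: ", substr($second, 0, 16), "\n";
echo "correct flow preserves value: ";
var_dump(correct_round_trip($password) === $password);
```

A quick check when triaging a report like this is to compare the bytes handed to the database driver with the bytes the user typed; any `&lt;`, `&gt;`, `&amp;` or `&quot;` in the former means encoding happened before the connection attempt rather than only at output.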

#2 2015-05-31 14:33:46

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: Escaped characters in MySQL details when going back in setup

Does it work if your config.php file contains the correct password?


#3 2015-05-31 14:36:00

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,137
GitHub

Re: Escaped characters in MySQL details when going back in setup

ruud wrote #291195:

Does it work if your config.php file contains the correct password?

Excellent question. Hold please, I will check.


#4 2015-05-31 14:49:31

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,137
GitHub

Re: Escaped characters in MySQL details when going back in setup

This is odd.

Testing from scratch – the problem doesn’t occur on my development server; on a live server (Tsohost), it doesn’t play nicely and throws the escaping error.

To be continued.


#5 2015-05-31 15:04:46

gaekwad
Server grease monkey
From: People's Republic of Cornwall
Registered: 2005-11-19
Posts: 4,137
GitHub

Re: Escaped characters in MySQL details when going back in setup

ruud wrote #291195:

Does it work if your config.php file contains the correct password?

Yes. Well, it connects and notes the tables are empty:

general_error Textpattern Error: Table 'staging.txp_prefs' doesn't exist on line 95
general_error Textpattern Error: Table 'staging.txp_prefs' doesn't exist on line 95
general_error Textpattern Error: Table 'staging.txp_prefs' doesn't exist on line 95
general_error Textpattern Error: Table 'staging.txp_prefs' doesn't exist on line 95
general_error Textpattern Error: Table 'staging.txp_prefs' doesn't exist on line 95
general_error Textpattern Error: Table 'staging.txp_lang' doesn't exist on line 95
general_error Textpattern Error: Table 'staging.txp_lang' doesn't exist on line 95
General error Textpattern Error: Table 'staging.txp_section' doesn't exist on line 95
General error Textpattern Error: Table 'staging.txp_page' doesn't exist on line 95
General error Textpattern Error: Table 'staging.txp_page' doesn't exist on line 95
General error Textpattern Error: Table 'staging.txp_page' doesn't exist on line 95

Anonymised config file for completeness (and yes, host is an internal network):

<?php
$txpcfg['db'] = 'staging';
$txpcfg['user'] = 'staging';
$txpcfg['pass'] = '<staging>';
$txpcfg['host'] = '10.1.1.1';
$txpcfg['table_prefix'] = '';
$txpcfg['txpath'] = '/var/sites/example.org/subdomains/staging/textpattern';
$txpcfg['dbcharset'] = 'utf8';
?>

This is likely a hosting-specific issue, and the first time I’ve ever encountered it.
