Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
By ankur on
I've noticed that in conf.php (settings.php in 4.6) that the values for $db_url and $db_prefix use double quotes. What if the the password uses a '$'? PHP will try to interpret the substring portion of the URL that starts with '$' as a variable.
Is there a reason that settings.php uses double quotes instead of single quotes?
I ask because I've seen an issue arise in cases where someone is trying to use a db password that includes a '$'. Obviously, using a weird character is a security preference for some folks. I don't use them myself, but if there's no special reason that double-quotes are used in settings.php, then I would like to suggest that single-quotes be used.
Of course, anyone aware of this issue can use single-quotes themselves, but I don't know if most people installing Drupal are PHP-aware enough to use single quotes. The default settings.php uses double-quotes and I would imagine that most people entering their own values into settings.php will just use the double-quotes and not think to use single-quotes if they are using a '$' in their database url.
-Ankur
Comments
I have not checked this but
I have not checked this but I believe form input is filtered and the dollar sign escaped.
---------------------------
Hivemindz CMSopdedia
__________________________
Carl McDade
Information Technology Consult
Team Macromedia
The password I'm talking
The password I'm talking about is not submitted via web form, it is the password stored in a PHP file, which Drupal uses to connet to the backend database.
The problem is that conf.php is the file that contains the variables that helps a Drupal installation connect to its DB. On every page serve, Drupal pulls all of its data from the DB. In order to do this, Drupal needs to know the DB login, DB password, and DB name, DB type ("mysql" vs "pgsql"). All of this is stored in a single variable in URL form.
When Drupal serves a request, there is an 'include_once' of conf.php to grab this URL. So, conf.php is evaluated. When it is evaluated, it is setting the variable $db_url, which (out of the box) uses double-quotes. However, if the password in the URL contains a '$', then, because this string is enclosed by double-quotes, PHP attempts to evaluate the '$' portion as a variable.
For example, if we have, in conf.php
$db_url = "mysql://username:as$dfg@localhost/db_name"
Then, upon the loading of conf.php, PHP will attempt to evaluate the '$dfg' portion of the string as a PHP variable. This will likely cause an error if there is no $dfg variable.
However, if we change the line to read
$db_url = 'mysql://username:as$dfg@localhost/db_name'
PHP will not interpret the '$dfg' portion as a variable since the entire string is enclosed in single quotes. The password will be 'as$dfg'.
Ankur Rishi
(CivicSpace)
Please file a bug report
http://drupal.org/node/add/project_issue/drupal
--
Drupal development: making the world better, one patch at a time. | A bedroom without a teddy is like a face without a smile.
I have checked two different
I have checked two different tools. Both that single quotes be used on special characters or they throw an error. Even on the command line you have to use single qoutes or MySQL will not accept the special character (which is what this thread is all about). What do single quotes mean? well check the first post here. There is a good explaination there. Also escaped special characters are no longer special characters.
---------------------------
Hivemindz CMSopdedia
__________________________
Carl McDade
Information Technology Consult
Team Macromedia
If you would take the time
I