[wp-trac] [WordPress Trac] #13839: Configuration script does not allow apostrophes, blank prefixes
WordPress Trac
wp-trac at lists.automattic.com
Fri Aug 12 07:14:02 UTC 2011
#13839: Configuration script does not allow apostrophes, blank prefixes
----------------------------+-----------------------------
Reporter: incaren | Owner: dd32
Type: defect (bug) | Status: assigned
Priority: low | Milestone: Future Release
Component: Administration | Version: 2.9.2
Severity: trivial | Resolution:
Keywords: has-patch |
----------------------------+-----------------------------
Comment (by dd32):

Related: #16229

Like nacin I don't believe we should support a blank prefix in the
wp-config.php wizard, it should be throwing an error in that case instead.
Being able to set a blank/empty prefix via a manual file creation is a bit
more deliberate.

Also note, table prefixes are used in more than just table names, they're
also used for per-site capabilities (Multisite and shared user tables,
etc).

The patches here fix ' being in a username or password, but not the
database name, but also break " being in a password. As an addition \
would also break it (as it's not escaped properly either).

Looking at this, it looks like `addcslashes($.., "\\'");` is what should
be used, which escapes both \ and ' whilst leaving " alone. An example
password would be: `1'2\3"4` which should end up like this:
`define('DB_PASSWORD', '1\'2\\3"4');`

Attached is a patch for testing based on addcslashes and erroring out on
an empty prefix.
--
Ticket URL: <http://core.trac.wordpress.org/ticket/13839#comment:7>
WordPress Trac <http://core.trac.wordpress.org/>
WordPress blogging software
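
The escaping rule discussed in the comment above, as an added example that is not part of the ticket, its patch, or WordPress core. The helper names are hypothetical; the sample password is the one from the comment. It compares no escaping, `addslashes()` and `addcslashes($v, "\\'")` by checking that the value stays inside the single-quoted literal and decodes back to the original, and it refuses an empty prefix.

```php
<?php
// Added example; helper names are hypothetical, not WordPress core code.

// Escape for a single-quoted PHP literal: only \ and ' are special there.
function escape_for_single_quotes(string $value): string {
    return addcslashes($value, "\\'");
}

// True if $body can sit between single quotes without ending the literal early.
function is_closed_literal(string $body): bool {
    return preg_match('/^(?:[^\'\\\\]|\\\\.)*\z/s', $body) === 1;
}

// Decode a literal body as PHP does: \\ -> \ and \' -> ', all else verbatim.
function decode_single_quoted(string $body): string {
    return preg_replace('/\\\\([\\\\\'])/', '$1', $body);
}

// Quote a value for the generated config file; empty values can be refused.
function config_literal(string $value, bool $allow_empty = true): string {
    if (!$allow_empty && $value === '') {
        throw new InvalidArgumentException('value must not be empty');
    }
    return "'" . escape_for_single_quotes($value) . "'";
}

$password = '1\'2\\3"4';   // sample from the comment: 1'2\3"4

$escapers = [
    'none'        => fn($v) => $v,
    'addslashes'  => 'addslashes',
    'addcslashes' => 'escape_for_single_quotes',
];
foreach ($escapers as $label => $escape) {
    $body = $escape($password);
    $ok = is_closed_literal($body) && decode_single_quoted($body) === $password;
    printf("%-12s %-14s %s\n", $label, $body, $ok ? 'round-trips' : 'BROKEN');
}

echo "define('DB_PASSWORD', ", config_literal($password), ");\n";
try {
    echo '$table_prefix = ', config_literal('', false), ";\n";
} catch (InvalidArgumentException $e) {
    echo 'empty prefix rejected: ', $e->getMessage(), "\n";
}
```

The unescaped value ends the literal at the first `'`, so the rest of the password would be parsed as PHP code in the generated file; `addslashes()` keeps the literal closed but leaves a stray backslash in front of `"` because single-quoted strings do not treat `\"` as an escape.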