I have a mysql user password with some special characters in it.
settings.php mentions the following information about special characters in your database url:
* Database settings:
*
* Note that the $db_url variable gets parsed using PHP's built-in
* URL parser (i.e. using the "parse_url()" function) so make sure
* not to confuse the parser. If your username, password
* or database name contain characters used to delineate
* $db_url parts, you can escape them via URI hex encodings:
*
* : = %3a / = %2f @ = %40
* + = %2b ( = %28 ) = %29
* ? = %3f = = %3d & = %26
I used the hex codes to encode my password, but connecting was not possible:
Access is denied for user@localhost (Using Password: YES)
When i changed the connection string in includes/database.mysql.inc from
$connection = mysql_connect($url['host'], $url['user'], $url['pass'], TRUE) or die(mysql_error());
in
$connection = mysql_connect($url['host'], $url['user'], urldecode($url['pass']), TRUE) or die(mysql_error());
the problem was solved. Probably it is a good idea to do the same for username and host?
| Comment | File | Size | Author |
|---|---|---|---|
| #17 | db_connect_urldecode.patch | 2.33 KB | rkerr |
Comments
Comment #1
serval-1 commentedThe bug is still there in the new 4.6.1 release :(
I changed the file database.mysql.inc to solve the problem:
After the lines
I added the following lines:
I think the problem also exists with other database systems, but I was not able to test this.
Comment #2
barryhawkins commentedWhich specific characters are you trying to encode in your password? Using "%40" for the @ symbol resolved the issue for me; if you have the problem with particular symbols, perhaps I could test it here as well.
Comment #3
barryhawkins commentedMy apologies; spoke too soon. After experimenting with some more, it does indeed still fail. I will check tomorrow to see if this has been included in 4.6.2; if not, I can attach a patch to this report. Not sure yet if that's how things are done here.
Comment #4
jmengle commentedI can confirm that I was having the same problem. I had an @ in a mysql password, and the "%40" encoding was not working, so I then tested a "%40" in the username. It definately was not being converted to a "@" symbol. I added these lines from above:
and everything worked just fine.
Comment #5
serval-1 commentedNice to see i'm not alone :D.
Anybody out there who is able to create a patch for this issue?
Comment #6
chx commentedIf we would go this route then people with a percent sign in their db_url would get problems and what's worse it would break their update path, they would need to urlencode their passwords before an update. I am a bit reluctant to make this step.
Comment #7
serval-1 commentedWell, there is a hex code for the percent sign itself too:
So, when you have a percent sign in your username, you could still encode it.
Comment #8
zignit commentedhey guys...first-timer here..
I was hoping to get a smooth install so I could see how drupal works, but Im having problems with my database/user-names.
I use the undersquare "_" and I can't seem to find the hex codes to encode. I only found the htmlcode for it.. "_" , but that doens't work...
Does someone know ??
Thanks in advanced!
Comment #9
serval-1 commentedI think the underscore character has %5f as a hex encoding.
I tought that the underscore is a safe character for URL's. Is this not the case?
Comment #10
serval-1 commentedThis issue is still there in the current CVS!
Really, anyone with any character like @, :, &, +,... in their database username or password will be unable to install and use Drupal!
I hope this will be patched before the 4.7 release
Comment #11
killes@www.drop.org commentedI think we can indeed fix this by adding a urldecode and telling everybody to add hexcode for % in the docs on update.php.
Comment #12
serval-1 commentedComment #13
Cvbge commentedI also think this is very important issue and should be fixed before 4.7
Comment #14
Cvbge commentedBumping.
If we really are not going to fix this for 4.7, then we should change the docs.
Comment #15
openmacnews commentedi can verify that this is an issue with drupal 4.7b3 + pgsql 812 on OSX 10.4.4.
with my pg_hba.conf entry as:
hostssl drupaldb myuser 127.0.0.1 255.255.255.255 md5
using *any* special character (literal, "\"-escaped, or urlencoded) in $db_url's 'password' simply causes the connect to fail.
removing any/all suchh chars form password, everything's fine with plaintext/md5 pwds over encrypted SSL to DB.
richard
Comment #16
openmacnews commentedeek ... didn't mean to 'yell' ...
Comment #17
rkerr commentedPatch against cvs for db_connect for MySQL, MySQLi, and PostgreSQL.
Comment #18
Cvbge commentedThe best solution would be to use some other variable than $db_url
If $db_url is set, use old method, if $new_config is set - use new method
Very simple to implement and backward compatibile.
Would allow us to drop this ugly url-like syntax and add new features
Comment #19
Steven commentedIMO this is commit ready. The number of people who have such special characters in their username/password should be tiny and it's simple enough to fix.
Comment #20
chx commentedCommit if you want, but it'll break the update path for those who have a percent sign in their password. Given the even smaller number of those, I think this one is good to go.
Comment #21
dries commentedCommitted.
Comment #22
Chris Johnson commentedWell, indeed, it busted my Drupal install when I upgraded to 4.7. I had a plus sign in my MySQL password.
Guess what? That's a perfectly valid URL, too. Plus signs are only URL delimiters when they occur after the question mark ? sign in the path to the right of the hostname.
My site worked for 2 years, and then blew up when I installed 4.7 because this patch tossed the plus sign with urldecode().
My host uses autogenerated MySQL passwords and they can include plus signs. How many people do you suppose are going to get screwed by this? It's especially hard to figure out because the admin knows the database parameters are right because they were working and were not changed with the install. Because of that, the site admin is unlikely to read the comments in the settings.php file and notice that the plus sign needs to be hex encoded. Instead, that admin is going to contact their host and ask WTF is wrong with the database connection.
In fact, the standard for URLs specifically says + signs are valid and are not to be encoded. See here: http://www.ietf.org/rfc/rfc1738.txt
This fix breaks that standard.
PHP's parse_url() handles it correctly and returns the + sign.
Comment #23
Cvbge commentedYou should encode "+" as settings.php says. UPGRADE.txt should be updated to reflect this.
Comment #24
serval-1 commentedI think the url-like syntax for connecting to the database is not the way to go.
My proposal is to make url-syntax an deprecated option, and to use something like this in the new settings.php file:
Comment #25
Steven commentedIf the + is an issue, we should use rawurlencode() and rawurldecode(). The non-raw versions are meant for query string arguments really.
Comment #26
moshe weitzman commentedi agree that the url syntax confuses people for no good reason (that I can think of). separate fields makes better since to me.
Comment #27
dries commentedI'm OK with seperate fields if that is going to fix a bunch of problems. Use $db_ not $db.
Comment #28
dries commentedChanging that setting will complicate the upgrade process though. People will be forced to edit their settings.php before they can even attempt to upgrade... Maybe this should be put on hold for 4.8?
Comment #29
moshe weitzman commentedi also am inclined to wait on this. workarounds are available so i set to normal priority.
Comment #30
killes@www.drop.org commentedmoving
Comment #31
chx commentedComment #32
stevenpatzComment #33
moshe weitzman commentedseems like noone cares anymore. reopen if i am wrong.
Comment #34
webchickMarking won't fix. We have an installer now that takes care of this for you, so there should very rarely need to be a reason to go in and putz with settings.php.