Sanatizing all data being written about db connection

ushahidi · Nov 15, 2013 · 5f669ab · 5f669ab
1 parent 853eabf
commit 5f669ab
Showing 1 changed file with 10 additions and 17 deletions.
diff --git a/installer/wizard.php b/installer/wizard.php
@@ -614,12 +614,12 @@ public static function install_database()
 		// Store the database info
 		self::$_data['database'] = array(
 			'host' => $host,
-			'username' => $username,
-			'password' => $password,
-			'database_name' => $database,
+			'user' => $username,
+			'pass' => $password,
+			'database' => $database,
 			'table_prefix' => $table_prefix
 		);
-		
+
 		// Set up the database schema + objects
 		self::_database_connect();
 
@@ -684,8 +684,8 @@ private static function _database_connect()
 	{
 		$params = self::$_data['database'];
 
-		self::$_connection = mysql_connect($params['host'], $params['username'], 
-		    $params['password'], TRUE);
+		self::$_connection = mysql_connect($params['host'], $params['user'], 
+		    $params['pass'], TRUE);
 
 		if ( ! self::$_connection)
 		{
@@ -694,7 +694,7 @@ private static function _database_connect()
 			return FALSE;
 		}
 
-		$database_name = $params['database_name'];
+		$database_name = $params['database'];
 
 		if ( ! mysql_select_db($database_name))
 		{
@@ -763,23 +763,16 @@ private static function _create_database_config()
 		{
 			if (($template_file = file($template_file_name)) !== FALSE)
 			{
-				$params = self::$_data['database'];
-				$config_params = array(
-					'user' => $params['username'],
-					'pass' => addslashes($params['password']),
-					'host' => $params['host'],
-					'database' => $params['database_name'],
-					'table_prefix' => $params['table_prefix']
-				);
-
+				$config_params = self::$_data['database'];
+
 				foreach ($template_file as $line_no => $line)
 				{
 					foreach ($config_params as $config => $value)
 					{
 						$search = sprintf("/'%s' =>.*/i", $config);
 						if (preg_match($search, $line, $matches))
 						{
-							$replace = sprintf("'%s' => '%s',", $config, $value);
+							$replace = sprintf("'%s' => '%s',", $config, addslashes($value));
 							$line = preg_replace("/".$matches[0]."/i", $replace, $line);
 							break;
 						}