Issues (4069)

Security Analysis: not enabled

This project does not seem to handle request data directly; as such, no vulnerable execution paths were found.

  Cross-Site Scripting
Cross-Site Scripting enables an attacker to inject code into the response of a web-request that is viewed by other users. It can for example be used to bypass access controls, or even to take over other users' accounts.
  File Exposure
File Exposure allows an attacker to gain access to local files that they should not be able to access. These files can for example include database credentials, or other configuration files.
  File Manipulation
File Manipulation enables an attacker to write custom data to files. This potentially leads to injection of arbitrary code on the server.
  Object Injection
Object Injection enables an attacker to inject an object into PHP code, and can lead to arbitrary code execution, file exposure, or file manipulation attacks.
  Code Injection
Code Injection enables an attacker to execute arbitrary code on the server.
  Response Splitting
Response Splitting lets an attacker inject CRLF sequences into a header value and thereby send arbitrary additional headers or entire responses.
  File Inclusion
File Inclusion enables an attacker to inject custom files into PHP's file loading mechanism, either explicitly passed to include, or for example via PHP's auto-loading mechanism.
  Command Injection
Command Injection enables an attacker to inject a shell command that is executed with the privileges of the web-server. This can be used to expose sensitive data, or to gain access to your server.
  SQL Injection
SQL Injection enables an attacker to execute arbitrary SQL code on your database server gaining access to user data, or manipulating user data.
  XPath Injection
XPath Injection enables an attacker to modify which parts of an XML document are read. If that XML document is for example used for authentication, this can lead to further vulnerabilities similar to SQL Injection.
  LDAP Injection
LDAP Injection enables an attacker to inject LDAP statements potentially granting permission to run unauthorized queries, or modify content inside the LDAP tree.
  Header Injection
  Other Vulnerability
This category comprises other attack vectors such as manipulating the PHP runtime, loading custom extensions, freezing the runtime, or similar.
  Regex Injection
Regex Injection enables an attacker to execute arbitrary code in your PHP process.
  XML Injection
XML Injection enables an attacker to read files on your local filesystem including configuration files, or can be abused to freeze your web-server process.
  Variable Injection
Variable Injection enables an attacker to overwrite program variables with custom data, and can lead to further vulnerabilities.
Unfortunately, the security analysis is currently not available for your project. If you are a non-commercial open-source project, please contact support to gain access.

install/checkDBSettings.php (3 issues)

Upgrade to new PHP Analysis Engine

These results are based on our legacy PHP analysis; consider migrating to our new PHP analysis engine instead.

<?php
if(!defined('sugarEntry') || !sugarEntry) die('Not A Valid Entry Point');
/*********************************************************************************
 * SugarCRM Community Edition is a customer relationship management program developed by
 * SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.

 * SuiteCRM is an extension to SugarCRM Community Edition developed by Salesagility Ltd.
 * Copyright (C) 2011 - 2014 Salesagility Ltd.
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU Affero General Public License version 3 as published by the
 * Free Software Foundation with the addition of the following permission added
 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
 *
 * This program is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE.  See the GNU Affero General Public License for more
 * details.
 *
 * You should have received a copy of the GNU Affero General Public License along with
 * this program; if not, see http://www.gnu.org/licenses or write to the Free
 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
 * 02110-1301 USA.
 *
 * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
 * SW2-130, Cupertino, CA 95014, USA. or at email address [email protected].
 *
 * The interactive user interfaces in modified source and object code versions
 * of this program must display Appropriate Legal Notices, as required under
 * Section 5 of the GNU Affero General Public License version 3.
 *
 * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
 * these Appropriate Legal Notices must retain the display of the "Powered by
 * SugarCRM" logo and "Supercharged by SuiteCRM" logo. If the display of the logos is not
 * reasonably feasible for  technical reasons, the Appropriate Legal Notices must
 * display the words  "Powered by SugarCRM" and "Supercharged by SuiteCRM".
 ********************************************************************************/


function checkDBSettings($silent=false) {

    installLog("Begin DB Check Process *************");
    global $mod_strings;
    $errors = array();
    copyInputsIntoSession();

    $db = getInstallDbInstance();

    installLog("testing with {$db->dbType}:{$db->variant}");


        if( trim($_SESSION['setup_db_database_name']) == '' ){
            $errors['ERR_DB_NAME'] = $mod_strings['ERR_DB_NAME'];
            installLog("ERROR::  {$errors['ERR_DB_NAME']}");
        }


        if (!$db->isDatabaseNameValid($_SESSION['setup_db_database_name'])) {
            $errIdx = 'ERR_DB_' . strtoupper($_SESSION['setup_db_type']) . '_DB_NAME_INVALID';
            $errors[$errIdx] = $mod_strings[$errIdx];
            installLog("ERROR::  {$errors[$errIdx]}");
        }

        if($_SESSION['setup_db_type'] != 'oci8') {
            // Oracle doesn't need host name, others do
            if( trim($_SESSION['setup_db_host_name']) == '' ){
                $errors['ERR_DB_HOSTNAME'] = $mod_strings['ERR_DB_HOSTNAME'];
                installLog("ERROR::  {$errors['ERR_DB_HOSTNAME']}");
            }
        }

        //check to see that password and retype are same, if needed
        if(!empty($_SESSION['dbUSRData']) && ($_SESSION['dbUSRData']=='create' || $_SESSION['dbUSRData']=='provide'))
        {
            if( $_SESSION['setup_db_sugarsales_password'] != $_SESSION['setup_db_sugarsales_password_retype'] ){
                $errors['ERR_DBCONF_PASSWORD_MISMATCH'] = $mod_strings['ERR_DBCONF_PASSWORD_MISMATCH'];
                installLog("ERROR::  {$errors['ERR_DBCONF_PASSWORD_MISMATCH']}");
            }
        }

        // bail if the basic info isn't valid
        if( count($errors) > 0 ){
                installLog("Basic form info is INVALID, exit Process.");
            return printErrors($errors);
        } else {
            installLog("Basic form info is valid, continuing Process.");
        }

        $dbconfig = array(
                "db_host_name" => $_SESSION['setup_db_host_name'],
                "db_host_instance" => $_SESSION['setup_db_host_instance'],
        );

        if(!empty($_SESSION['setup_db_port_num'])) {
            $dbconfig["db_port"] = $_SESSION['setup_db_port_num'];
        } else {
            $_SESSION['setup_db_port_num'] = '';
        }

        // Needed for database implementations that do not allow connections to the server directly
        // and that typically require the manual setup of a database instance, such as DB2
        if(empty($_SESSION['setup_db_create_database'])) {
            $dbconfig["db_name"] = $_SESSION['setup_db_database_name'];
        }

        // check database name validation in different database types (default is mssql)
        switch (strtolower($db->dbType)) {

            case 'mysql':
                // double-quoted string, so the regex is ![/\.]+!i : rejects '/' and '.'
                if (preg_match("![/\\.]+!i", $_SESSION['setup_db_database_name']) ) {
                    $errors['ERR_DB_MYSQL_DB_NAME'] = $mod_strings['ERR_DB_MYSQL_DB_NAME_INVALID'];
                    installLog("ERROR::  {$errors['ERR_DB_MYSQL_DB_NAME']}");
                }
                break;

            case 'mssql':
            default:
                // Bug 29855 - Check to see if given db name is valid
                // regex ![\"'*/\?:<>-]+!i : rejects " ' * / ? : < > and -
                if (preg_match("![\"'*/\\?:<>-]+!i", $_SESSION['setup_db_database_name']) ) {
                    $errors['ERR_DB_MSSQL_DB_NAME'] = $mod_strings['ERR_DB_MSSQL_DB_NAME_INVALID'];
                    installLog("ERROR::  {$errors['ERR_DB_MSSQL_DB_NAME']}");
                }
                break;
        }

        // test the account that will talk to the db if we're not creating it
        if( $_SESSION['setup_db_sugarsales_user'] != '' && !$_SESSION['setup_db_create_sugarsales_user'] ){
            $dbconfig["db_user_name"] = $_SESSION['setup_db_sugarsales_user'];
            $dbconfig["db_password"] = $_SESSION['setup_db_sugarsales_password'];
            installLog("Testing user account...");

            // try connecting to the DB
            if(!$db->connect($dbconfig, false)) {
                $error = $db->lastError();
                $errors['ERR_DB_LOGIN_FAILURE'] = $mod_strings['ERR_DB_LOGIN_FAILURE'];
                installLog("ERROR::  {$errors['ERR_DB_LOGIN_FAILURE']}");
            } else {
                installLog("Connection made using  host: {$_SESSION['setup_db_host_name']}, usr: {$_SESSION['setup_db_sugarsales_user']}");
                $db->disconnect();
            }
        }

        // privileged account tests
        if( empty($_SESSION['setup_db_admin_user_name']) ){
            $errors['ERR_DB_PRIV_USER'] = $mod_strings['ERR_DB_PRIV_USER'];
            installLog("ERROR:: {$errors['ERR_DB_PRIV_USER']}");
        } else {
            installLog("Testing privileged account...");
            $dbconfig["db_user_name"] = $_SESSION['setup_db_admin_user_name'];
            $dbconfig["db_password"] = $_SESSION['setup_db_admin_password'];
            if(!$db->connect($dbconfig, false)) {
                $error = $db->lastError();
                $errors['ERR_DB_LOGIN_FAILURE'] = $mod_strings['ERR_DB_LOGIN_FAILURE'];
                installLog("ERROR::  {$errors['ERR_DB_LOGIN_FAILURE']}");
            } else {
                // note: this log line names the application user although the admin account was just tested
                installLog("Connection made using  host: {$_SESSION['setup_db_host_name']}, usr: {$_SESSION['setup_db_sugarsales_user']}");
                $db_selected = $db->dbExists($_SESSION['setup_db_database_name']);
                if($silent==false && $db_selected && $_SESSION['setup_db_create_database'] && empty($_SESSION['setup_db_drop_tables'])) {
                // Scrutinizer (Coding Style Best Practice): it seems like you are loosely comparing two booleans;
                // consider using the strict comparison === instead. When comparing two booleans, it is generally
                // considered safer to use the strict comparison operator.
                    // DB exists but user didn't agree to overwrite it
                        $errStr = $mod_strings['ERR_DB_EXISTS_PROCEED'];
                        $errors['ERR_DB_EXISTS_PROCEED'] = $errStr;
                        installLog("ERROR:: {$errors['ERR_DB_EXISTS_PROCEED']}");
                } elseif($silent==false && !$db_selected && !$_SESSION['setup_db_create_database'] ) {
                // Scrutinizer (Coding Style Best Practice): loose comparison of two booleans again; consider === (same note as above)
                    // DB does not exist but user did not allow to create it
                        $errors['ERR_DB_EXISTS_NOT'] = $mod_strings['ERR_DB_EXISTS_NOT'];
                        installLog("ERROR:: {$errors['ERR_DB_EXISTS_NOT']}");
                } else {
                    if($db_selected) {
                        installLog("DB Selected, will reuse {$_SESSION['setup_db_database_name']}");
                        if($db->tableExists('config')) {
                           include('sugar_version.php');
                           // $sugar_db_version is defined by the local sugar_version.php included just above, not taken from the request
                           $versions = $db->getOne("SELECT COUNT(*) FROM config WHERE category='info' AND name='sugar_version' AND VALUE LIKE '$sugar_db_version'");
                           if($versions > 0 && $silent==false) {
                           // Scrutinizer (Coding Style Best Practice): loose comparison of two booleans again; consider === (same note as above)
                               $errors['ERR_DB_EXISTS_WITH_CONFIG'] = $mod_strings['ERR_DB_EXISTS_WITH_CONFIG'];
                               installLog("ERROR:: {$errors['ERR_DB_EXISTS_WITH_CONFIG']}");
                           }
                        }
                    } else {
                        installLog("DB not selected, will create {$_SESSION['setup_db_database_name']}");
                    }
                    if($_SESSION['setup_db_create_sugarsales_user'] && $_SESSION['setup_db_sugarsales_user'] != '' && $db_selected) {
                        if($db->userExists($_SESSION['setup_db_sugarsales_user'])) {
                            $errors['ERR_DB_USER_EXISTS'] = $mod_strings['ERR_DB_USER_EXISTS'];
                            installLog("ERROR:: {$errors['ERR_DB_USER_EXISTS']}");
                        }
                    }
                }

                // DB SPECIFIC
                $check = $db->canInstall();
                if($check !== true) {
                    // canInstall() returns an array whose first element is a $mod_strings key and the rest are sprintf arguments
                    $error = array_shift($check);
                    array_unshift($check, $mod_strings[$error]);
                    $errors[$error] = call_user_func_array('sprintf', $check);
                    installLog("ERROR:: {$errors[$error]}");
                } else {
                    installLog("Passed DB install check");
                }

                $db->disconnect();
            }
        }


        if($silent){
            return $errors;
        }else{
            printErrors($errors);
        }
        installLog("End DB Check Process *************");
}
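The three issues Scrutinizer raises on this file are the `$silent==false` comparisons in checkDBSettings() above. As an added example (not code from SuiteCRM or from this page), the snippet below runs the flagged loose comparison and the suggested strict one over the kinds of values a caller might actually pass as `$silent`, so the practical difference is visible. The function names and the value table are constructed for the example.

```php
<?php
// Added example, not part of install/checkDBSettings.php: how the flagged
// `$silent==false` comparisons behave for values that are not real booleans.
// PHP's loose comparison (==) applies type juggling, so several non-boolean
// values compare equal to false; strict comparison (===) only matches false.

/** Mirrors the installer's test: loose comparison against false. */
function isInteractiveLoose($silent): bool
{
    return $silent == false;
}

/** Same decision with strict comparison: only a real boolean false passes. */
function isInteractiveStrict($silent): bool
{
    return $silent === false;
}

/**
 * Run both predicates over a table of values a caller might pass as $silent
 * (constructed for this example) and return [label => ['loose' => bool, 'strict' => bool]].
 */
function compareSilentFlags(): array
{
    $candidates = [
        'false'          => false,
        'true'           => true,
        'null'           => null,
        'int 0'          => 0,
        'int 1'          => 1,
        'string "0"'     => '0',
        'string ""'      => '',
        'string "false"' => 'false', // non-empty string: truthy, so == false is false
        'empty array'    => [],
    ];
    $result = [];
    foreach ($candidates as $label => $value) {
        $result[$label] = [
            'loose'  => isInteractiveLoose($value),
            'strict' => isInteractiveStrict($value),
        ];
    }
    return $result;
}

foreach (compareSilentFlags() as $label => $r) {
    printf("%-16s loose: %-5s strict: %s\n",
        $label,
        $r['loose'] ? 'true' : 'false',
        $r['strict'] ? 'true' : 'false');
}
```

Run it with `php loose_vs_strict.php`. The loose form treats null, 0, "0", "" and an empty array as "not silent" in addition to false; the strict form accepts only a real false. Neither treats the string "false" as not-silent, because a non-empty string is truthy, which is why `===` alone is not the whole fix for a flag like this: declare the parameter as `bool $silent = false` and enable `declare(strict_types=1)` so that non-boolean arguments are rejected at the call boundary, after which `===` is unambiguous.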


function printErrors($errors ){

global $mod_strings;
    if(count($errors) == 0){
        echo 'dbCheckPassed';
        installLog("SUCCESS:: no errors detected!");
    }else if((count($errors) == 1 && (isset($errors["ERR_DB_EXISTS_PROCEED"])||isset($errors["ERR_DB_EXISTS_WITH_CONFIG"])))  ||
    (count($errors) == 2 && isset($errors["ERR_DB_EXISTS_PROCEED"]) && isset($errors["ERR_DB_EXISTS_WITH_CONFIG"])) ){
        ///throw alert asking to overwrite db
        echo 'preexeest';
        installLog("WARNING:: no errors detected, but DB tables will be dropped!, issuing warning to user");
    }else{
        installLog("FATAL:: errors have been detected!  User will not be allowed to continue.  Errors are as follows:");
         //print out errors
        $validationErr  = "<p><b>{$mod_strings['ERR_DBCONF_VALIDATION']}</b></p>";
        $validationErr .= '<ul>';

        foreach($errors as $key =>$erMsg){
            if($key != "ERR_DB_EXISTS_PROCEED" && $key != "ERR_DB_EXISTS_WITH_CONFIG"){
                if($_SESSION['dbUSRData'] == 'same' && $key == 'ERR_DB_ADMIN'){
                    installLog(".. {$erMsg}");
                    // note: break leaves the whole loop, so any errors after ERR_DB_ADMIN are neither printed nor logged
                    break;
                }
                $validationErr .= '<li class="error">' . $erMsg . '</li>';
                installLog(".. {$erMsg}");
            }
        }
        $validationErr .= '</ul>';
        $validationErr .= '</div>';

         echo $validationErr;
    }

}


function copyInputsIntoSession(){
            if(isset($_REQUEST['setup_db_type'])){$_SESSION['setup_db_type']                        = $_REQUEST['setup_db_type'];}
            if(isset($_REQUEST['setup_db_admin_user_name'])){$_SESSION['setup_db_admin_user_name']  = $_REQUEST['setup_db_admin_user_name'];}
            if(isset($_REQUEST['setup_db_admin_password'])){$_SESSION['setup_db_admin_password']    = $_REQUEST['setup_db_admin_password'];}
            if(isset($_REQUEST['setup_db_database_name'])){$_SESSION['setup_db_database_name']      = $_REQUEST['setup_db_database_name'];}
            if(isset($_REQUEST['setup_db_host_name'])){$_SESSION['setup_db_host_name']              = $_REQUEST['setup_db_host_name'];}

            //FTS Support
            if (isset($_REQUEST['setup_fts_type'])) {
                $_SESSION['setup_fts_type'] = $_REQUEST['setup_fts_type'];
            }
            if (isset($_REQUEST['setup_fts_host'])) {
                $_SESSION['setup_fts_host'] = $_REQUEST['setup_fts_host'];
            }
            if (isset($_REQUEST['setup_fts_port'])) {
                $_SESSION['setup_fts_port'] = $_REQUEST['setup_fts_port'];
            }

            if(isset($_SESSION['setup_db_type']) && (!isset($_SESSION['setup_db_manager']) || isset($_REQUEST['setup_db_type']))) {
                $_SESSION['setup_db_manager'] = DBManagerFactory::getManagerByType($_SESSION['setup_db_type']);
            }

            if(isset($_REQUEST['setup_db_host_instance'])){
                $_SESSION['setup_db_host_instance'] = $_REQUEST['setup_db_host_instance'];
            }

            if(isset($_REQUEST['setup_db_port_num'])){
                $_SESSION['setup_db_port_num'] = $_REQUEST['setup_db_port_num'];
            }

            // on a silent install, copy values from $_SESSION into $_REQUEST
            if (isset($_REQUEST['goto']) && $_REQUEST['goto'] == 'SilentInstall') {
                if (isset($_SESSION['dbUSRData']) && !empty($_SESSION['dbUSRData']))
                    $_REQUEST['dbUSRData'] = $_SESSION['dbUSRData'];
                else $_REQUEST['dbUSRData'] = 'same';

                if (isset($_SESSION['setup_db_sugarsales_user']) && !empty($_SESSION['setup_db_sugarsales_user']))
                    $_REQUEST['setup_db_sugarsales_user'] = $_SESSION['setup_db_sugarsales_user'];
                else $_REQUEST['dbUSRData'] = 'same';

                $_REQUEST['setup_db_sugarsales_password'] = $_SESSION['setup_db_sugarsales_password'];
                $_REQUEST['setup_db_sugarsales_password_retype'] = $_SESSION['setup_db_sugarsales_password'];
            }

            //make sure we are creating or using provided user for app db connections
            $_SESSION['setup_db_create_sugarsales_user']  = true;//get_boolean_from_request('setup_db_create_sugarsales_user');
            $db = getInstallDbInstance();
            if( !$db->supports("create_user") ){
             //if the DB doesn't support creating users, make the admin user/password same as connecting user/password
              $_SESSION['setup_db_sugarsales_user']             = $_SESSION['setup_db_admin_user_name'];
              $_SESSION['setup_db_sugarsales_password']         = $_SESSION['setup_db_admin_password'];
              $_SESSION['setup_db_sugarsales_password_retype']  = $_SESSION['setup_db_sugarsales_password'];
              $_SESSION['setup_db_create_sugarsales_user']      = false;
              $_SESSION['setup_db_create_database']             = false;

            } else {
            	$_SESSION['setup_db_create_database']             = true;
                //retrieve the value from dropdown in order to know what settings the user
                //wants to use for the sugar db user.

                //use provided db admin by default
                $_SESSION['dbUSRData'] = 'same';

                if(isset($_REQUEST['dbUSRData'])  && !empty($_REQUEST['dbUSRData'])){
                    $_SESSION['dbUSRData'] = $_REQUEST['dbUSRData'];
                }


                  if($_SESSION['dbUSRData'] == 'auto'){
                    //create user automatically
                      $_SESSION['setup_db_create_sugarsales_user']          = true;
                      $_SESSION['setup_db_sugarsales_user']                 = "sugar".create_db_user_creds(5);
                      $_SESSION['setup_db_sugarsales_password']             = create_db_user_creds(10);
                      $_SESSION['setup_db_sugarsales_password_retype']      = $_SESSION['setup_db_sugarsales_password'];
                  }elseif($_SESSION['dbUSRData'] == 'provide'){
                    //use provided user info
                      $_SESSION['setup_db_create_sugarsales_user']          = false;
                      $_SESSION['setup_db_sugarsales_user']                 = $_REQUEST['setup_db_sugarsales_user'];
                      $_SESSION['setup_db_sugarsales_password']             = $_REQUEST['setup_db_sugarsales_password'];
                      $_SESSION['setup_db_sugarsales_password_retype']      = $_REQUEST['setup_db_sugarsales_password_retype'];
                  }elseif($_SESSION['dbUSRData'] == 'create'){
                    // create user with provided info
                      $_SESSION['setup_db_create_sugarsales_user']        = true;
                      $_SESSION['setup_db_sugarsales_user']               = $_REQUEST['setup_db_sugarsales_user'];
                      $_SESSION['setup_db_sugarsales_password']           = $_REQUEST['setup_db_sugarsales_password'];
                      $_SESSION['setup_db_sugarsales_password_retype']    = $_REQUEST['setup_db_sugarsales_password_retype'];
                  }else{
                   //Use the same login as provided admin user
                      $_SESSION['setup_db_create_sugarsales_user']      = false;
                      $_SESSION['setup_db_sugarsales_user']             = $_SESSION['setup_db_admin_user_name'];
                      $_SESSION['setup_db_sugarsales_password']         = $_SESSION['setup_db_admin_password'];
                      // note: this key differs from the 'setup_db_sugarsales_password_retype' key written in the other branches
                      $_SESSION['setup_db_sugarsales_retype']           = $_SESSION['setup_db_admin_password'];
                  }
            }

            if(!isset($_SESSION['demoData']) || empty($_SESSION['demoData'])){
                $_SESSION['demoData'] = 'no';
            }
            if(isset($_REQUEST['demoData'])){$_SESSION['demoData'] = $_REQUEST['demoData'] ;}

            if($db->supports('create_db')) {
                if(!empty($_SESSION['setup_db_create_database'])) {
            	// if we're dropping DB, no need to drop tables
                	$_SESSION['setup_db_drop_tables']  = false;
                }
            } else {
                // we can't create DB, so can't drop it
                $_SESSION['setup_db_create_database'] = false;
            }

            if (isset($_REQUEST['goto']) && $_REQUEST['goto'] == 'SilentInstall' && isset($_SESSION['setup_db_drop_tables'])) {
                //set up for Oracle Silent Installer
                $_REQUEST['setup_db_drop_tables'] = $_SESSION['setup_db_drop_tables'] ;
            }
}


////    END PAGEOUTPUT
///////////////////////////////////////////////////////////////////////////////
?>
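The database-name checks in checkDBSettings() are two preg_match() calls whose character classes are easy to misread because of PHP's double-quoted string escaping. The following added example (not part of SuiteCRM; the sample names are constructed) reproduces both patterns verbatim and classifies a handful of names with each, so you can see which characters each one rejects and which pass both.

```php
<?php
// Added example, not project code: the two database-name regexes from
// checkDBSettings(), reproduced verbatim, run over a constructed set of names
// so you can see exactly which characters they reject and which they let through.

/**
 * Returns true when the installer's per-DB-type regex would flag $name as
 * invalid. The patterns are copied from checkDBSettings(); the default branch
 * (any type other than mysql) uses the mssql pattern, as in the installer.
 */
function installerRegexRejects(string $dbType, string $name): bool
{
    switch (strtolower($dbType)) {
        case 'mysql':
            // double-quoted PHP string, so this is the regex  ![/\.]+!i :
            // rejects '/' and '.'
            return (bool) preg_match("![/\\.]+!i", $name);
        case 'mssql':
        default:
            // regex  ![\"'*/\?:<>-]+!i : rejects " ' * / ? : < > and -
            return (bool) preg_match("![\"'*/\\?:<>-]+!i", $name);
    }
}

/** Evaluate a batch of names and return [name => ['mysql_rejected' => bool, 'mssql_rejected' => bool]]. */
function classifyDbNames(array $names): array
{
    $out = [];
    foreach ($names as $name) {
        $out[$name] = [
            'mysql_rejected' => installerRegexRejects('mysql', $name),
            'mssql_rejected' => installerRegexRejects('mssql', $name),
        ];
    }
    return $out;
}

// Constructed inputs for the example.
$samples = [
    'suitecrm',          // accepted by both
    'suite.crm',         // '.' : mysql regex rejects, mssql regex does not
    'suite-crm',         // '-' : mssql regex rejects, mysql regex does not
    'suite/crm',         // '/' : both reject
    "suite'crm",         // quote: only the mssql regex rejects
    'suite`crm',         // backtick: neither regex rejects
    'suite crm;drop',    // space and ';' : neither regex rejects
];

foreach (classifyDbNames($samples) as $name => $r) {
    printf("%-18s mysql:%-8s mssql:%s\n", $name,
        $r['mysql_rejected'] ? 'reject' : 'accept',
        $r['mssql_rejected'] ? 'reject' : 'accept');
}
```

Both regexes are a second line of defence behind `$db->isDatabaseNameValid()`, which the DB manager implements and which is not shown on this page. Neither pattern rejects backticks, whitespace or semicolons, so for names containing those characters the installer relies on that earlier method and on the DB layer's own quoting; do not treat the preg_match() branches as the complete name validation when reviewing this file.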