Fix for [ 988901 ] (install) database password not escaped in LocalSettings.php
authorBrion Vibber <brion@users.mediawiki.org>
Thu, 5 Aug 2004 07:14:36 +0000 (07:14 +0000)
committerBrion Vibber <brion@users.mediawiki.org>
Thu, 5 Aug 2004 07:14:36 +0000 (07:14 +0000)
addslashes() is not quite correct for PHP double-quoted string literals.
Created an escapePhpString() function which should cover the right bits.
See http://www.php.net/manual/en/language.types.string.php#language.types.string.syntax.double

config/index.php

index eafe930..e6fb49c 100644 (file)
@@ -731,6 +731,18 @@ function writeAdminSettings( $conf ) {
 ";
 }
 
+function escapePhpString( $string ) {
+       return strtr( $string,
+               array(
+                       "\n" => "\\n",
+                       "\r" => "\\r",
+                       "\t" => "\\t",
+                       "\\" => "\\\\",
+                       "\$" => "\\\$",
+                       "\"" => "\\\""
+               ));
+}
+
 function writeLocalSettings( $conf ) {
        $conf->DBmysql4 = @$conf->DBmysql4 ? 'true' : 'false';
        $conf->UseImageResize = $conf->UseImageResize ? 'true' : 'false';
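Review bot: `escapePhpString()` is added without a comment stating the one context it is valid for, and that restriction is what makes it safe. The map escapes backslash, `$` and `"` plus three control characters, which fits a double-quoted PHP literal, but it leaves `'` untouched, so a value placed in a single-quoted literal or emitted outside quotes would not be protected. I would add above the function: `# Escape a value for embedding inside a double-quoted PHP string literal only; not valid for single-quoted literals or unquoted code.` Separately, `writeAdminSettings()` ends just above this hunk and is not changed here; its body is outside the hunk, so it is worth confirming whether it also writes credentials into a generated PHP file and needs the same escaping.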
@@ -761,7 +773,7 @@ function writeLocalSettings( $conf ) {
        }
 
        # Add slashes to strings for double quoting
-       $slconf = array_map( "addslashes", get_object_vars( $conf ) );
+       $slconf = array_map( "escapePhpString", get_object_vars( $conf ) );
 
 
        $sep = (DIRECTORY_SEPARATOR == "\\") ? ";" : ":";
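Review bot: The comment kept above the changed line, `# Add slashes to strings for double quoting`, no longer describes the code now that `addslashes` is gone; something like `# Escape every setting for use inside double-quoted PHP string literals` would match. The map runs over everything returned by `get_object_vars( $conf )`, so the fix only holds if each `$slconf` value is interpolated between double quotes in the template that follows. That template is outside this hunk and should be checked for values written in single quotes or bare. Any non-string property would also be coerced to a string by `strtr()`, which looks the same as the previous `addslashes` behaviour but is worth noting in the comment.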