[Xerte] Toolkits - random suggestions/changes (feedback from install)

David Goodwin david at palepurple.co.uk
Wed Dec 3 16:23:42 GMT 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,


Whenever I run 'setup/page2.php' I run into SQL problems -- as a
suggestion, could you change the basic.sql file to add some "DROP TABLE
IF EXISTS ...." (so there are no "duplicate key exists" errors when
trying to insert the same data into a table), and it won't therefore
fail to create a table that already exists...

So if the script is run twice (after encountering a problem) it doesn't
fail.

In my situation, the MySQL user I enter on page1 has rights to create a
database etc - but DOESN'T have rights to connect to the 'mysql'
database.... therefore page2(?) fails when it tries to query the mysql
table to find out access permissions.


I also make the following changes to 'demo.php' (which is renamed to
login.php - it would be helpful if the final setup page said what to
rename demo.txt to):

- --- demo.txt	2008-11-28 14:26:56.000000000 +0000
+++ login.php	2008-12-03 15:58:37.000000000 +0000
@@ -18,7 +18,7 @@

 	$_SESSION['firstname'] = "Guest";
 				
- -	$x = rand(1,10) * rand(1,10);
+	//$x = rand(1,10) * rand(1,10);

 	$_SESSION['surname'] = $x;

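Review bot: commenting out the assignment to $x on the `- -	$x = rand(1,10) * rand(1,10);` line leaves `$_SESSION['surname'] = $x;` in the unchanged context referencing a variable that is now never set, so PHP will raise an undefined-variable notice and the surname ends up null. Either remove or replace that assignment as well (for example `$_SESSION['surname'] = "User";`) rather than leaving a dangling read.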
@@ -28,7 +28,7 @@

 	$mysql_id=database_connect("index.php database connect
success","index.php database connect fail");			

- -	$_SESSION['login_ldap'] = "Guest" . $x;
+	$_SESSION['login_ldap'] = "GuestUser";

 	if(check_if_first_time($_SESSION['login_ldap'])){

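Review bot: hard-coding `$_SESSION['login_ldap'] = "GuestUser";` means every person who passes the Apache authentication is mapped to the same single Xerte account, so `check_if_first_time(...)` is only true for the first visitor and all subsequently created content is attributed to one shared identity with no per-user ownership. If Apache is doing the authentication, the authenticated name is available to PHP in `$_SERVER['REMOTE_USER']`, which would give each user their own account (check that it is set before using it, since it is empty when the page is reached without authentication).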
@@ -59,4 +59,4 @@
 	echo file_get_contents($site->website_code_path . "management_bottom");	

 ?>
- -			
\ No newline at end of file
+			
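Review bot: this hunk is whitespace only, but the tab characters after the closing `?>` (present both before and after the change) are sent to the browser as output, and any header() or session call that runs after this file is included will then fail with "headers already sent". Remove the trailing whitespace entirely, or drop the closing `?>` tag, which PHP does not require at the end of a file.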

And then configure Apache to require authentication for login.php. Is
this an acceptable means of securing Xerte so only authenticated users
can create new stuff?



Finally, I'd suggest you change /index.php so that :

a) If the setup directory exists, it redirects you to it
b) If config.php exists, and setup directory exists it aborts with some
useful error message telling the administrator to delete the directory
as it shouldn't be there (this would presumably be a security flaw if
left accessible?)

Thanks
David.

-- 
 David Goodwin                          Pale Purple Limited
 Office: 0845 0046746                   Mobile: 07792380669
 http://www.palepurple.co.uk            Company No: 5580814
 'Business Web Application Development and Training in PHP'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJNrKN/ISo3RF5V6YRAjhqAJ4g8UF9A4qZ1/tmrDUFEjDt0GyqLACeKjnc
/7Uj/O6wPnFD2Ibmul1tZFY=
=KapY
-----END PGP SIGNATURE-----
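The two index.php rules suggested in the message above (redirect to the installer while it is still present, but refuse to run at all once config.php exists alongside it), as an added example that is not part of the original e-mail or of Xerte's own code. The file and directory names follow the message; the exact paths relative to index.php, the 503 response and the message text are assumptions.

```php
<?php
// Added example guard for the top of index.php; not Xerte project code.
// Assumed layout: config.php and the setup/ directory sit beside index.php.
$setupDir   = __DIR__ . '/setup';
$configFile = __DIR__ . '/config.php';

// Rule (b) must be tested first: its condition (setup/ exists) is also the
// condition for rule (a), so checking (a) first would silently redirect an
// already-installed site straight back into the installer.
if (is_dir($setupDir) && is_file($configFile)) {
    // Installed, but the installer is still reachable: stop and tell the
    // administrator to remove it instead of serving the application.
    header('HTTP/1.1 503 Service Unavailable');
    header('Content-Type: text/plain; charset=utf-8');
    echo "Setup is complete (config.php exists) but the setup/ directory is ",
         "still present. Delete it from the web root before using the site.\n";
    exit;
}

// Rule (a): not installed yet, so send the visitor to the installer.
if (is_dir($setupDir)) {
    header('Location: setup/');
    exit;
}

// Normal application start continues below this point.
require $configFile;
```

The check runs before any output or session handling so the header() calls work, and it does not disclose anything beyond what the administrator already knows (the directory and file names), so the error text is safe to show to an unauthenticated visitor.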

