I haven't had the time nor the motivation to work on my CMS in recent months. Today I had some time to spare so I picked it up again.

One of the parts that was holding me back before was the creation of an installation script that would get information from the user about the address of the database, its username and password, and some information to create the admin account, so today my project was to create that page.

In the process I discovered that there were some problems in my database classes. I cannot use mysql_real_escape_string() on the query as a whole - it needs to be done on individual parameters. I updated Query() and added a new function EscapeString():

    // Escapes a string to protect against SQL injection
    function EscapeString($str) {
        // Numeric values contain no quote characters and are returned as-is
        if (!is_numeric($str))
            return mysql_real_escape_string($str, $this->link);
        return $str;
    }

    // Performs a query
    // It is assumed that the query is safe
    function Query($query) {
        $result = mysql_query($query, $this->link);

        if (!$result) {
            $this->error = mysql_error();
            return false;
        } else {
            $this->error = '';
            return new QueryResult($result, $this->link);
        }
    }

I also made some changes to the QueryResult class to prevent the warnings that come up when $result comes from a query like UPDATE or INSERT.

I fixed a bug in RegisterUser() in which I wasn't quoting the hash of the password or the join date, and sometime during my period of not posting I switched from using MD5 to hash the password to SHA1.

Here is my installation script:

    <?php
    /*
     * Title: Installation
     * Author: Colin Jeanne (http://colinjeanne.net)
     * Date: May 23, 2005
     * Description:
     *   Gets information to access the database
     *   Creates cms-settings.php and tables for modules and users
     */
    ?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <title>CMS Installation</title>
    </head>
    <body>
    <?php
    if (isset($_POST['action'])) {
        // The form was submitted

        $f = fopen('cms-settings.php', 'wt');

        if ($f === false)
            exit("Could not open cms-settings.php for write access");

        // Attempt to write necessary variables to cms-settings.php
        if (fputs($f, "<?php\n") === false)
            exit("Could not write to cms-settings.php");

        if (fputs($f, ' $dbserver = \'' . $_POST['dbserver'] .
                "';\n") === false) {
            exit("Could not write to cms-settings.php");
        }

        if (fputs($f, ' $dbusername = \'' . $_POST['dbusername'] .
                "';\n") === false) {
            exit("Could not write to cms-settings.php");
        }

        if (fputs($f, ' $dbpassword = \'' . $_POST['dbpassword'] .
                "';\n") === false) {
            exit("Could not write to cms-settings.php");
        }

        if (fputs($f, ' $dbname = \'' . $_POST['dbname'] . "';\n") === false)
            exit("Could not write to cms-settings.php");

        if (fputs($f, "?>\n") === false)
            exit("Could not write to cms-settings.php");

        // Close the file so the settings are complete before they are loaded
        fclose($f);

        // Load the database class (which loads the newly created
        // cms-settings.php) and create the central user table and the module
        // registration table

        $db = new Database;

        if ($db->error != '')
            exit("Could not connect to database");

        $result = $db->CreateTable('admin', 'Users',
            'Name VARCHAR(25), ' .
            'Password CHAR(40), ' .
            'Email VARCHAR(255), ' .
            'JoinDate DATE DEFAULT \'0000-00-00\', ' .
            'Type ENUM(\'Admin\', \'Peon\') ' .
            'DEFAULT \'Peon\')');

        if ($result == false) {
            exit("Could not create user table: $db->error");
        }

        $result = $db->CreateTable('admin', 'Registered',
            'Path VARCHAR(255), ' .
            'Frontpage BOOL DEFAULT \'FALSE\')');

        if ($result == false) {
            exit("Could not create modules table: $db->error");
        }

        // Load the administration functions and register this as the admin
        // module

        if (RegisterModule('admin', 'admin.php') === false)
            exit("Could not register admin module");

        // Load the central user database functions in order to register the
        // administrator

        if (RegisterUser($_POST['username'], $_POST['password'],
                $_POST['email'], 'Admin') === false) {
            exit("Could not register administrator account");
        }

        print "Installation successful";
    } else {
        // Output installation form
    ?>
    <form action="install.php" method="post">

    <input type="text" name="dbserver" id="dbserver" />

    <input type="text" name="dbusername" id="dbusername" />

    <input type="text" name="dbpassword" id="dbpassword" />

    <input type="text" name="dbname" id="dbname" />

    <input type="text" name="username" id="username" />

    <input type="text" name="password" id="password" />

    <input type="text" name="email" id="email" />

    <input type="hidden" name="action" id="action" value="action" />
    <input type="submit" value="Install" />
    </form>
    <?php
    }
    ?>
    </body>
    </html>
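
The installer above concatenates the submitted database settings directly into the PHP source of cms-settings.php, so a value containing a quote or backslash is no longer just data once that file is included. The following is an added example, not the author's code, that writes each setting with var_export() instead. The helper name write_settings(), the temporary-file handling, the sample values and the use of PHP 7.1+ syntax are assumptions.

```php
<?php
// Added example: write_settings() is a hypothetical helper, not the CMS's own code.
function write_settings(string $path, array $input): void
{
    $lines = ['<?php'];
    foreach (['dbserver', 'dbusername', 'dbpassword', 'dbname'] as $key) {
        if (!isset($input[$key]) || !is_string($input[$key])) {
            throw new InvalidArgumentException("Missing or non-string field: $key");
        }
        $value = $input[$key];
        // Control characters (NUL, newlines) have no place in these settings.
        if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
            throw new InvalidArgumentException("Control character in field: $key");
        }
        // var_export() returns a quoted PHP string literal with ' and \ escaped,
        // so the value stays data when the settings file is later included.
        $lines[] = '$' . $key . ' = ' . var_export($value, true) . ';';
    }

    // Write a temporary file and rename it, so a failed write never leaves
    // a half-written settings file behind.
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, implode("\n", $lines) . "\n", LOCK_EX) === false) {
        throw new RuntimeException("Could not write $tmp");
    }
    chmod($tmp, 0600); // readable only by the account PHP runs as
    if (!rename($tmp, $path)) {
        throw new RuntimeException("Could not replace $path");
    }
}

// Constructed sample input standing in for $_POST; the password contains
// the two characters that matter inside a single-quoted PHP string.
$sample = [
    'dbserver'   => 'localhost',
    'dbusername' => 'cms',
    'dbpassword' => "pa'ss\\word",
    'dbname'     => 'cms',
];
$path = sys_get_temp_dir() . '/cms-settings-example.php';
write_settings($path, $sample);
include $path;                                    // defines $dbserver, $dbpassword, ...
var_dump($dbpassword === $sample['dbpassword']);  // round-trip check
unlink($path);
```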

