From 9fe23798665e2bbe2a55c6125f7329048aa45165 Mon Sep 17 00:00:00 2001 From: Sebi94nbg Date: Sun, 9 Jul 2023 17:40:24 +0200 Subject: [PATCH] Reduce necessary database privileges - Avoid the usage of "SHOW DATABASES" as this requires global privileges, which a restricted database user will not have in best case. The application should not be potentially able to see other databases on the host. - Avoid the usage of "DROP DATABASE" as an application should never delete itself. This also ensures, that the application does not accidently delete all data. - "CREATE DATABASE" only if it not exists yet. This ensures, that the application can create the database, if it does not exist yet, but it will not fail, if it already exists. - If the database already has the necessary tables, the following SQL statements will fail, so the "if database exists" check is not necessary. --- install.php | 16 +++------------- 1 file changed, 3 insertions(+), 13 deletions(-) diff --git a/install.php b/install.php index c244bd3..b57e1e4 100644 --- a/install.php +++ b/install.php @@ -79,18 +79,8 @@ function install($type, $host, $user, $pass, $dbname, $lang, $mysqlcon, &$err_ms $err_lvl = 2; } else { $count = 1; - $stmt = $mysqlcon->query('SHOW DATABASES'); - while ($row = $stmt->fetch(PDO::FETCH_ASSOC)) { - if ($row['Database'] == $dbname) { - $dbExists = true; - break; - } - } - if ($dbExists) { - if(($mysqlcon->exec("DROP DATABASE `$dbname`")) === false) { } - } - - if($mysqlcon->exec("CREATE DATABASE `$dbname`") === false) { + + if($mysqlcon->exec("CREATE DATABASE IF NOT EXISTS `$dbname`") === false) { $err_msg .= $lang['isntwidbmsg'].$mysqlcon->errorCode()." ".print_r($mysqlcon->errorInfo(), true).'
'; $err_lvl = 2; $count++; } @@ -1072,4 +1062,4 @@ function install($type, $host, $user, $pass, $dbname, $lang, $mysqlcon, &$err_ms }); - \ No newline at end of file +
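Review bot: `$dbname` is still interpolated straight into the `CREATE DATABASE IF NOT EXISTS` statement on the added line, so a value containing a backtick ends the quoted identifier and changes the statement that is executed with the installer's database privileges. Identifiers cannot be bound as PDO parameters, so the name should be validated before the `exec()` call, for example `if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $dbname)) { $err_msg .= 'invalid database name'; $err_lvl = 2; }`, with the `CREATE DATABASE` call moved into the `else` branch. Where `$dbname` comes from is not visible in this hunk; if it is taken from the install form, as the `install()` signature suggests, this check is the only thing between user input and the statement. Since the drop-and-recreate step is gone, it would also help to add a comment such as `// existing databases are reused as-is; later CREATE TABLE statements fail if the schema is already present` so the new behaviour is stated next to the code. `install()` starts and ends outside the hunk.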