Hi, I'm coding an installer. Anyhow, I've run into trouble: when it creates the global.php file, the $mysql_ connection does not show up in the file while everything else does?
I'm trying to insert this:
$mysql_host = 'localhost';
$mysql_user = 'root';
$mysql_name = '-----';
$mysql_pass = '-----';
In the global.php it comes out with:
= 'localhost';
= 'root';
= '-----';
= '-----';
Notice $mysql_ missing?
This is the code in the installer:
$db_name = trim($_POST['db_name']);
$db_user = trim($_POST['db_user']);
$db_pass = trim($_POST['db_pass']);
$db_host = trim($_POST['db_host']);
$handle = fopen($setting['config']['folder'] . $setting['config']['file'], 'w');
$input = "<?php
$mysql_host = '".$db_host."';
$mysql_user = '".$db_user."';
$mysql_name = '".$db_name."';
$mysql_pass = '".$db_pass."';
?>
";
fwrite($handle, $input);
fclose($handle);
Can someone help? Thanks
$input = "<?php
\$mysql_host = '$db_host';
\$mysql_user = '$db_user';
\$mysql_name = '$db_name';
\$mysql_pass = '$db_pass';
?>";
In double-quoted strings, the $ sign is like concatenation. If you want to insert a dollar sign in a string, you should escape it with a \ backslash.
Since you're using double-quotes in the string, PHP will interpret variable names it sees in the string, and output the value of the variable rather than the variable name.
This is a PHP feature intended to allow you to embed variables inside a string without having to open and close the string repeatedly. Ironically, that's exactly what you're doing with your actual PHP variables.
You have two options:
Switch to using single quotes for the string. This will work exactly as you have it.
Keep using double quotes, but escape the $ symbol with a backslash where you don't want PHP to interpret it.
If you do keep using double quotes, you also have the option, as I said, to embed your variables in the string, so you don't need to keep opening and closing the quotes. In this case, your code would look like this:
$input = "<?php
\$mysql_host = '{$db_host}';
\$mysql_user = '{$db_user}';
\$mysql_name = '{$db_name}';
\$mysql_pass = '{$db_pass}';
?>
";
One other thing you need to be aware of though: you're not escaping the $db_xx variables when you read them from $_POST. This means, for example, that if the user has a name or password with a quote character in it, it will result in invalid PHP code being generated.
Furthermore, it would be possible for the user to use this error as a technique to inject arbitrary PHP code into the system. Although this script is clearly intended for use only when setting up the system in the first place, this is a major security flaw in your code which should be corrected.
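One way to close the escaping gap described in the answer above, as an added example that is not code from either poster: build each assignment with var_export(), which emits a correctly escaped PHP string literal, and take the variable names from a fixed list. The function name build_config, the sample values and the temporary file path are assumptions made for illustration.

```php
<?php
/**
 * Build the source of the config file from installer input.
 * Variable names come from a fixed list, never from the request.
 */
function build_config(array $input): string
{
    // Fixed mapping: form field => variable name written to the file.
    $fields = [
        'db_host' => 'mysql_host',
        'db_user' => 'mysql_user',
        'db_name' => 'mysql_name',
        'db_pass' => 'mysql_pass',
    ];

    $lines = ['<?php'];
    foreach ($fields as $field => $var) {
        $value = $input[$field] ?? '';
        if (!is_string($value)) {
            throw new InvalidArgumentException("$field must be a string");
        }
        // The single-quoted '$' stays literal; var_export() escapes any
        // ' or \ inside the value so it cannot end the string early.
        $lines[] = '$' . $var . ' = ' . var_export(trim($value), true) . ';';
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample input standing in for $_POST; the password contains a
// quote, a backslash and a dollar sign.
$post = [
    'db_host' => 'localhost',
    'db_user' => 'root',
    'db_name' => 'shop',
    'db_pass' => "p'a\\ss; \$x",
];

// Hypothetical target path; the installer would use its own config path.
$path = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($path, build_config($post), LOCK_EX);
chmod($path, 0600); // credentials file: readable by the owner only

// Round trip: load the generated file and confirm the value is unchanged.
include $path;
var_dump($mysql_pass === $post['db_pass']);
unlink($path);
```

Because the value is written as a single-quoted literal, the quote and backslash arrive in the generated file escaped, and the loaded $mysql_pass compares equal to what was submitted.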