Ticket #13839: 13839.6.diff

wp-admin/setup-config.php

@@ -51 +51 @@
 
 require_once(ABSPATH . WPINC . '/compat.php');
 require_once(ABSPATH . WPINC . '/class-wp-error.php');
+require_once(ABSPATH . WPINC . '/formatting.php');
 
 if ( ! file_exists( ABSPATH . 'wp-config-sample.php' ) )
         wp_die( __( 'Sorry, I need a wp-config-sample.php file to work from. Please re-upload this file from your WordPress installation.' ) );
@@ -152 +153 @@
         break;
 
         case 2:
-        $dbname  = trim($_POST['dbname']);
-        $uname   = trim($_POST['uname']);
-        $passwrd = trim($_POST['pwd']);
-        $dbhost  = trim($_POST['dbhost']);
-        $prefix  = trim($_POST['prefix']);
-        if ( empty($prefix) )
-                $prefix = 'wp_';
+        // Turn register_globals off.
+        wp_unregister_GLOBALS();
 
-        // Validate $prefix: it can only contain letters, numbers and underscores
+        // Add magic quotes.
+        wp_magic_quotes();
+
+        foreach ( array( 'dbname', 'uname', 'pwd', 'dbhost', 'prefix' ) as $key )
+                $$key = trim( stripslashes( $_POST[ $key ] ) );
+
+        $tryagain_link = '</p><p class="step"><a href="setup-config.php?step=1" onclick="javascript:history.go(-1);return false;" class="button">' . __( 'Try Again' ) . '</a>';
+
+        if ( empty( $prefix ) )
+                wp_die( __( '<strong>ERROR</strong>: "Table Prefix" must not be empty.' . $tryagain_link ) );
+
+        // Validate $prefix: it can only contain letters, numbers and underscores.
         if ( preg_match( '|[^a-z0-9_]|i', $prefix ) )
-                wp_die( __( '<strong>ERROR</strong>: "Table Prefix" can only contain numbers, letters, and underscores.' ) );
+                wp_die( __( '<strong>ERROR</strong>: "Table Prefix" can only contain numbers, letters, and underscores.' . $tryagain_link ) );
 
         // Test the db connection.
         /**#@+
@@ -170 +177 @@
          */
         define('DB_NAME', $dbname);
         define('DB_USER', $uname);
-        define('DB_PASSWORD', $passwrd);
+        define('DB_PASSWORD', $pwd);
         define('DB_HOST', $dbhost);
         /**#@-*/
 
         // We'll fail here if the values are no good.
         require_wp_db();
-        if ( ! empty( $wpdb->error ) ) {
-                $back = '<p class="step"><a href="setup-config.php?step=1" onclick="javascript:history.go(-1);return false;" class="button">' . __( 'Try Again' ) . '</a></p>';
-                wp_die( $wpdb->error->get_error_message() . $back );
-        }
+        if ( ! empty( $wpdb->error ) )
+                wp_die( $wpdb->error->get_error_message() . $tryagain_link );
 
         // Fetch or generate keys and salts.
         $no_api = isset( $_POST['noapi'] );
@@ -213 +218 @@
         $key = 0;
         foreach ( $config_file as &$line ) {
                 if ( '$table_prefix  =' == substr( $line, 0, 16 ) ) {
-                        $line = '$table_prefix  = \'' . $prefix . "';\r\n";
+                        $line = '$table_prefix  = \'' . addcslashes( $prefix, "\\'" ) . "';\r\n";
                         continue;
                 }
 
@@ -228 +233 @@
                         case 'DB_USER'     :
                         case 'DB_PASSWORD' :
                         case 'DB_HOST'     :
-                                $line = "define('" . $constant . "'," . $padding . "'" . constant( $constant ) . "');\r\n";
+                                $line = "define('" . $constant . "'," . $padding . "'" . addcslashes( constant( $constant ), "\\'" ) . "');\r\n";
                                 break;
                         case 'AUTH_KEY'         :
                         case 'SECURE_AUTH_KEY'  :