Uploaded image for project: 'phpBB3'
  1. phpBB3
  2. PHPBB3-13251

Database password containing special characters no longer accepted after upgrade to 3.1.0

    Details

    • Type: Bug
    • Status: Unverified Fix
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.1.0
    • Fix Version/s: 3.1.2-RC1
    • Component/s: None
    • Labels:
      None
    • Environment:
      PHP Version 5.5.14
      MySQL server 5.5.37-cll
      mysqli client API: 5.5.37
      Apache/2.2.27
      OS: CentOS 6.5

      Description

      Hello,

      I've discovered that a character or set of characters within password of my phpBB database user lead to access denied SQL failure, after phpBB displays the initial phpBB page successfully.

      Then, I've manually emptied cache/ folder, and was able to display one forum page successfully, before getting the SQL access denied message.

      Once, I've changed password – the problem goes away.
      I was able to reproduce the problem by reverting to the original password.

      Please note, that the original password did not cause any problem for phpBB 3.0.12.

      Database: MySQL using mysqli interface.
      The problematic password is "Lh3oy9Qi%%^4" (excluding double quotes).

      Thank you.

      P.S. I've reported the issue on the support forum first:
      https://www.phpbb.com/community/viewtopic.php?f=466&t=2269671

        Issue Links

          Activity

          Hide
          spider2012 spider2012 added a comment -

          Please take a look at this post for further diagnostic information:

          https://www.phpbb.com/community/viewtopic.php?f=466&t=2269671&p=13777161#p13777066

          Show
          spider2012 spider2012 added a comment - Please take a look at this post for further diagnostic information: https://www.phpbb.com/community/viewtopic.php?f=466&t=2269671&p=13777161#p13777066
          Hide
          T0ny T0ny added a comment -

          The issue appears to be due to the symphony class PhpDumper performing interpolation on the strings processed by the dumpValue() method. That is, it attempts to replace placeholders of the form %parameter% with the relevant parameter value.

          e.g. if you create a database password like $dbpasswd = 'xx%FOO%xx'; you will get the error:

          The service "dbal.conn.driver" has a dependency on a non-existent parameter "foo"

          Because the percentage sign is the delimiter for these placeholders a percentage sign that isn't part of a placeholder must be escaped (%%). PhpDumper assumes this has been done and will replace it with a single percentage sign which was the cause of the OPs problem

          Show
          T0ny T0ny added a comment - The issue appears to be due to the symphony class PhpDumper performing interpolation on the strings processed by the dumpValue() method. That is, it attempts to replace placeholders of the form %parameter% with the relevant parameter value. e.g. if you create a database password like $dbpasswd = 'xx%FOO%xx'; you will get the error: The service "dbal.conn.driver" has a dependency on a non-existent parameter "foo" Because the percentage sign is the delimiter for these placeholders a percentage sign that isn't part of a placeholder must be escaped ( %% ). PhpDumper assumes this has been done and will replace it with a single percentage sign which was the cause of the OPs problem

            People

            • Assignee:
              prototech prototech
              Reporter:
              spider2012 spider2012
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development