
Small Bug on installation when blank DB Password

Congrats for releasing 1.0!
I just installed a brand new copy of the Vanilla 1.0 release and found this small bug. If you leave the field for the database password blank during installation (because you have not set a password for your database), then
$Configuration['DATABASE_PASSWORD'] = 'your_vanilla_database_password';
from appg/settings.php will be used as the password.

I recommend writing
$Configuration['DATABASE_PASSWORD'] = '';
to conf/database.php instead.

Comments

  • Mark (Vanilla Staff)
    It's funny, but that's something that has always been a peeve of mine - how mysql comes with a password-less user by default. I don't think anyone should ever leave their mysql db without a password on it. It's always the first thing I do - removing that user or applying a password to the account.

    Either way, I'm glad you figured out how to get around it...
  • I had this same problem when installing Vanilla on my local dev machine w/ the localhost/root MySQL settings. I found the problem right away, but someone new to Vanilla may get discouraged if the first thing they see is an error message after that awesome installation process. Maybe it could be documented somewhere? Or simply fixed as a small bug?
  • I understand, Mark, that the no-password option is irritating...
    but still, your installer will fail with that setting....
    This is a little cloud in the middle of a crystal clear sky, and some will not get to enjoy the beautiful sun that Vanilla offers,
    so my point is: why not give them a little bit of sun too ;)

    my 2C
  • From my experience, it's clearly stated in the mySQL docs and even during most installations that mySQL is not fully configured or secure until YOU create the accounts with password. Most server packages strongly recommend you take that small extra step to ensure that your accounts are made safe before and after. The reason why mySQL doesn't do this for you is beyond my comprehension. But if I had to guess, they obviously want you to take the initiative and set it up for yourself while learning a thing or two. But agreed they should generate something at runtime instead of leaving the doors wide open.

    In any case, consider it a good thing that Vanilla partially refuses to set up on a server which is not configured properly. Even if it is a local installation with localhost as the server, it's good to have accounts and passwords. Otherwise it's like having a house in a neighborhood without any locks or security, because at any given moment, no matter how good you may think the neighborhood is, anyone can just barge in and take over unexpectedly, or worse.

    If anything, more warning flags should be raised so that users who do manage to install Vanilla under blank user names and passwords are reminded to get things sorted out before the warnings are allowed to go away. It's only common sense to practice security in this matter, because if you decide it's wise to have users without passwords and someone does discover a flaw in the software and abuses it, it's only made easier because you forgot to add a password to the database.
  • don't get me wrong...
    I'm not saying that having no password is good, I'm only saying that if you leave a blank password during installation process... you will get an error...
    so IMO the correct thing should be a warning when users leave a blank password saying for example "we strongly recommend to use password" or "in order to use vanilla you must set up a password" or whatever....
    but the end user should not be left with a generic error, IMHO.
    ;)
  • Yeah, well at least it tosses a nice, albeit slightly generic, error, unlike other apps which are far more of the cryptic sort :) But yeah, since users can still bypass that with a little tinkering, an annoying configuration flag like $Configuration['DB_PASSISBLANK'] = '1'; could also be added to constantly alert the administrative user that their DB password is blank, with a short message indicating they should create a password. That's still optional though.

    For now I think a conditional error should be displayed with a more descriptive error message if the password is "your_vanilla_database_password" or "".
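The conditional check proposed in the last comment, together with the escaping needed when the installer writes the value into conf/database.php, as an added PHP example that is not Vanilla's own installer code; the function and constant names are assumptions, and the placeholder string is the one quoted in this thread:

```php
<?php
// Added example, not Vanilla's installer code. Function and constant names are
// assumptions; the placeholder is the default quoted from appg/settings.php.

const PLACEHOLDER_DB_PASSWORD = 'your_vanilla_database_password';

/**
 * Read the password submitted by the install form. The bug in the thread is
 * that an empty field is treated as "not set" and the placeholder default from
 * appg/settings.php leaks into conf/database.php. Testing isset() rather than
 * empty() keeps a deliberately blank value as '' instead of falling back.
 */
function resolveSubmittedPassword(array $form): ?string {
    return isset($form['DATABASE_PASSWORD']) ? (string)$form['DATABASE_PASSWORD'] : null;
}

/**
 * The conditional check from the last comment: refuse the placeholder outright
 * and report a blank password with a descriptive message, instead of letting
 * the installer fail later with a generic MySQL error. Returns [$ok, $message].
 */
function checkDatabasePassword(?string $password): array {
    if ($password === null) {
        return [false, 'The installer did not receive a database password field.'];
    }
    if ($password === PLACEHOLDER_DB_PASSWORD) {
        return [false, 'The example value from appg/settings.php is still set; enter your real database password.'];
    }
    if ($password === '') {
        return [false, 'Blank database password: MySQL only accepts this for an account with no password, which leaves the database open. Set a password on the account and re-run the installer.'];
    }
    return [true, ''];
}

/**
 * Emit the setting as a PHP literal. var_export() quotes and escapes the value,
 * so a password containing ' or \ cannot break, or inject code into, the
 * generated conf/database.php.
 */
function databaseConfigLine(string $password): string {
    return "\$Configuration['DATABASE_PASSWORD'] = " . var_export($password, true) . ';';
}

// Constructed form submissions: missing field, blank, placeholder, real value with a quote.
foreach ([[], ['DATABASE_PASSWORD' => ''], ['DATABASE_PASSWORD' => PLACEHOLDER_DB_PASSWORD], ['DATABASE_PASSWORD' => "s3cr'et"]] as $form) {
    [$ok, $message] = checkDatabasePassword(resolveSubmittedPassword($form));
    echo $ok ? databaseConfigLine($form['DATABASE_PASSWORD']) : "Install error: $message", "\n";
}
```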