
Blank Database Password Bug

edited July 2006 in Vanilla 1.0 Help
I thought I'd give vanilla a try on my local test server (using WAMP). By default, WAMP uses a blank password for the root account.

When I went through installing vanilla, it worked okay and used the blank password which I did not put.

However, after the installation, when I tried to log in I got the following error:
Access denied for user 'root'@'localhost' (using password: YES)

So, I looked into your code to try to analyze what was going on. Apparently, here's what's happening:
When testing the connection in installer.php, it correctly uses the password supplied. However, I noticed that if the password is blank, it does not save it in conf/database.php like it's supposed to.

Here's what my complete file looks like:
<?php
// Database Configuration Settings
$Configuration['DATABASE_HOST'] = 'localhost';
$Configuration['DATABASE_NAME'] = 'vanilla';
$Configuration['DATABASE_USER'] = 'root';
?>

Well, so now because appg/settings.php contains the following line:
$Configuration['DATABASE_PASSWORD'] = 'your_vanilla_database_password';
This is what gets set as the password since there is no line in conf/database.php that overwrites this.

So that's why I get the access denied error above.

Oh, and for those of you who may have the same problem and don't know how to fix this, just add the following line to your conf/database.php:
$Configuration['DATABASE_PASSWORD'] = '';
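
The failure described in the post above, reproduced as an added example that is not part of the original post and is not Vanilla's installer code. The function names and the skip-blank logic are assumptions for illustration; only the configuration keys and the placeholder default come from the post.

```php
<?php
// Added example. render_conf(), effective() and the $skipBlank switch are
// hypothetical; they are not taken from Vanilla's installer.php.

// Default quoted in the post from appg/settings.php.
$defaults = ['DATABASE_PASSWORD' => 'your_vanilla_database_password'];

// Values collected at install time; the blank password is the WAMP default.
$submitted = [
    'DATABASE_HOST'     => 'localhost',
    'DATABASE_NAME'     => 'vanilla',
    'DATABASE_USER'     => 'root',
    'DATABASE_PASSWORD' => '',
];

// Keep only the values that would be written to conf/database.php.
// With $skipBlank = true a blank value is treated as "nothing to save".
function written(array $values, bool $skipBlank): array
{
    return $skipBlank ? array_filter($values, fn($v) => $v !== '') : $values;
}

// Render conf/database.php from the values that survive written().
function render_conf(array $values, bool $skipBlank): string
{
    $out = "<?php\n// Database Configuration Settings\n";
    foreach (written($values, $skipBlank) as $key => $value) {
        $out .= "\$Configuration['$key'] = " . var_export($value, true) . ";\n";
    }
    return $out . "?>\n";
}

// Effective settings: defaults load first, conf/database.php overrides them.
function effective(array $defaults, array $values, bool $skipBlank): array
{
    return array_merge($defaults, written($values, $skipBlank));
}

foreach ([true, false] as $skipBlank) {
    $cfg = effective($defaults, $submitted, $skipBlank);
    printf("skipBlank=%s -> password used at login: %s\n",
        var_export($skipBlank, true),
        var_export($cfg['DATABASE_PASSWORD'], true));
    echo render_conf($submitted, $skipBlank), "\n";
}
```

Writing the key whenever the installer form supplied it, even as an empty string, keeps the credentials tested during installation identical to the ones used afterwards.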


  • lechlech Chicagoland
    I think I'm stating the obvious here when I say that using root with a blank password is a bad idea. Even though understandably it's a local setup, you want to lock that account down with a password and only use it to create and modify new users & db's. It's just good practice :)
  • I agree with you lech, but the issue is still there. :)
  • lechlech Chicagoland
    yeah, It's a hint saying "hey, you're not only using ROOT, but you're using it with a BLANK PASSWORD" so that's like, double bad.
  • Well, yeah, I already knew that it's EXTREMELY unsecure and EXTREMELY bad. This is not something that I do for my production server, just for my testing server. Anyways, if my testing server's access to the network is restricted, I don't worry too much about it.

    The only reason I mentioned this was because of the fact that the bug exists.
This discussion has been closed.