[development] Temporary database credentials

Piotr Krukowiecki piotr at mallorn.ii.uj.edu.pl
Thu Jan 26 22:03:45 UTC 2006

On Tue, Jan 24, 2006 at 03:48:19PM -0500, Moshe Weitzman wrote:
> Interesting. Perhaps we should let users specify a different $db_url in 
> settings.php that is used while updating. If not specified, we use the 
> usual $db_url. How about this pseudo-code in update.php?
> global $user, $db_url, $db_url_updating
> if ($user->uid == 1) {
>   $db_url = $db_url_updating;
> }

I think this is the best way, but with small modification:
if (we are in update.php) && ($db_url_updating is defined)) {
  $db_url = $db_url_updating;

Site admin knows if the user which is normally used for connecting to
the db has necessarily rights or not. If he does not have them, he
should tell drupal which user/password use for update operations.

Simples, most portable, solving all problems IMO.

The only problem is that user/password for such "powerfull" user is
written in the file. Some people might want not to store it on disk, but
input only when updating. So a form in update.php would be needed.

But is it really needed? If someone could read the information and e.g.
drop all tables - he could also just DELETE from all tables. So it's not
really safer to not write them in the file.

irc: #debian.pl
Mors Drosophilis melanogastribus!

More information about the development mailing list