[development] install should optionally create the database

Moshe Weitzman weitzman at tejasa.com
Thu Oct 12 02:43:13 UTC 2006


Greg Knaddison - GVS wrote:
> On 10/11/06, Drupal Indonesia <support at drupal-id.com> wrote:
>> Here:
>> 1. On the installation screen say: "You must enter a db username with 
>> creating
>> DB rights, otherwise please create the DB first"
> 
> If they enter the db username that has "create database" permissions
> into the screen they are most likely doing it http.  So, it's passed
> along in plain text.  Yikes.
> 
> Greg
> 

Um, uid=1 and everyone else already logs in with plain text. and you have to 
use uid=1 to update your site, so just never using that account is not an 
option (unless you hack update.php, which puts in an 'expert' class as we 
aren't really talking about that class of admins now).

there is actually nothing one can do with the DB password alone. you still 
have to break the server some other way in order to interact with the DB. we 
shouldn't just show DB password for fun, but one web form during install is 
acceptable IMO, and in the opinions of other web app makers.

i agree that having drupal create the DB for those that want it is a great 
next step. if you don't like that feature, don't use it. experienced drupal 
admins are quite likely to skip the whole installer, IMO.

this is all 6.0 stuff, so lets not spend too much time on it now. we have to 
get 5.0 bugs shaken out first.

-moshe


More information about the development mailing list