PEAK XOOPS - 'XOOPS_DB_PREFIX' clarification

'XOOPS_DB_PREFIX' clarification

Posted on 2005/1/4 19:17
brashquido  Posts: 18
Hi All,

Great module, don't know why I hadn't looked at this before. Just wanting to verify something from under the Security Advisory page. It says the 'XOOPS_DB_PREFIX' of 'xoops' is not secure, and I was just wondering what we should be looking at changing this to so as to secure this? Thanks for your help
Votes:17 Average:4.71
Posted on 2005/1/4 20:05
jseymour  From: Gainesville Florida, USA  Posts: 40
After install it is hard to change as I understand. Ideally just anything nonstandard. Any cracker that knows Xoops knows that the prefix by default is xoops_ . Just gives something else for him to guess.
Votes:7 Average:0.00
Posted on 2005/1/4 20:13
brashquido  Posts: 18
I was thinking as much. I suppose an alpha-numeric combination of half a dozen or so characters with upper and lowercase should be sufficient? I suppose my real question is how far you should go before you consider yourself secure? Is half a dozen characters enough, should it be more?
Votes:20 Average:0.00
Posted on 2005/1/5 4:51
tedsmith  Posts: 64
Indeed. I would expect that 6 chars combined with upper\lower\grammar text would be quite sufficient - you'd have to have a good cracker to get round that.

My question is how do you change that prefix? Mine says xoops, and I remember being asked during set-up, but can you change it afterwards and if so how?
Votes:26 Average:6.54
Posted on 2005/1/5 6:44
GIJOE  Posts: 4110
I'll implement the feature of changing XOOPS_DB_PREFIX into Protector.
But if you want it immediately, try Marijuana's method.

* Marijuana: the Author of ORETEKI XOOPS instead of bad drugs


how to change XOOPS_DB_PREFIX:

Don't forget to back up the database and mainfile.php before these operations.

- save this as pre_change.php.
- put it in the same place as mainfile.php
- chmod 777 mainfile.php
- access XOOPS_URL/pre_change.php
- change it
- delete pre_change.php from the server (important!)
- chmod 444 mainfile.php

<?php
  include 'mainfile.php';
  if ( !is_writable(XOOPS_ROOT_PATH.'/mainfile.php') ) {
    exit('mainfile.php is not writable');
  }
  
  if ( empty($_POST['submit']) ) {
    include XOOPS_ROOT_PATH.'/class/xoopsformloader.php';
    $sform = new XoopsThemeForm("Changing XOOPS_DB_PREFIX", "prefixform", xoops_getenv('PHP_SELF'));
    $sform->addElement(new XoopsFormText("PREFIX", 'prefix', 50, 80, XOOPS_DB_PREFIX), true);
    $sform->addElement(new XoopsFormHidden("oldname", XOOPS_DB_PREFIX));
    $sform->addElement(new XoopsFormButton('', 'submit', 'change', 'submit'));
    $shtml = $sform->render();
  } else {
    $shtml = '<h4 style="text-align:left">Changing XOOPS_DB_PREFIX '.XOOPS_DB_NAME.'</h4>';
    $shtml.= '<table class="outer" width="100%" cellpadding="4" cellspacing="1">';
    $shtml.= '<tr align="center"><th>From</th><th>To</th></tr>';
    
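    // the new prefix goes into SQL and into mainfile.php, so accept only letters, digits and underscore
    if ( !isset($_POST['prefix']) || !preg_match('/^[A-Za-z0-9_]+$/', $_POST['prefix']) ) {
      exit('invalid prefix');
    }

    // changes
    $local_query = 'SHOW TABLE STATUS FROM '.XOOPS_DB_NAME;
    $result = $xoopsDB->queryF($local_query);
    $count = 0;
    if ( $xoopsDB->getRowsNum($result) ) {
      while( $row = $xoopsDB->fetchArray($result) ){
        // skip tables that do not start with the current prefix
        if ( strpos($row['Name'], XOOPS_DB_PREFIX.'_') !== 0 ) { continue; }
        if ($count % 2 == 0) { $class = 'even'; } else { $class = 'odd'; }
        $count++;
        $newtable = $_POST['prefix'].'_'.substr($row['Name'], strlen(XOOPS_DB_PREFIX.'_'));
        $sql = "RENAME TABLE `".$row['Name']."` TO `".$newtable."`";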
        $ret = $xoopsDB->queryF($sql);
        if ( $ret ) {
          $shtml.= '<tr class="'.$class.'"><td>'.$row['Name'].'</td><td>'.$newtable.'</td></tr>';
        } else {
          $shtml.= '<tr class="'.$class.'"><td>'.$row['Name'].'</td><td>Failed. sorry...</td></tr>';
        }
      }
    }
    $shtml.= '</table>';
    $shtml.= '<div><a href="'.XOOPS_URL.'/">return to Top</a></div>';
    // modifying mainfile.php
    $main = file(XOOPS_ROOT_PATH.'/mainfile.php');
    foreach ( $main as $val ) {
      if ( strpos($val,'XOOPS_DB_PREFIX')!==false ) {
        $buf[] = str_replace($_POST['oldname'],$_POST['prefix'],$val);
      } else {
        $buf[] = $val;
      }
    }
    if (!$fp = fopen(XOOPS_ROOT_PATH.'/mainfile.php', "wb") ) {
      echo "writing mainfile.php failed. please edit manually";
    } else {
      fputs($fp, join("", $buf));
      fclose($fp);
    }
    
  }
  include XOOPS_ROOT_PATH.'/header.php';
  echo $shtml;
  include XOOPS_ROOT_PATH.'/footer.php';
?>
Votes:17 Average:5.88
Posted on 2005/1/5 8:04
tedsmith  Posts: 64
Looks a little too complex for me, so I will wait until you implement it into your Protector module - there's no urgency for me because I doubt my site will be victim to a hacker anyway - it's just a site about dogs!

Thanks for your help GIJOE.
Votes:1 Average:0.00
Posted on 2005/1/5 11:54
brashquido  Posts: 18
Hi GIJOE,

The above script does not enclose the database name with `` when showing the status. This will cause the script to fail in some instances (such as where the database name is numeric). I have altered the script so that it does this, plus also added code so that all the SQL commands are dumped to screen using the XoopsLogger.
<?php
  include 'mainfile.php';
  if ( !is_writable(XOOPS_ROOT_PATH.'/mainfile.php') ) {
    exit('mainfile.php is not writable');
  }
  
  if ( empty($_POST['submit']) ) {
    include XOOPS_ROOT_PATH.'/class/xoopsformloader.php';
    $sform = new XoopsThemeForm("Changing XOOPS_DB_PREFIX", "prefixform", xoops_getenv('PHP_SELF'));
    $sform->addElement(new XoopsFormText("PREFIX", 'prefix', 50, 80, XOOPS_DB_PREFIX), true);
    $sform->addElement(new XoopsFormHidden("oldname", XOOPS_DB_PREFIX));
    $sform->addElement(new XoopsFormButton('', 'submit', 'change', 'submit'));
    $shtml = $sform->render();
  } else {
    $shtml = '<h4 style="text-align:left">Changing XOOPS_DB_PREFIX '.XOOPS_DB_NAME.'</h4>';
    $shtml.= '<table class="outer" width="100%" cellpadding="4" cellspacing="1">';
    $shtml.= '<tr align="center"><th>From</th><th>To</th></tr>';
    
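    // the new prefix goes into SQL and into mainfile.php, so accept only letters, digits and underscore
    if ( !isset($_POST['prefix']) || !preg_match('/^[A-Za-z0-9_]+$/', $_POST['prefix']) ) {
      exit('invalid prefix');
    }

    // changes
    $local_query = 'SHOW TABLE STATUS FROM `'.XOOPS_DB_NAME.'`';
    $result = $xoopsDB->queryF($local_query);
    $count = 0;
    if ( $xoopsDB->getRowsNum($result) ) {
      while( $row = $xoopsDB->fetchArray($result) ){
        // skip tables that do not start with the current prefix
        if ( strpos($row['Name'], XOOPS_DB_PREFIX.'_') !== 0 ) { continue; }
        if ($count % 2 == 0) { $class = 'even'; } else { $class = 'odd'; }
        $count++;
        $newtable = $_POST['prefix'].'_'.substr($row['Name'], strlen(XOOPS_DB_PREFIX.'_'));
        $sql = "RENAME TABLE `".$row['Name']."` TO `".$newtable."`";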
        $ret = $xoopsDB->queryF($sql);
        if ( $ret ) {
          $shtml.= '<tr class="'.$class.'"><td>'.$row['Name'].'</td><td>'.$newtable.'</td></tr>';
        } else {
          $shtml.= '<tr class="'.$class.'"><td>'.$row['Name'].'</td><td>Failed. sorry...</td></tr>';
        }
      }
    }
    $shtml.= '</table>';
    $shtml.= '<div><a href="'.XOOPS_URL.'/">return to Top</a></div>';
    // modifying mainfile.php
    $main = file(XOOPS_ROOT_PATH.'/mainfile.php');
    foreach ( $main as $val ) {
      if ( strpos($val,'XOOPS_DB_PREFIX')!==false ) {
        $buf[] = str_replace($_POST['oldname'],$_POST['prefix'],$val);
      } else {
        $buf[] = $val;
      }
    }
    if (!$fp = fopen(XOOPS_ROOT_PATH.'/mainfile.php', "wb") ) {
      echo "writing mainfile.php failed. please edit manually";
    } else {
      fputs($fp, join("", $buf));
      fclose($fp);
    }
    
  }
  include XOOPS_ROOT_PATH.'/header.php';
  echo $shtml;
  include XOOPS_ROOT_PATH.'/footer.php';
  echo $GLOBALS['xoopsLogger']->dumpAll();
?>
Votes:17 Average:5.29
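The rename step that the scripts above perform, as an added example that is not part of the thread or of Protector: it generates a random prefix and builds a single RENAME TABLE statement, refusing to proceed on an invalid prefix or a name collision. The function names random_prefix and plan_rename, the 4-16 character rule and the sample table list are assumptions made for this illustration; random_int needs PHP 7 or later.

```php
<?php
// Added example. The table list at the bottom is constructed sample data.

// Random prefix: a letter followed by letters/digits, from PHP's CSPRNG.
function random_prefix($len = 8) {
    $letters = 'abcdefghijklmnopqrstuvwxyz';
    $alnum   = $letters . '0123456789';
    $prefix  = $letters[random_int(0, 25)];
    for ($i = 1; $i < $len; $i++) {
        $prefix .= $alnum[random_int(0, 35)];
    }
    return $prefix;
}

// Returns one RENAME TABLE statement covering every "<old>_*" table,
// or throws before anything has been changed.
function plan_rename(array $tables, $old, $new) {
    if (!preg_match('/^[A-Za-z][A-Za-z0-9]{3,15}$/', $new)) {
        throw new InvalidArgumentException('prefix: 4-16 letters/digits, starting with a letter');
    }
    $existing = array_flip(array_map('strtolower', $tables));
    $pairs = array();
    foreach ($tables as $table) {
        if (strpos($table, $old . '_') !== 0) {
            continue; // belongs to another application sharing the database
        }
        $target = $new . '_' . substr($table, strlen($old) + 1);
        if (strlen($target) > 64) { // MySQL identifier length limit
            throw new LengthException("$target is longer than 64 characters");
        }
        if (isset($existing[strtolower($target)])) {
            throw new RuntimeException("$target already exists");
        }
        $pairs[] = "`$table` TO `$target`";
    }
    if (!$pairs) {
        throw new RuntimeException("no tables start with {$old}_");
    }
    // MySQL performs a multi-table RENAME TABLE atomically: all pairs or none.
    return 'RENAME TABLE ' . implode(', ', $pairs);
}

$tables = array('xoops_users', 'xoops_configs', 'otherapp_log'); // constructed
echo plan_rename($tables, 'xoops', random_prefix()), ";\n";
```

Because the statement is built before anything is executed, a bad prefix or a clash with an existing table stops the change while the database and mainfile.php still agree.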
Posted on 2005/1/5 12:10
GIJOE  Posts: 4110
hi brash.

Thank you for modifying it.

Since the script was not made by me, I didn't check it well.
All I did was translate it from Japanese to English.

Anyway, changing XOOPS_DB_PREFIX is quite useful for you.
Almost all SQL injections can be prevented by changing the prefix to a randomized word.
Votes:14 Average:5.00
Posted on 2005/1/6 8:16
brashquido  Posts: 18
No worries GIJOE. I used the script last night, and everything went well. I now have ok against all five points under the security advisor page in Protector.
Votes:8 Average:8.75
Posted on 2005/1/20 6:00
GIJOE  Posts: 4110
Now, Protector 2.3 has "DB_PREFIX" manager.
You can copy or delete tables with multi-prefix.
Try it.
Votes:15 Average:4.00
Posted on 2006/3/13 5:52
atomizer  Posts: 1
i'm very new to PHP and SQL and am having a bit of trouble understanding how to use 'protector' to change the database prefix. what i did was 'copy' the current XOOP database with another name (4 characters). i did not edit 'mainfile.php' yet. that seemed to go well, but when i use phpMyAdmin to verify that the new database was created, it isn't there -- only the old database is there.

what is my little brain missing?
Votes:7 Average:0.00

Posted on 2006/3/14 5:18
GIJOE  Posts: 4110
Databases
  |
  foo ------ (tables in foo)
  |
  bar ------ (tables in bar)
  |
  yourdb --- Tables
               |
               xoops_users
               xoops_configs
               xoops_...
               (newprefix)_users
               (newprefix)_configs
               (newprefix)_...
The red part was created by copy in prefix manager.

Do you understand?
Votes:15 Average:4.67
