Of course, this bit me in the arse.
The ‘correct’ way to check that people aren’t trying to send nasty things to your MySQL server is to use the command ‘mysql_real_escape_string()’ – This connects to the database, and asks it ‘Do any of these characters mean anything to you, and if they do, please get rid of them’. This worked flawlessly on my machine, and I happily checked it in and published it. About 4 hours after I published it, and everyone was happily upgrading, someone dropped into IRC and said they were getting an error in CDR, about being unable to connect to MySQL without using a password.
Uh-oh. That command needs to authenticate itself. It’ll work fine if there’s no root/dba password, but as soon as there is, it breaks. Sigh. So that’s fixed.
I also realised a couple of days later that lots of people were trying to install the update that I put in the online modules. Even though I put a big ‘CLICK HERE’ and pointed them to the FreePBX upgrading instructions they were still trying to install it. So I added a little routine that checks if there are any announcements and displays them automatically as soon as you go into online modules. That should fix that problem, and stop it from happening in the future.
Unfortunately, it does still leave people with a broken module of ‘unknown’. I’ve fixed that in 2.2 (the ability to remove a broken module) I think, but I’m not really sure I’m comfortable about putting it into 2.1, which is meant to be stable and, uh. Not broken. D’oh.
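The mysql_real_escape_string() failure described above comes from calling it without a connection argument. The sketch below is an added illustration for the legacy ext/mysql API (PHP 4/5), not the code that shipped in the module; the credentials, database, table and column names are placeholders.

```php
<?php
// Added illustration for the legacy ext/mysql API (removed in PHP 7).
// Host, credentials, database, table and column names are placeholders.

// Fragile: no link argument. If this request has not opened a connection
// yet, PHP tries mysql_connect() with its default arguments (no password
// unless php.ini sets one), raises a warning and returns false as soon as
// the server requires a password.
function escape_implicit($value)
{
    return mysql_real_escape_string($value);
}

// Robust: escape on the link the application already authenticated, and
// refuse to build a query if escaping failed.
function escape_on_link($value, $link)
{
    if (!is_resource($link)) {
        throw new RuntimeException('no open MySQL link to escape against');
    }
    $escaped = mysql_real_escape_string($value, $link);
    if ($escaped === false) {
        throw new RuntimeException('escape failed: ' . mysql_error($link));
    }
    return $escaped;
}

// Connect once with the configured credentials, then reuse that link.
$link = mysql_connect('localhost', 'cdr_user', 'placeholder-password');
if ($link === false) {
    die('connect failed: ' . mysql_error());
}
mysql_select_db('cdr_db', $link);

// Untrusted input goes through the escaper bound to the open link.
$src = isset($_GET['src']) ? $_GET['src'] : '';
$sql = "SELECT calldate, src, dst FROM cdr WHERE src = '"
     . escape_on_link($src, $link) . "'";
$result = mysql_query($sql, $link);
```

Checking the return value matters here: a false result concatenated into the query becomes an empty string, so the query would silently run with the wrong filter instead of failing.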