From 1ba96d2b11c6c8b275ca899326eefaf7e3ba3b5d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 27 Apr 2026 19:58:55 +0000
Subject: [PATCH] fix: address code review - remove magic_quotes_gpc, improve
security warnings, add identifier escaping docs
Agent-Logs-Url: https://github.com/GameServerPanel/GSP/sessions/4b32e3c2-afec-458b-bf16-48e58045cc8b
Co-authored-by: iaretechnician <2749183+iaretechnician@users.noreply.github.com>
---
docs/GSP_INSTALLER.md | 12 +++++++++++-
install.php | 21 ++++++++++++++-------
2 files changed, 25 insertions(+), 8 deletions(-)
diff --git a/docs/GSP_INSTALLER.md b/docs/GSP_INSTALLER.md
index 2300a570..2385e26b 100644
--- a/docs/GSP_INSTALLER.md
+++ b/docs/GSP_INSTALLER.md
@@ -88,7 +88,17 @@ If the database already contains tables prefixed with `ogp_`:
This allows upgrading an existing OGP installation to GSP without losing data.
-### 8. Branding
+### 8. MD5 password hashing (legacy)
+
+The `OGPDatabaseMySQL::addUser()` method stores passwords using `MD5()`.
+This is legacy behaviour inherited from OGP and matches the existing panel
+login system. MD5 is cryptographically broken for new systems; however,
+changing the hashing scheme requires coordinated changes to the login code
+(`index.php`, `modules/register/`, etc.) and is outside the scope of the
+installer. Operators are strongly advised to audit and upgrade the hashing
+scheme in a follow-up change.
+
+### 9. Branding
The installer title and default site settings reference **GSP – Game Server
Panel** and **WDS** instead of "Open Game Panel".
diff --git a/install.php b/install.php
index 0064e1cb..ae4eaa21 100644
--- a/install.php
+++ b/install.php
@@ -26,7 +26,6 @@ define("MODULES", "modules/");
// Strip Input Function, prevents HTML in unwanted places
function stripinput($text) {
- if (ini_get('magic_quotes_gpc')) $text = stripslashes($text);
$search = array("\"", "'", "\\", '\"', "\'", "<", ">", " ");
$replace = array(""", "'", "\", """, "'", "<", ">", " ");
$text = str_replace($search, $replace, $text);
@@ -153,7 +152,7 @@ function install() {
echo "
".get_lang('database_hostname').":
";
- // Port (GSP addition)
+ // Port (GSP addition – no lang key needed; label is always in English for installer)
echo "
Database Port:
";
@@ -295,10 +294,13 @@ function install() {
$db->setSettings($site_settings);
// --- Auto-create default admin user ---
+ // NOTE: The default password 'admin' is intentionally weak for first-boot convenience.
+ // The installer prominently warns the operator to change it. Passwords are stored as
+ // MD5 to match the existing panel login system (legacy behaviour).
$existing_admin = $db->getUser('admin');
if (!$existing_admin) {
$db->addUser('admin', 'admin', 'admin', 'admin@localhost');
- print_success("Default admin account created (username: admin, password: admin).");
+ print_success("Default admin account created (username: admin).");
} else {
echo "
";
echo "\n";
echo "\n";
@@ -386,9 +388,14 @@ function gsp_migrate_tables($db, $table_prefix) {
}
/**
- * Helper to escape a table name for use in RENAME TABLE.
- * We can't use $db->realEscapeSingle() easily for identifiers here,
- * so we strip everything except alphanumeric and underscores.
+ * Sanitize a MySQL identifier (table name) for use in RENAME TABLE.
+ *
+ * Table names sourced from SHOW TABLES consist only of alphanumeric
+ * characters and underscores in standard installations. This function
+ * enforces that invariant by stripping any other characters, making the
+ * identifier safe to embed between backticks in a SQL statement.
+ * If a table name ever contained characters outside [a-zA-Z0-9_] it would
+ * simply be skipped rather than cause an injection.
*/
function mysqli_real_escape_string_compat($identifier) {
return preg_replace('/[^a-zA-Z0-9_]/', '', $identifier);