Installer detects all database settings in settings.php except for password

Created on 8 August 2025, 7 days ago

Problem/Motivation

When installing Drupal using the UI installer, the installer will detect any existing database configuration in the $databases variable. Those variables will be loaded in the second step of the form titled "Database Configuration", except for the password.

When users proceed to the next step (either providing the existing password, no password, or just a random string), a new $databases variable will be added to the settings.php file even if a valid one already exists.

This causes some issues when providing someone with a working Drupal codebase, but no database, as they have to go through the UI installer and risk changing the settings.php file when that shouldn't be necessary.

Steps to reproduce

1. On a new Drupal installation, copy and paste this code into settings.php before entering the UI installer.

$databases['default']['default'] = array (
  'database' => 'drupal',
  'username' => 'drupal',
  'password' => 'drupal',
  'prefix' => 'dp_',
  'host' => 'localhost',
  'port' => '3306',
  'isolation_level' => 'READ COMMITTED',
  'driver' => 'mysql',
  'namespace' => 'Drupal\\mysql\\Driver\\Database\\mysql',
  'autoload' => 'core/modules/mysql/src/Driver/Database/mysql/',
);

This is, in most cases, a valid configuration (with the possible exception of your db host or port).

2. Enter the UI installer.

3. Select any profile.

4. On the "Database Configuration" step, notice how the Password field is not filled, despite there being a valid password in the settings.

5. Either enter your db password or do nothing, the result is the same.

6. Click "Save and Continue"

7. Read settings.php. There should now be two $databases variables in there.

Proposed resolution

Ideally, the settings form should:

1. Detect the database password and display it (in the case of an incomplete config that happens to have the password, but is missing something else).

2. If a fully functioning database connection is provided via settings.php, the installer should not duplicate the $databases variable.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

🐛 Bug report
Status

Active

Version

11.2 🔥

Component

install system

Created by

🇺🇸 United States abenbow Asheville, North Carolina
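A check for the state described in step 7, as an added example that is not part of the original issue or of Drupal core: it uses PHP's tokenizer to list which `$databases` targets are assigned more than once in a settings.php file, since a plain text search would also count occurrences inside comments. The function name `databases_assignments` and the sample file contents are assumptions made for illustration; the script reports targets and line numbers only and never prints the configured values.

```php
<?php
// Added example, not Drupal core code. Sample input below is constructed.

/** Maps each assigned $databases target to the lines assigning it. */
function databases_assignments(string $source): array {
  $tokens = token_get_all($source);
  $found = [];
  for ($i = 0, $n = count($tokens); $i < $n; $i++) {
    $t = $tokens[$i];
    if (!is_array($t) || $t[0] !== T_VARIABLE || $t[1] !== '$databases') {
      continue;
    }
    $path = '';
    $depth = 0;
    for ($j = $i + 1; $j < $n; $j++) {
      $next = $tokens[$j];
      $text = is_array($next) ? $next[1] : $next;
      $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
      if (is_array($next) && in_array($next[0], $skip, TRUE)) {
        continue;
      }
      if ($text === '[') { $depth++; }
      if ($depth > 0) {
        // Still inside a subscript such as ['default']: record it.
        $path .= $text;
        if ($text === ']') { $depth--; }
        continue;
      }
      // ==, .= and friends are multi-character tokens, so a bare '=' here
      // is a plain assignment. The assigned value is never read.
      if ($text === '=') { $found[$path][] = $t[2]; }
      break;
    }
  }
  return $found;
}

// Constructed settings.php: a commented example, then the same key twice.
$sample = <<<'PHP'
<?php
// $databases['default']['default'] = ['driver' => 'sqlite'];
$databases['default']['default'] = array ('password' => 'placeholder');
$databases['default']['default'] = array ('password' => '');
PHP;

$source = isset($argv[1]) ? file_get_contents($argv[1]) : $sample;
foreach (databases_assignments($source) as $path => $lines) {
  $status = count($lines) > 1 ? 'DUPLICATE' : 'ok';
  printf("%s \$databases%s: line(s) %s\n", $status, $path, implode(', ', $lines));
}
```

Run it with the path to a settings.php file as the first argument; with no argument it checks the embedded sample.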


Comments & Activities

  • Issue created by @abenbow
  • 🇺🇸 United States abenbow Asheville, North Carolina
  • 🇳🇿 New Zealand quietone

    If this problem was discovered on a version of Drupal that is not 11.x, add that information in the issue summary and leave the version at 11.x. In Drupal core, changes are made on 11.x (our main development branch) first, and are then back ported as needed according to the Core change policies. Also mentioned on the version section of the list of issue fields documentation. Thanks.

  • 🇺🇸 United States nicxvan

    I think that would be a security concern, it would expose the production db password for any site where someone visits before it is installed if settings are pre-configured.

    It can also load the installer if something goes really wrong in production which would also expose the password.
