Fixing ISPConfig3 MySQL Backup

I have been playing with ISPConfig3 for the last few months. Apart from being highly surprised by such a complete free offering, the MySQL backup has never worked for me. Web backup would work but the sql.gz would show 0 or a very small number of bytes, resulting in no backup.

After playing with the script in /usr/local/ispconfig/server/cron_daily.php I found that the script sanitizes input from /usr/local/ispconfig/server/lib/mysql_clientdb.conf before passing the details over to mysqldump.

The script sanitizes input with the PHP function escapeshellcmd: http://php.net/manual/en/function.escapeshellcmd.php

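From the manual, the function puts a backslash before each of #&;`|*?~<>^()[]{}$\, \x0A and \xFF, and before ' and " when they are unpaired. This means that if we have any of these characters in our username or password, the script alters the value before passing it to the command line. Because the value sits inside single quotes in the command, the shell keeps the added backslashes, so mysqldump receives a different password and the backup fails.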

This sanitization is fine if you're expecting input from an end user, but this is our root password using a string stored in a text file. Apart from some type of remote rewrite of the file and waiting for cron_daily.php to be executed hoping for a break on the command line, I'm pretty sure this file is ok to edit.

The line is at 892 of /usr/local/ispconfig/server/cron_daily.php and reads:

$command = "mysqldump -h '".escapeshellcmd($clientdb_host)."' -u '".escapeshellcmd($clientdb_user)."' -p'".escapeshellcmd($clientdb_password)."' -c --add-drop-table --create-options --quick --result-file='".$db_backup_dir.'/'.$db_backup_file."' '".$db_name."'";

For me it was my password that was causing problems for the function, so that mysqldump would fail, resulting in a gz file of nothing.

Once the file was edited to the below everything started working again as expected.

$command = "mysqldump -h '".escapeshellcmd($clientdb_host)."' -u '".escapeshellcmd($clientdb_user)."' -p'".$clientdb_password."' -c --add-drop-table --create-options --quick --result-file='".$db_backup_dir.'/'.$db_backup_file."' '".$db_name."'";

I hope this helps!
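The following is an added example, not code from ISPConfig or from the edit above. It compares the original escapeshellcmd-inside-quotes pattern with escapeshellarg(), which quotes a value as exactly one shell word and so also covers a password containing a single quote. The passwords are constructed samples, the helper names are hypothetical, and a POSIX /bin/sh behind shell_exec() is assumed.

```php
<?php
// Added example, not ISPConfig code. Both passwords are constructed samples.
// Assumes a POSIX /bin/sh behind shell_exec() and ASCII-only values.

// Return the argument a child process would receive for one shell word.
function seen_by_child(string $shell_word): string
{
    return (string) shell_exec('printf %s ' . $shell_word);
}

// Pattern from the original line: escapeshellcmd() output placed inside '...'.
// Inside single quotes the shell keeps the inserted backslashes literally.
function old_pattern(string $value): string
{
    return "'" . escapeshellcmd($value) . "'";
}

// escapeshellarg() supplies the quotes itself and rewrites an embedded '
// as '\'' so the value stays exactly one word.
function arg_pattern(string $value): string
{
    return escapeshellarg($value);
}

function verdict(string $received, string $expected): string
{
    return $received === $expected ? 'match' : 'MISMATCH';
}

$password = 'p@ss$w0rd&1;x';          // constructed sample
$old = old_pattern($password);
$new = arg_pattern($password);

printf("old word : %s\n", $old);
printf("received : %s (%s)\n", seen_by_child($old), verdict(seen_by_child($old), $password));
printf("new word : %s\n", $new);
printf("received : %s (%s)\n", seen_by_child($new), verdict(seen_by_child($new), $password));

// A value containing a single quote would end a hand-written '...' word early.
// escapeshellarg() keeps it intact, so only that form is executed here.
$with_quote = "it's#secret";          // constructed sample
$word = arg_pattern($with_quote);
printf("new word : %s\n", $word);
printf("received : %s (%s)\n", seen_by_child($word), verdict(seen_by_child($word), $with_quote));

// The mysqldump option would then be built without extra quotes around it:
printf("option   : %s\n", '-p' . escapeshellarg($password));
```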
