Remove install.php after successful installation

[inda5th]

The installer should automatically remove install.php after a successful installation. If not removed, it should at least be moved to somewhere out of the web root.

The issue is that if a user forgets to remove install.php after installation has been completed, somebody with knowledge of the framework can just run the installation script again and overwrite the website.

If the developers don't find it feasible to have the installation script move or remove itself, a note should be added to the documentation to have the user do it manually.

Another possible solution would have the installer write to some form of installation_successful.txt file upon successful installation. If the installer tries to run again and that file exists, it should halt execution of the installation and remind the user to remove install.php.

[gergo85]

It's a great idea!

[daftspunk]

The installer should be removed and it is recommended in the final steps. Using Apache the .htaccess file prevents the install.php file being opened after installation. Even if this were possible, it would not be possible to pass the second screen because the installer only accepts an empty database. Even with an empty database, the installation procedure is no more harmful than running a standard update via the gateway.

We operate on a principal to not be too "magical" for the developer. He/She must assume some responsibility in this role. Deleting files from the file system is too magical I'm afraid.