今天看到,前几天刚出 5.4 ,修复了一个 SQL injection 漏洞
// $Id: UPGRADE.txt,v 1.8 2007/01/09 09:16:10 dries Exp $
1. Backup your database and Drupal directory – especially your
“sites” directory which contains your configuration file and
added modules and themes, any contributed modules in your
“modules” directory, and your “files” directory which contains
Note: for a single site setup the configuration file is the
“settings.php” file located at sites/default/settings.php.
For multisite configuration the configuration file is located
in a structure like the following:
More information on multisite configuration is located in
the INSTALL.txt file.
2. Log on as the user with user ID 1. User ID 1 is the first
account created and the main administrator account. User
ID 1 needs to be logged in so that you can access update.php
(step 9) which can only be run by user ID 1. Do not close
your browser until step 10 is complete.
3. Place the site in “Off-line” mode, to mask any errors from
4. Disable contributed modules and switch to a core theme
(Bluemarine or Garland).
5. Remove all of the old files and directories from the Drupal
6. Unpack the new Drupal files and directories into the Drupal
7. Copy the backed up “files” and “sites” directories to the
Drupal installation directory. If the original .htaccess or
robots.txt files have been modified, copy the backed up
versions of these files to the installation directory as
8. Verify the new configuration file to make sure it has the
latest and correct information.
9. Re-install contributed modules.
Note: make sure the version of a module matches your
version of Drupal. Modules from previous versions may
not be compatible with the current version. Check
http://drupal.org/project/Modules for the version of a
module to match your version of Drupal.
10. Run update.php by visiting http://www.example.com/update.php
(replace www.example.com with your drupal installation’s
domain name and path). This step will update the database to
the new Drupal installation.
Note: if you are unable to access update.php do the following:
– Open update.php with a text editor.
– There is a line near top of update.php that says
$access_check = TRUE;. Change it to $access_check = FALSE;.
– As soon as the script is done, you must change the update.php
script back to its original form to $access_check = TRUE;.
11. Finally, return site to “Online” mode so your visitors may resume
For more information on upgrading visit the Drupal handbook at