0
votes

When the server has a MySQL config or other error it prints the MySQL user name and password to the browser. This is a security risk in that if the SQL db is unavailable it will also print the password to the browser.

In this example I intentionally set the password incorrectly, here is the output:

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[28000] [1045] Access denied for user 'username'@'localhost' (using password: YES)' in /usr/local/zend/share/ZendFramework/library/Zend/Db/Adapter/Pdo/Abstract.php:129 Stack trace: #0 /usr/local/zend/share/ZendFramework/library/Zend/Db/Adapter/Pdo/Abstract.php(129): PDO->__construct('mysql:host=loca...', 'drupal', 'password', Array) #1 /usr/local/zend/share/ZendFramework/library/Zend/Db/Adapter/Pdo/Mysql.php(96): Zend_Db_Adapter_Pdo_Abstract->_connect() #2 /usr/local/zend/share/ZendFramework/library/Zend/Db/Adapter/Abstract.php(459): Zend_Db_Adapter_Pdo_Mysql->_connect() #3 /usr/local/zend/share/ZendFramework/library/Zend/Db/Adapter/Pdo/Abstract.php(238): Zend_Db_Adapter_Abstract->query('DESCRIBE site_...', Array) #4 /usr/local/zend/share/ZendFramework/library/Zend/Db/Adapter/Pdo/Mysql.php(156): Zend_Db_Adapter_Pdo_Abstract->query('DESCRIBEsite_...') #5 /usr/local/zend/share/ZendFramework/library/Zend/Db/Table/Abstract.php(823): Zend_Db_Adapter_Pdo_Mysq in /usr/local/zend/share/ZendFramework/library/Zend/Db/Adapter/Pdo/Abstract.php on line 144

Here is the current config code in the index.php file:

global $db;
if ($CFG->flagDBAdapters) {
    // Build one adapter per configured database
    foreach ($config->db as $config_name => $database) {
        $dbAdapters[$config_name] = Zend_Db::factory(
            $database->adapter,
            $database->config->toArray()
        );
        // The adapter flagged as default becomes the global $db
        if ((boolean) $database->default) {
            Zend_Db_Table::setDefaultAdapter($dbAdapters[$config_name]);
            $db = $dbAdapters[$config_name];
        }
    }
    Zend_Registry::set('dbAdapters', $dbAdapters);
}

I tried reading more about PDO and inserting

$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);

That just resulted in a different error

Fatal error: Call to undefined method Zend_Db_Adapter_Pdo_Mysql::setAttribute() in /usr/local/zend/apache2/htdocs/source/index.php on line 301

Can anyone help point me in the right direction as to what I should be looking for?

3
Did you try to surround the block that causes the error with a try/catch statement? - timmz

3 Answers

2
votes

Well, it's more like a Zend Framework related question rather than a general PHP issue.
So, ZF should have its own ways to disable such behavior.

As for PHP, the display_errors setting should always be turned off on the production server.

0
votes

You can use set_error_handler to specify your own error handler, which should display something much more user-friendly in production while displaying more detailed debugging data during development/testing.
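An added example (not part of the original answers or of Zend Framework) that combines the display_errors advice with a custom handler. It uses set_exception_handler, since the failure in the question is an uncaught exception. The names safe_log_line, handle_uncaught, connect_or_fail and demo_connect are hypothetical, and the real connect step is assumed to call Zend_Db::factory() followed by getConnection(), because the adapter otherwise connects lazily on the first query.

```php
<?php
// Production settings; set them in php.ini as well so startup errors are covered.
ini_set('display_errors', '0'); // never render errors or traces into the response
ini_set('log_errors', '1');     // write them to the server-side error log instead

// Log line without the stack trace. The trace is what leaked the credentials:
// it records the arguments passed to PDO->__construct().
function safe_log_line($e)
{
    return sprintf('%s [%s] %s at %s:%d', get_class($e), $e->getCode(),
        $e->getMessage(), basename($e->getFile()), $e->getLine());
}

// Last-resort handler for uncaught exceptions: detail to the log, generic text out.
function handle_uncaught($e)
{
    error_log(safe_log_line($e));
    if (!headers_sent()) {
        header('HTTP/1.1 503 Service Unavailable');
        header('Content-Type: text/plain; charset=utf-8');
    }
    echo "The site is temporarily unavailable. Please try again later.\n";
}
set_exception_handler('handle_uncaught');

// Hypothetical helper: run the connection step and fail closed.
// $connect is any callable that opens the connection (assumption: see lead-in).
function connect_or_fail($connect)
{
    try {
        return call_user_func($connect);
    } catch (Exception $e) {
        error_log(safe_log_line($e));
        // New exception with no "previous" attached, so the original trace
        // and its arguments cannot reach any later output.
        throw new RuntimeException('Database unavailable');
    }
}

// Constructed stand-in for a connect step that fails the way the question's did.
function demo_connect()
{
    throw new PDOException("SQLSTATE[28000] [1045] Access denied for user "
        . "'username'@'localhost' (using password: YES)");
}

connect_or_fail('demo_connect'); // ends in handle_uncaught(): 503 and generic text
```

On PHP 7.4 and later, setting zend.exception_ignore_args=On in php.ini additionally removes call arguments from exception traces.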

0
votes

Putting the @ symbol in front of a statement suppresses errors from being output.