未捕获的PDOException泄露用户名和密码 [英] Uncaught PDOException reveals username and password

问题描述

try {
    self::$dbinstance = new PDO(
        "mysql:host=$c[host];dbname=$c[dbname]", $c['user'], $c['password']
    );

    self::$dbinstance->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} 
catch(PDOException $e) {
    echo "Errors" . $e->getMessage();
}

在上面的代码中，如果PDO无法连接到主机，则fatal error会显示用户名和密码.

In the above code, if PDO fails to connect to the host, a fatal error reveals the username and password.

Uncaught exception 'PDOException' with message 'SQLSTATE[HY000] [2003]
Can't connect to MySQL server on '172.25.102.65' (10060)' in
D:\xampp\htdocs\mytest\wh_client_2.1\classes\importmodule-class.php:33 Stack trace: #0
D:\xampp\htdocs\mytest\wh_client_2.1\classes\importmodule-class.php(33): PDO-
>__construct('mysql:host=172....', 'host', 'password') #1

一种可能的方法是在php.ini中关闭display_error=0，但是这样一来，当主机没有响应时，我将无法得知.

One possible way is to turn the display_error=0 off in php.ini, but this way I won't able to know that when my host is not responding.

有没有办法修改错误消息?

Is there a way I can modify the error message?

推荐答案

错误处理和错误报告之间是有区别的.

There is a difference between error handling and error reporting.

• 错误处理是阻止最终用户查看任何堆栈跟踪，重要信息或自动生成的错误消息的过程.它还可以使用try catch块来修改脚本的运行方式.
• 错误报告定义了给定脚本将报告的信息.

• Error handling is the process of preventing your end users to see any stack trace, vital information or automatically generated error messages. It can also modify the way your script runs by using a try catch block.
• Error reporting defines which information will be reported by a given script.

为正确处理错误，我认为ini_set('display_errors',0);是更好的方法.您不希望在屏幕上显示任何错误消息.

To handle errors properly, I think that ini_set('display_errors',0); is the better approach. You do not want any error message displaying on the screen.

但是，我想获得有关错误的所有可能的信息，所以我使用error_reporting(E_ALL);.

However, I want to have all possible information on errors, so I use error_reporting(E_ALL);.

错误被写入文件error_log中，该文件通常与index.php(或任何直接调用的PHP文件)位于同一级别.您也可以从cPanel中访问它.

Errors are written in a file, error_log, which usually resides at the same level as your index.php (or any PHP file called directly). You can also access it from your cPanel.

您的错误可能没有被发现，因为您的代码位于名称空间中，而您想捕获全局名称空间PDOException.使用\表示正在寻找全局PDOException的脚本.一旦发现错误，就可以使用 PDOException类.

Your error is probably uncaught because your code is in a namespace, whereas you want to catch the global namespace PDOException. Use a \ to indicate your script you're looking for the global PDOException. Once you catch your error, you can echo the content you want, using the normal methods of the PDOException class.

try {
    $db = new PDO (/*connection infos*/);
}
catch (\PDOException $e) {
    switch ($e->errorCode()) {
        case 'HY000':
        // Or whatever error you are looking for
        // here it's the general error code
            mail('your@email.com','connection problem',$e->getTraceAsString());
            $db = new PDO (/*rollback connection infos of a local database*/);
            break;
    }
}

这会向您发送一封包含错误痕迹的邮件，以防止您的用户在告诉您某些错误时看到它.

That would send you a mail, containing the trace of the error, preventing your user from seeing it while telling you something is wrong.

这里是该参考表示PDO语句返回的错误代码.

Here is the reference for the error codes returned by PDO statements.

这篇关于未捕获的PDOException泄露用户名和密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！