How do I stop MySQL errors that include the database password from being output to the browser?

Posted on 2024-10-17 07:28:31

When the server has a MySQL config or other error it prints the MySQL user name and password to the browser. This is a security risk in that if the SQL db is unavailable it will also print the password to the browser.

In this example I intentionally set the password incorrectly, here is the output:

Fatal error: Uncaught exception
'PDOException' with message
'SQLSTATE[28000] [1045] Access denied
for user 'username'@'localhost' (using
password: YES)' in
/usr/local/zend/share/ZendFramework/library/Zend/Db/Adapter/Pdo/Abstract.php:129
Stack trace: #0
/usr/local/zend/share/ZendFramework/library/Zend/Db/Adapter/Pdo/Abstract.php(129):
PDO->__construct('mysql:host=loca...',
'drupal', 'password', Array) #1
/usr/local/zend/share/ZendFramework/library/Zend/Db/Adapter/Pdo/Mysql.php(96):
Zend_Db_Adapter_Pdo_Abstract->_connect() #2
/usr/local/zend/share/ZendFramework/library/Zend/Db/Adapter/Abstract.php(459):
Zend_Db_Adapter_Pdo_Mysql->_connect() #3
/usr/local/zend/share/ZendFramework/library/Zend/Db/Adapter/Pdo/Abstract.php(238):
Zend_Db_Adapter_Abstract->query('DESCRIBE
site_...', Array) #4
/usr/local/zend/share/ZendFramework/library/Zend/Db/Adapter/Pdo/Mysql.php(156):
Zend_Db_Adapter_Pdo_Abstract->query('DESCRIBE
site_...') #5
/usr/local/zend/share/ZendFramework/library/Zend/Db/Table/Abstract.php(823):
Zend_Db_Adapter_Pdo_Mysq in
/usr/local/zend/share/ZendFramework/library/Zend/Db/Adapter/Pdo/Abstract.php
on line 144

Here is the current config code in the index.php file

global $db;
if ($CFG->flagDBAdapters) {
    // Build one adapter per configured database
    foreach ($config->db as $config_name => $database) {
        $dbAdapters[$config_name] = Zend_Db::factory(
            $database->adapter,
            $database->config->toArray()
        );
        // Register the adapter flagged as default
        if ((boolean) $database->default) {
            Zend_Db_Table::setDefaultAdapter($dbAdapters[$config_name]);
            $db = $dbAdapters[$config_name];
        }
    }
    Zend_Registry::set('dbAdapters', $dbAdapters);
}

I tried reading more about PDO and inserting

$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);

That just resulted in a different error

Fatal error: Call to undefined method
Zend_Db_Adapter_Pdo_Mysql::setAttribute()
in
/usr/local/zend/apache2/htdocs/source/index.php
on line 301

Can anyone help point me in the right direction as to what I should be looking for?


Comments (3)

天赋异禀 2024-10-24 07:28:31

Well, it's more of a Zend Framework related question than a general PHP issue.
So ZF should have its own ways to disable such behavior.

As for PHP, the display_errors setting should always be turned off on the production server.

春风十里 2024-10-24 07:28:31

You can use set_error_handler to specify your own error handler, which should display something much more user-friendly in production while displaying more detailed debugging data during development/testing.
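
The following PHP is an added example, not code from this thread or from Zend Framework. It combines the display_errors setting mentioned above with an exception handler (set_exception_handler, since the failure in the question is an uncaught exception), so that a failed connection is logged on the server without the stack trace that carried the PDO arguments. It assumes PHP 7.4 or later; the DSN, user name, password and function names are constructed placeholders.

```php
<?php
// Added example; names, DSN and credentials below are constructed placeholders.

// Production settings: log errors on the server, never render them to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// PHP 7.4+: leave function arguments (here the PDO user/password) out of traces.
ini_set('zend.exception_ignore_args', '1');

// Describe an exception chain for the log without the stack trace, since the
// trace is where the PDO constructor arguments appeared in the question's output.
function describeExceptionSafely(Throwable $e): string
{
    $parts = [];
    for ($cur = $e; $cur !== null; $cur = $cur->getPrevious()) {
        $parts[] = sprintf('%s: %s (%s:%d)', get_class($cur), $cur->getMessage(),
            basename($cur->getFile()), $cur->getLine());
    }
    return implode(' <- ', $parts);
}

// Last resort for anything uncaught: details go to the log, the client gets
// a generic message.
set_exception_handler(function (Throwable $e): void {
    error_log('Uncaught: ' . describeExceptionSafely($e));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'An internal error occurred.';
});

// Handle connection failure where it happens. With Zend_Db (ZF1) the same
// pattern is a try/catch around $db->getConnection(), which forces the lazy
// connection, catching Zend_Db_Adapter_Exception.
function connectOrNull(string $dsn, string $user, string $password): ?PDO
{
    try {
        return new PDO($dsn, $user, $password,
            [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    } catch (PDOException $e) {
        error_log('DB connect failed: ' . describeExceptionSafely($e));
        return null;
    }
}

$pdo = connectOrNull('mysql:host=localhost;dbname=example', 'app_user', 'placeholder');
if ($pdo === null) {
    http_response_code(503);
    echo 'Service temporarily unavailable.';
    exit;
}
```

The driver message that reaches the log still names the database user ("Access denied for user ..."), so the error log itself should be readable only by administrators.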

笙痞 2024-10-24 07:28:31

Putting the @ symbol in front of a statement suppresses errors from being output.
