2

I use Zend_Db_Table to manage my MySQL connections. They works great, but there's just one HUGE security problem.

If there's an error, like MySQL is down, ZF throws an exception with the db connection username and password.

Here for example, I've set a wrong db password in my configuration. This is the exception thrown.

exception 'PDOException' with message 'SQLSTATE[28000] [1045] Access denied for user 'root'@'localhost' (using password: YES)' in /Users/claudiocanino/Dev/htdocs/include/Zend/Db/Adapter/Pdo/Abstract.php:129
Stack trace:
#0 /Users/claudiocanino/Dev/htdocs/include/Zend/Db/Adapter/Pdo/Abstract.php(129): PDO->__construct('mysql:dbname=ci...', 'root', 'rootads', Array)
#1 /Users/claudiocanino/Dev/htdocs/include/Zend/Db/Adapter/Pdo/Mysql.php(96): Zend_Db_Adapter_Pdo_Abstract->_connect()
#2 /Users/claudiocanino/Dev/htdocs/include/Zend/Db/Adapter/Abstract.php(459): Zend_Db_Adapter_Pdo_Mysql->_connect()
...

And here it is the username and password in clear. How can I modify the Zend_Db_Table class so it don't show sensible informations into its exceptions?

Thanks

Improve this question
4
  • 2
    If you change to production environment, there is no stack trace shown. In fact, there is no exception shown at all, just what you define in your ErrorController/view. Commented Dec 23, 2011 at 18:09
  • stackoverflow.com/questions/5393040/… Commented Dec 23, 2011 at 18:09
  • 1
    Also check out the resources.frontController.params.displayExceptions setting in your php.ini. If it is 1 (or non-zero) then the exception is shown regardless of the environment. Commented Dec 23, 2011 at 18:14
  • In my php.ini I've setted error_reporting = 0 and display_errors = Off. In the code there's also error_reporting(0); But it continues to show the same damn error. Do you have any idea? Thanks guys Commented Jan 5, 2012 at 1:15

1 Answer 1

Reset to default
3

Instead of changing display error options or production environment setting, you could define your ErrorController.

Having an ErrorController is almost mandatory for a project in a production system. It catches any exceptions thrown by your application due to a application logic flaw or it catches any URL that does not have any associated controllers/actions or does not match any pattern defined in your routers.

More details on setting up ErrorController for your Zend project - http://www.thedeveloperday.com/custom-profiler-for-live-environments/

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.