Akash Posted May 20, 2008

I was playing around a bit, and reading about securing overall. I noticed a lot of places said don't let the errors, which occur in queries, be visible to users. This is mainly because they are then able to gain info on your database, making it easier for them to inject, hack or whatever else. Basically when you execute a query such as this:

[code not shown]

It will obviously not work because there's no such field as id in our table, but it's userid (unless you've edited it). And if the users (hackers) see this, they gain data from this error:

[code not shown]

This makes it obvious that you're calling the users table and also that the id field is something like ID or userID or userid (not very difficult to guess). Therefore, I have created a script, about 5-10 lines of length. There's no files involved, but I'd say create a file called stats.php and put this in there, just to test.

[code not shown]

This query will not work, but instead of the error showing up, it will be sent in an event to the admin. To make this work in every query would mean you having to add this to every single query, a great hassle. But there's no need to add it for every query, just the main ones that could cause people to hack. To add it for a query find the query and add '$result =' before it. Then below it add:

[code not shown]

This will prevent the error from being shown and instead will send an event to userid 1 :)
Guest Anonymous Posted May 20, 2008

Re: Query Error Report

Not sure you've grasped the concepts behind error handling here... Error handling can be done locally on a per function call basis as you have attempted to demonstrate, however perhaps you would be better employed at looking at PHP's error handling systems... My own error handlers are initialized very early on in a page request (normally around the 10th or so line after some critical operations have run). From there on, I simply throw exceptions or trigger errors as required. This means no thinking about the code, no worrying that some idiot might wrap a mysql function up to hide errors which generates an event on error (which may in turn call the original function). Use the facilities available to you rather than trying to craft your own procedural mechanisms. Research topics: trigger_error(), error_reporting() and (IIRC) set_error_handler().
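The approach the second reply recommends, written out as an added example (this is not code from either poster): one set of handlers registered at the top of the request so that every failing query, not just the ones wrapped by hand, is reported to the admin in full while the visitor only sees a generic message. The helper name notify_admin() and the connection details are placeholders.

```php
<?php
// Added example: central error handling for database failures in PHP.
// notify_admin() is a hypothetical stand-in for "send an event to the admin".
declare(strict_types=1);

// Make mysqli throw exceptions on failure instead of returning false,
// so a bad query can never be silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// Raw PHP warnings (table names, column names, file paths) go to the
// server log only, never to the browser.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Placeholder: record the full detail where only the admin can read it.
function notify_admin(string $detail): void
{
    error_log('[query-error] ' . $detail);
}

// Any remaining warning/notice is turned into an exception, so one
// handler below deals with everything uniformly.
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    throw new ErrorException($str, 0, $no, $file, $line);
});

// Uncaught exceptions: full detail to the admin, generic text to the user.
set_exception_handler(function (Throwable $e): void {
    notify_admin(sprintf('%s in %s:%d', $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'Sorry, something went wrong. The administrator has been notified.';
});

// The situation from the first post: the column is really "userid", so this
// prepare() fails. The SQL error text reaches the log, not the visitor.
$uid = 1;
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'app'); // placeholder credentials
$stmt = $db->prepare('SELECT username FROM users WHERE id = ?');
$stmt->bind_param('i', $uid);
$stmt->execute();
```

Anything that must not fail, such as a missing configuration value, can be raised with trigger_error(..., E_USER_ERROR) and will flow through the same handlers.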