[2010-03-29 18:36 UTC] johannes@php.net
-Status: Open
+Status: Bogus
[2010-03-29 18:36 UTC] johannes@php.net
Description:
------------
Despite using the code as provided in the 'test script field', if the creation of the PDO object fails it shows both the username and password.

Fatal error: Uncaught exception 'PDOException' with message 'could not find driver' in C:\Program Files\BitNami WAPPStack\apache2\htdocs\cb.php:12
Stack trace:
#0 C:\Program Files\BitNami WAPPStack\apache2\htdocs\cb.php(12): PDO->__construct('pgsql:dbname=an...', 'someUsername', 'somePassword')
#1 {main}
  thrown in C:\Program Files\BitNami WAPPStack\apache2\htdocs\cb.php on line 12

So the first 2 letters of the database are visible along with the complete username and password. They hardly add anything of value to the error itself but pose quite the security risk if you have error reporting enabled on a production server.

Test script:
---------------
$settings = array(
    'database' => 'anAaa',
    'host'     => 'localhost',
    'username' => 'someUsername',
    'password' => 'somePassword'
);

$db = new PDO(
    sprintf(
        'pgsql:dbname=%s;host=%s',
        $settings['database'],
        $settings['host']
    ),
    $settings['username'],
    $settings['password']
);
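
An added example, not part of the original report and not PHP's own code: one way to keep the constructor arguments shown in the trace above out of error output. It assumes PHP 7 or later; connectOrFail() and safeTrace() are hypothetical helper names.

```php
<?php
// Added example. connectOrFail() and safeTrace() are hypothetical helpers.
// On PHP 7.4+, zend.exception_ignore_args=On in php.ini also drops arguments from traces.

// Keep uncaught errors out of HTTP responses and send them to the server log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Render a trace as file, line and function only, leaving out each frame's 'args'
// (the entries that exposed the username and password in the report).
function safeTrace(Throwable $e): string
{
    $lines = [];
    foreach ($e->getTrace() as $i => $frame) {
        $call  = ($frame['class'] ?? '') . ($frame['type'] ?? '') . $frame['function'];
        $where = isset($frame['file']) ? $frame['file'] . '(' . $frame['line'] . ')' : '[internal function]';
        $lines[] = sprintf('#%d %s: %s()', $i, $where, $call);
    }
    return implode("\n", $lines);
}

function connectOrFail(array $settings): PDO
{
    $dsn = sprintf('pgsql:dbname=%s;host=%s', $settings['database'], $settings['host']);
    try {
        return new PDO($dsn, $settings['username'], $settings['password']);
    } catch (PDOException $e) {
        // Log the driver message and the argument-free trace only.
        error_log('DB connect failed: ' . $e->getMessage() . "\n" . safeTrace($e));
        // The new exception is created here, so its trace has no PDO->__construct()
        // frame; the $settings array in this function's frame is rendered as "Array".
        throw new RuntimeException('Database connection failed');
    }
}

// Constructed values, same as the test script in the report.
$settings = array(
    'database' => 'anAaa',
    'host'     => 'localhost',
    'username' => 'someUsername',
    'password' => 'somePassword'
);

try {
    $db = connectOrFail($settings);
} catch (RuntimeException $e) {
    http_response_code(500);
    echo 'Service temporarily unavailable.';
}
```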