php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #51428 new PDO is spitting out the password/username for all to see on error.
Submitted: 2010-03-29 17:58 UTC Modified: 2010-03-29 18:36 UTC
From: pBakhuis at Gmail dot com Assigned:
Status: Not a bug Package: PostgreSQL related
PHP Version: 5.2.13 OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: pBakhuis at Gmail dot com
New email:
PHP Version: OS:

 

 [2010-03-29 17:58 UTC] pBakhuis at Gmail dot com
Description:
------------
Despite using the code as provided in the 'test script field', if the creation of the PDO object fails it shows both the username and password.


Fatal error: Uncaught exception 'PDOException' with message 'could not find driver' in C:\Program Files\BitNami WAPPStack\apache2\htdocs\cb.php:12 Stack trace: #0 C:\Program Files\BitNami WAPPStack\apache2\htdocs\cb.php(12): PDO->__construct('pgsql:dbname=an...', 'someUsername', 'somePassword') #1 {main} thrown in C:\Program Files\BitNami WAPPStack\apache2\htdocs\cb.php  on line 12

So the first 2 letters of the database are visible along with the complete username and password. They hardly add anything of value to the error itself but pose quite the security risk if you have error reporting enabled on a production server.


Test script:
---------------
$settings = array(
  'database' => 'anAaa',
  'host'     => 'localhost',
  'username' => 'someUsername',
  'password' => 'somePassword'
);

$db = new PDO(
	  sprintf(
	    'pgsql:dbname=%s;host=%s',
	    $settings['database'],
	    $settings['host']
	  ),
	  $settings['username'],
	  $settings['password']
	);[/code]


Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2010-03-29 18:36 UTC] johannes@php.net
-Status: Open +Status: Bogus
 [2010-03-29 18:36 UTC] johannes@php.net
Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

Catch your errors properly never show PHP errors to users.
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 14 08:01:27 2024 UTC