|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
[2010-03-29 18:36 UTC] johannes@php.net
-Status: Open
+Status: Bogus
[2010-03-29 18:36 UTC] johannes@php.net
|
|||||||||||||||||||||||||||
Copyright © 2001-2024 The PHP GroupAll rights reserved. |
Last updated: Fri May 17 11:01:34 2024 UTC |
Description: ------------ Despite using the code as provided in the 'test script field', if the creation of the PDO object fails it shows both the username and password. Fatal error: Uncaught exception 'PDOException' with message 'could not find driver' in C:\Program Files\BitNami WAPPStack\apache2\htdocs\cb.php:12 Stack trace: #0 C:\Program Files\BitNami WAPPStack\apache2\htdocs\cb.php(12): PDO->__construct('pgsql:dbname=an...', 'someUsername', 'somePassword') #1 {main} thrown in C:\Program Files\BitNami WAPPStack\apache2\htdocs\cb.php on line 12 So the first 2 letters of the database are visible along with the complete username and password. They hardly add anything of value to the error itself but pose quite the security risk if you have error reporting enabled on a production server. Test script: --------------- $settings = array( 'database' => 'anAaa', 'host' => 'localhost', 'username' => 'someUsername', 'password' => 'somePassword' ); $db = new PDO( sprintf( 'pgsql:dbname=%s;host=%s', $settings['database'], $settings['host'] ), $settings['username'], $settings['password'] );[/code]