Request #56552 Password are shown in clear text on uncaught exceptions
Submitted: 2005-09-16 12:48 UTC    Modified: 2005-09-16 13:52 UTC
Votes: 1
Avg. Score: 3.0 ± 0.0
Reproduced: 1 of 1 (100.0%)
Same Version: 0 (0.0%)
Same OS: 0 (0.0%)
From: jome at emoj dot net    Assigned:
Status: Wont fix    Package: PDO (PECL)
PHP Version: Irrelevant    OS: Linux
Private report: No    CVE-ID: None
 [2005-09-16 12:48 UTC] jome at emoj dot net
Description:
------------
Using PDO 1.0RC1.

It would be nice if PDO didn't output the password parameter in clear text but somehow hid it when there's an uncaught exception.

Reproduce code:
---------------
new PDO("mysql:dbname=foo", "foo", "bar");

Expected result:
----------------
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[28000] [1045] Access denied for user 'foo'@'localhost' (using password: YES)' in Command line code:1
Stack trace:
#0 Command line code(1): PDO->__construct('mysql:dbname=fo...', 'foo', 'HIDDEN')
#1 {main}
  thrown in Command line code on line 1


Actual result:
--------------
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[28000] [1045] Access denied for user 'foo'@'localhost' (using password: YES)' in Command line code:1
Stack trace:
#0 Command line code(1): PDO->__construct('mysql:dbname=fo...', 'foo', 'bar')
#1 {main}
  thrown in Command line code on line 1

 [2005-09-16 13:52 UTC] wez@php.net
It's actually the Zend Engine that shows that.
Since the backtrace is debugging output, you shouldn't be displaying it in production.
There isn't a way for PDO to hide the password in the output, sorry (yes, it would be nice).
I'd recommend using set_exception_handler() to hide that output (and log it) and display a friendly error message to the user instead.
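Added here as an example of the mitigation wez@php.net recommends; it is not code from the report or from PDO. The handler logs the failure with argument values stripped from the trace (the third argument of the PDO->__construct() frame is the password) and shows the user a generic message; the function name formatTraceWithoutArgs() and the message text are my own choices.

```php
<?php
// Added example, not code from the bug report: the set_exception_handler()
// approach suggested in the reply. Detail goes to the server log with argument
// values omitted; the client only ever sees a generic message.

/** Format a trace like the engine does, but without any argument values. */
function formatTraceWithoutArgs(Throwable $e): string
{
    $lines = [];
    foreach ($e->getTrace() as $i => $frame) {
        $call = ($frame['class'] ?? '') . ($frame['type'] ?? '') . ($frame['function'] ?? '');
        $where = isset($frame['file'])
            ? sprintf('%s(%d)', $frame['file'], $frame['line'] ?? 0)
            : '[internal function]';
        $lines[] = sprintf('#%d %s: %s(...)', $i, $where, $call);
    }
    $lines[] = sprintf('#%d {main}', count($lines));
    return implode("\n", $lines);
}

set_exception_handler(function (Throwable $e): void {
    // getTraceAsString() is deliberately avoided: it embeds argument values,
    // and a str_replace() of the password over it is unreliable because the
    // engine truncates string arguments to 15 characters plus "...".
    error_log(sprintf(
        "Uncaught %s: %s in %s:%d\nStack trace:\n%s",
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine(),
        formatTraceWithoutArgs($e)
    ));

    // Nothing about the DSN, the user name or the password reaches the client.
    if (PHP_SAPI !== 'cli') {
        http_response_code(500);
    }
    echo "An internal error occurred. Please try again later.\n";
    exit(1);
});

// The reporter's reproduce case; "bar" is the sample password from the report.
new PDO('mysql:dbname=foo', 'foo', 'bar');
```

Since PHP 7.4 the zend.exception_ignore_args ini setting stops the engine from recording call arguments in traces at all, which closes the same hole for any code path that never reaches this handler.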
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Wed May 08 21:01:33 2024 UTC