FWIW - hiding database passwords (when using PDO) would be possible when https://github.com/php/php-src/pull/2684 gets included
Cheers,
Sjon

On Thu, Jun 13, 2019 at 9:56 AM Andreas Heigl <andr...@heigl.org> wrote:

> Hey All
>
> On 13.06.19 at 09:41, Nikita Popov wrote:
> > On Thu, Jun 13, 2019 at 9:35 AM Lester Caine <les...@lsces.uk> wrote:
> >
> >> Seen in the wild ... company name sanitised
> >>
> >> Warning: mysqli::mysqli(): (HY000/2002): No such file or directory in
> >> /home/888/public_html/system/library/db/mysqli.php on line 7
> >>
> >> Fatal error: Uncaught exception 'Exception' with message 'Error: <br
> >> />Error No: ' in /home/888/public_html/system/library/db/mysqli.php:10
> >> Stack trace: #0
> >> /home/888/public_html/system/nitro/core/nitro_db.php(29):
> >> DB\MySQLi->__construct('localhost', '888_4y65f5...',
> >> 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306') #1
> >> /home/888/public_html/system/nitro/core/nitro_db.php(13):
> >> NitroDb->__construct('mysqli', 'localhost', '888_4y65f5...',
> >> 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306') #2
> >> /home/888/public_html/system/storage/modification/system/library/db.php(11):
> >> NitroDb::getInstanceWithParams('mysqli', 'localhost', '888_4y65f5...',
> >> 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306') #3
> >> /home/888/public_html/system/framework.php(36):
> >> DB->__construct('mysqli', 'localhost', '888_4y65f5...',
> >> 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306') #4
> >> /home/888/public_html/vqmod/vqcache/vq2-system_startup.php(124):
> >> require_once('/home/888 in
> >> /home/888/public_html/system/library/db/mysqli.php on line 10
> >> 你的代码出错了:
> >>
> >> I presume something has been updated that they have not been aware of
> >> since it's library file that triggered the warning ... but it's not the
> >> first time in recent years I've seen this sort of information on
> >> commercial sites and while my own clients just get white screens, those
> >> are created by the likes of Wordpress when 'automatic updates' happen.
> >>
> >> Many years ago the response was "well don't update", but 'current
> >> practice' takes that out of OUR hands! So isn't it time that the
> >> triggering exceptions like this did produce a more user secure response
> >> to protect against leaks like this and provide a better alternative than
> >> a white screen?
> >>
> >> In the case of this live site, I actually placed an order as it was only
> >> some links that triggered the fault, which may explain why they were not
> >> even aware there was a problem :( From the 'development' side, NitroDb->
> >> should obviously be handling the problem anyway.
> >>
> >
> > display_errors=Off in production.
> >
>
> While that makes absolute sense perhaps thinking whether there is a way
> to mark password-parameters in core-functions and hide them in
> Stack-traces might improve security as that would also hide
> user-provided credentials in log-files.
> That would not target userland methods/functions. Though having a
> Core-Value-object for credentials might even allow *that*
>
> Just my 0.02 €
>
> Cheers
>
> Andreas
> --
>                                                               ,,,
>                                                              (o o)
> +---------------------------------------------------------ooO-(_)-Ooo-+
> | Andreas Heigl                                                       |
> | mailto:andr...@heigl.org                  N 50°22'59.5" E 08°23'58" |
> | http://andreas.heigl.org                       http://hei.gl/wiFKy7 |
> +---------------------------------------------------------------------+
> | http://hei.gl/root-ca                                               |
> +---------------------------------------------------------------------+
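
Added example, not part of the original thread and not PHP core or PR 2684 code: a userland exception handler that combines the two mitigations discussed above, keeping errors off the page and writing a stack trace whose call arguments are reduced to their types, so a password passed as a parameter never reaches the log. The `redactedTrace()` and `connect()` names and the sample credentials are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Production posture from the thread: never render errors to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

/**
 * Format an exception's trace with every call argument replaced by its type,
 * and file paths cut down to the base name (no /home/... disclosure either).
 */
function redactedTrace(Throwable $e): string
{
    $lines = [];
    foreach ($e->getTrace() as $i => $frame) {
        // 'args' can be missing entirely, so default to an empty list.
        $args  = array_map('gettype', $frame['args'] ?? []);
        $call  = ($frame['class'] ?? '') . ($frame['type'] ?? '') . $frame['function'];
        $where = isset($frame['file'])
            ? basename($frame['file']) . ':' . $frame['line']
            : '[internal]';
        $lines[] = sprintf('#%d %s: %s(%s)', $i, $where, $call, implode(', ', $args));
    }
    return implode("\n", $lines);
}

set_exception_handler(function (Throwable $e): void {
    // Full detail goes to the server log only, with arguments already redacted.
    error_log(sprintf("%s: %s\n%s", get_class($e), $e->getMessage(), redactedTrace($e)));
    if (!headers_sent()) {
        http_response_code(500);
    }
    // The visitor gets a generic page instead of a trace or a white screen.
    echo "Something went wrong. Please try again later.\n";
});

// Constructed stand-in for the DB wrapper seen in the quoted trace.
function connect(string $host, string $user, string $password): void
{
    throw new RuntimeException('connection failed');
}

connect('localhost', 'app_user', 'constructed-password');
// Logged frame looks like: #0 example.php:46: connect(string, string, string)
```

The exception message itself is still logged verbatim, so code that builds messages must not interpolate credentials into them. Since PHP 7.4 the `zend.exception_ignore_args` ini setting makes the engine omit arguments from traces altogether, which is why the handler tolerates a missing `args` key.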