Hello all,
As a beginner I've been experiencing lots of errors while building my
website (I'm currently attempting to implement a member
login/registration piece for my site using MySQL and PHP).
I've read that PHP is secure in that it hides lots of code from
hackers and people trying to snoop around on the web site running the
PHP scripts. However, one thing I've noticed is that whenever I get a
script error (for example, failure to connect), it lists the file
containing the PHP code. See below:
Warning: mysql_connect(): Access denied for user: 'xxxxx@localhost'
(Using password: YES) in
/content/host/x/x/www.xxxxxxx.com/web/classes/access_check/access_check.php
on line 98
Is this to be expected? Is this a security risk? Is it possible,
(and/or a good idea), to disable these warnings once I'm happy that
the code is stable?
Thanks for any advice.
Rod.
Jul 17 '05
le*********@natpro.com wrote: I couldn't find it on 'thephpwtf.com', and for us beginners (if
it's not too time consuming), can you show us how you would replace this snippet?
He must be in the process of getting it ready to post. I noticed that
he just added 2 more entries, and has emailed me 2 times about the one
I sent in...
Unfortunately, I'm a bit pressed for time today (deadlines!), but if it
doesn't get to the phpwtf site by my lunch time tomorrow, I'll try and
show an example.
As I always tell my students:
Security through obscurity is not security at all.
While I'm teaching classes, I continuously bring up questions like,
"Should we trust the value of this variable?" This is usually followed
by blank stares, so the next question is, "What if the value was...."
The SQL Injection thing really got them to thinking. I'm hoping that if
any of them go on to do web development that they will keep things like
this at the forefront of their planning stages.
<ro***********@yahoo.co.uk> wrote in message
news:11*****************@z14g2000cwz.googlegroups.com... Wow! Thanks for all the replies - very helpful!
This seems to be a cool place to hang out while I get my head around PHP :o)
Once my code is stable and errors are hidden from the user, emailing the errors to myself sounds like a good idea.
Until you're bombarded by e-mails triggered by various PHP exploit scanners
out there.
.oO(Mark) proper, secure, and robust coding ALWAYS involves checking return values and errors:
$file = fopen(...);
if ($file === false) { // fopen() returns false on failure, not NULL
    header("Location: showerror.php?errno=" . ERR_FOPEN_FAILED);
    exit;
}
Proper, secure and robust coding also uses an absolute URL in a Location
header, as required by the HTTP RFC.
Micha
Michael Fesser wrote: .oO(Mark)
proper, secure, and robust coding ALWAYS involves checking return values and errors:
$file = fopen(...);
if ($file === false) { // fopen() returns false on failure, not NULL
    header("Location: showerror.php?errno=" . ERR_FOPEN_FAILED);
    exit;
}
Proper, secure and robust coding also uses an absolute URL in a Location header, as required by the HTTP RFC.
Micha
touche` :-)
i'll consider myself reprimanded!!
mark.
--
I am not an ANGRY man. Remove the rage from my email to reply.
Chung Leong wrote: <ro***********@yahoo.co.uk> wrote in message news:11*****************@z14g2000cwz.googlegroups.com...
<snip> Once my code is stable and errors are hidden from the user,
emailing the errors to myself sounds like a good idea.
Until you're bombarded by e-mails triggered by various PHP exploit
scanners out there.
And so, one should send email alerts on a daily or hourly basis by
parsing the error log via cron, but certainly not on a per-error basis.
--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/
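An added example of the hourly digest described above (not code from the thread or any of its posters): a script run from cron that groups new lines of PHP's default error log by message and mails one summary. The log path, recipient address and crontab line are assumptions.

```php
<?php
// Added example: hourly digest of the PHP error log instead of one mail per error,
// so noise from scanners collapses into a single message.
// Assumed crontab entry:  0 * * * * php /srv/app/bin/error_digest.php
$logFile = '/var/log/php/app.log';   // assumed path, outside the web root
$to      = 'admin@example.com';      // assumed recipient
$since   = time() - 3600;            // only entries from the last hour
$counts  = [];

// PHP's default log line looks like:
// [17-Jul-2005 10:15:02 UTC] PHP Warning:  message in /path/file.php on line 98
$pattern = '/^\[(\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})[^\]]*\] (PHP [A-Za-z ]+?):\s+(.*?) in (\S+) on line (\d+)/';

foreach (file($logFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
    if (!preg_match($pattern, $line, $m)) {
        continue;                    // not a standard PHP log line
    }
    $ts = strtotime($m[1]);
    if ($ts === false || $ts < $since) {
        continue;                    // already covered by an earlier digest
    }
    // Group by severity + message + file + line; the timestamp is dropped
    // so repeated hits of the same problem count as one key.
    $key = sprintf('%s: %s in %s on line %s', $m[2], $m[3], $m[4], $m[5]);
    $counts[$key] = ($counts[$key] ?? 0) + 1;
}

if ($counts === []) {
    exit(0);                         // nothing new, send no mail
}
arsort($counts);                     // most frequent problem first
$body = '';
foreach ($counts as $msg => $n) {
    $body .= sprintf("%5d x %s\n", $n, $msg);
}
mail($to, sprintf('PHP error digest: %d distinct errors', count($counts)), $body);
```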
well, to address the original problem, no, mysql will not abruptly spit
out your username and password, it MAY however spit out information
about bad queries. Error checking on mysql is something that every
website needs, along with good logging, and you have a flexible,
dynamic, fast site.
Hiding errors with @ is a good idea, but what it is used for is to
check for an error, then display your own custom error message..
if you get an error on
mysql_connect();
and you have no error checking at all, the mysql/php error checking
will tell you what went wrong by itself, but if you have error
checking, then you can pick what to say, if anything at all.
a good way of doing this is something like
if (!@mysql_connect($host, $user, $pass)) { // mysql_connect() takes host, user, password in that order
    // print error here, log it, do w/e
    echo "Could not connect to database";
}
And for advanced error checking you can actually create your own error
handler, or you can just disable error warnings/messages completely..
but that's not a good idea seeing as you never know what could go wrong.
Just find a way to create a library that you can use for all your
mysql/database functions, and then make sure they have proper error
checking.