Newsgroups: php.internals
Date: Thu, 13 Jun 2019 15:30:06 +0200
To: PHP internals
Subject: Re: [PHP-DEV] The real world
...
From: sjon@hortensius.net (Sjon Hortensius)

FWIW - hiding database passwords (when using PDO) would be possible when
https://github.com/php/php-src/pull/2684 gets included

Cheers, Sjon

On Thu, Jun 13, 2019 at 9:56 AM Andreas Heigl wrote:
> Hey All
>
> On 13.06.19 at 09:41, Nikita Popov wrote:
> > On Thu, Jun 13, 2019 at 9:35 AM Lester Caine wrote:
> >
> >> Seen in the wild ... company name sanitised
> >>
> >> Warning: mysqli::mysqli(): (HY000/2002): No such file or directory in
> >> /home/888/public_html/system/library/db/mysqli.php on line 7
> >>
> >> Fatal error: Uncaught exception 'Exception' with message 'Error:
> >> />Error No: ' in /home/888/public_html/system/library/db/mysqli.php:10
> >> Stack trace:
> >> #0 /home/888/public_html/system/nitro/core/nitro_db.php(29):
> >> DB\MySQLi->__construct('localhost', '888_4y65f5...', 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306')
> >> #1 /home/888/public_html/system/nitro/core/nitro_db.php(13):
> >> NitroDb->__construct('mysqli', 'localhost', '888_4y65f5...', 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306')
> >> #2 /home/888/public_html/system/storage/modification/system/library/db.php(11):
> >> NitroDb::getInstanceWithParams('mysqli', 'localhost', '888_4y65f5...', 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306')
> >> #3 /home/888/public_html/system/framework.php(36):
> >> DB->__construct('mysqli', 'localhost', '888_4y65f5...', 'J?vJr+j5iCju-bo...', '888_4y65f5...', '3306')
> >> #4 /home/888/public_html/vqmod/vqcache/vq2-system_startup.php(124):
> >> require_once('/home/888 in
> >> /home/888/public_html/system/library/db/mysqli.php on line 10
> >> 你的代码出错了：
> >>
> >> I presume something has been updated that they have not been aware of
> >> since it's a library file that triggered the warning ... but it's not the
> >> first time in recent years I've seen this sort of information on
> >> commercial sites and while my own clients just get white screens, those
> >> are created by the likes of Wordpress when 'automatic updates' happen.
> >>
> >> Many years ago the response was "well don't update", but 'current
> >> practice' takes that out of OUR hands! So isn't it time that the
> >> triggering exceptions like this did produce a more user secure response
> >> to protect against leaks like this and provide a better alternative than
> >> a white screen?
> >>
> >> In the case of this live site, I actually placed an order as it was only
> >> some links that triggered the fault, which may explain why they were not
> >> even aware there was a problem :( From the 'development' side, NitroDb->
> >> should obviously be handling the problem anyway.
> >>
> >
> > display_errors=Off in production.
> >
>
> While that makes absolute sense perhaps thinking whether there is a way
> to mark password-parameters in core-functions and hide them in
> Stack-traces might improve security as that would also hide
> user-provided credentials in log-files.
> That would not target userland methods/functions. Though having a
> Core-Value-object for credentials might even allow *that*
>
> Just my 0.02 €
>
> Cheers
>
> Andreas
> --
> ,,,
> (o o)
> +---------------------------------------------------------ooO-(_)-Ooo-+
> | Andreas Heigl                                                       |
> | mailto:andreas@heigl.org                  N 50°22'59.5" E 08°23'58" |
> | http://andreas.heigl.org                       http://hei.gl/wiFKy7 |
> +---------------------------------------------------------------------+
> | http://hei.gl/root-ca                                               |
> +---------------------------------------------------------------------+
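The leak in Lester's trace (credentials as positional string arguments, repeated in every frame) next to a userland version of the credentials value object Andreas suggests, as an added example that is not code from the thread, from php-src or from the site shown. It assumes PHP 8.1+ and the names Credentials, connectLeaky, connectSafe, leaksSecret and DUMMY_PASSWORD; the password value is a constructed dummy.

```php
<?php
declare(strict_types=1);
// Added example; not code from the thread, from php-src or from the site in
// Lester's trace. Names Credentials, connectLeaky, connectSafe, leaksSecret
// and DUMMY_PASSWORD are assumed; the password value is a constructed dummy.
const DUMMY_PASSWORD = 'hunter2-dummy';

// The pattern in the trace above: the secret travels as a positional string
// argument, so every frame that received it renders it in the backtrace.
function connectLeaky(string $host, string $user, string $pass): void
{
    throw new RuntimeException('Error: connection failed'); // stand-in for mysqli/PDO
}

// Userland take on the "value object for credentials" idea: a backtrace
// renders an object argument as Object(Credentials), so the password never
// reaches getTraceAsString(), and __debugInfo() keeps it out of var_dump().
final class Credentials
{
    public function __construct(
        public readonly string $host,
        public readonly string $user,
        private readonly string $password,
    ) {}
    public function password(): string { return $this->password; }
    public function __debugInfo(): array
    {
        return ['host' => $this->host, 'user' => $this->user, 'password' => '[redacted]'];
    }
}

function connectSafe(Credentials $c): void
{
    // The message may name host and user; it must never embed the password.
    throw new RuntimeException("Error: connection to {$c->user}@{$c->host} failed");
}

// True when the rendered trace contains the secret. The secret is deliberately
// not a parameter of this function: its own frame would otherwise leak it too.
function leaksSecret(callable $connect, mixed ...$args): bool
{
    try {
        $connect(...$args);
    } catch (RuntimeException $e) {
        return str_contains($e->getTraceAsString(), DUMMY_PASSWORD);
    }
    return false;
}
var_dump(leaksSecret('connectLeaky', 'localhost', 'app', DUMMY_PASSWORD));
var_dump(leaksSecret('connectSafe', new Credentials('localhost', 'app', DUMMY_PASSWORD)));
```

Run it with zend.exception_ignore_args=Off to see the contrast; that directive (PHP 7.4+, On in php.ini-production) drops arguments from traces entirely, and PHP 8.2+ adds the #[\SensitiveParameter] attribute for redacting a single argument, which is the core-level marking Andreas asks for. Neither replaces display_errors=Off, which keeps whatever the trace does contain off the public page.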