otuatail Posted April 13, 2010

Hi, I have lots of 'or die' functions returning helpful error codes enabling me to find the function that was responsible, like:

    $row = mysql_num_rows($query) or die ("E1101"); // This works

The problem is the previous function connectDB(1); this connects to database 1 with

    $link = mysql_connect($host, $user, $pass) or die("E2020");

However this does not work. It does not give me 'E2020'. Instead it still gives a hacker a lot of information like:

    Warning: mysql_connect() [function.mysql-connect]: Access denied for user: 'desmond@222.171.218.190' (Using password: YES) in /home/fhlinux190/d/des-otoole.co.uk/user/htdocs/HC2010/includes/HCfunctions.php on line 77

WHY Using password: YES

I changed the password to a false one to test this but the password was not YES. I really need to trap this properly without giving a hacker all my database information.

Daniel0 Posted April 13, 2010

Turn off display_errors and then implement some real error handling once you've done that.

By the way, you do realize that you've just publicly published the information you're trying to hide, right?

otuatail Posted April 13, 2010

Actually I haven't published any information. I changed it before posting. I don't want to turn off errors. I want to do things like

    $row = mysql_num_rows($query) or die ("E1101");

This does not help the hacker but does help me discover which one of a thousand functions is responsible for the error. So no disable error. What I would like is for mysql_connect() to report a user specific error.

Daniel0 Posted April 13, 2010

You aren't developing on the live site, right? Get a development site or develop on your local computer. That will allow you to display errors when developing, but hide them in production.

Your error handling still sucks though. Have you ever seen any serious website just display a blank page with "E2020" on it when an error occurs?

Mchl Posted April 13, 2010

> WHY Using password: YES

That's MySQL's way of telling that a password was used for the login attempt (as opposed to logging in with no password - Using password: NO). MySQL will never actually show your MySQL user's password.

otuatail Posted April 13, 2010

My error handling might appear to suck but if invalid information is entered I need some way of knowing what is going on. These errors would hardly appear. I intend to redirect to a webpage with more useful information. However the PHP online manual says

    <?php
    $link = mysql_connect('localhost', 'mysql_user', 'mysql_password');
    if (!$link) {
        die('Could not connect: ' . mysql_error());
    }
    echo 'Connected successfully';
    mysql_close($link);
    ?>

This does not work. I have tried the following.

    $link = mysql_connect($host, $user, $pass);
    if (!$link) {
        die('Could not connect:');
        exit;
    }

ChemicalBliss Posted April 13, 2010

I would not do it like that, unless you want to echo something, which you shouldn't unless it says "sorry etc etc". Logging should be done server side; here is a simple way I used to do it:

    function sql_check(){
        // Compare the string directly: empty() cannot take a function call before PHP 5.5.
        if(mysql_error() !== ''){
            // Do Logging Here (file or whatever).
            // DEVELOPMENT: exit(mysql_error());
        }
    }

    $connect = @mysql_connect($host,$user,$pass);
    sql_check();

    $query = "SELECT ...";
    $result = @mysql_query($query);
    sql_check();

This is a real simple way to do it, but it works. @ is used for production code (released code), so no errors are sent to the client.

-CB-

Mchl Posted April 13, 2010

> @ is used for production code (released code), so no errors are sent to the client.

Or to a developer if he tries to debug...

Error logging, error reporting level, and error displaying can all be set up using php.ini directives (or even during runtime). You can have a 'config' file for development environment and another for production development that will set up these variables accordingly.

Instead of exit()ing or die()ing, wrap your code in try{}catch blocks and use Exceptions. You can even override default error handler to throw exceptions for pretty much everything except syntax and fatal errors.

Pikachu2000 Posted April 13, 2010

If it's returning anything other than E2020, it's probably another statement triggering the error. The or die() won't just arbitrarily decide to echo the mysql_error() when it's given some other error message. Throw a trigger_error() around it and see if it shows up in the PHP error log.

ChemicalBliss Posted April 13, 2010

Yes, it hides the error output full stop.

You should never assume ini directives to be a specific value OR that they can be changed, or your script will not work on half the most common web hosting servers.

And I purposely excluded stating the Try/Catch method with exceptions as this is a step down from Pear Error Handling (which is more robust), so it would be pointless to state, and the fact that this person is new, so it's best to stick to easy methods for his solutions, and let him advance his work instead of spending days on one functionality or giving up altogether.

For future advice, make sure you complete this script (so you get some experience in PHP), then you can learn more advanced techniques for more advanced scripts. Which you will need experience for regardless.

-CB-

Mchl Posted April 13, 2010

> You should never assume ini directives to be a specific value OR that they can be changed or your script will not work on half the most common web hosting servers.

This is all true of course, however all settings related to error handling can be (and ideally should be) set up at runtime: http://pl.php.net/manual/en/ref.errorfunc.php

ChemicalBliss Posted April 13, 2010

Totally agree mchl, all error handling should be set in stone before anything else, that way more of the script execution is covered by the error handling and there is less execution not covered.

Basically put, make sure you know where your errors are.

-CB-

otuatail Posted April 13, 2010

Hi, I am familiar with try catch etc. but not trigger error. I have no access to the server ini file. Can someone show me a foolproof method using any of the following lines please, where there is a wrong user or password etc.?

    $link = mysql_connect($host, $user, $pass);
    $database = @mysql_select_db ($data, $link);

otuatail Posted April 13, 2010

Thanks Mchl, this http://pl.php.net/manual/en/ref.errorfunc.php is very useful. I could make a dedicated error page with this. I still need to know how to trap the

    $link = mysql_connect($host, $user, $pass);
    $database = @mysql_select_db ($data, $link);

Desmond.

Daniel0 Posted April 13, 2010

Use set_error_handler to catch the errors.
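
The approach the replies above converge on (error settings changed at runtime, an error handler that throws, and try/catch around the connect), put together as an added example that is not from any poster in this thread. It swaps in mysqli_connect for the thread's mysql_connect, which was removed in PHP 7; the fail() helper, the connectDb() signature and the credentials are constructed for illustration.

```php
<?php
// Added example: helper names, the reference code and credentials are constructed.

// Set at runtime, so no access to php.ini is needed.
ini_set('display_errors', '0');   // never send PHP diagnostics to the browser
ini_set('log_errors', '1');       // keep them in the server-side error log
error_reporting(E_ALL);

// Promote warnings and notices to exceptions so one try/catch can trap them.
set_error_handler(function ($severity, $message, $file, $line) {
    if (!(error_reporting() & $severity)) {
        return false;             // respect the current reporting level
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Full detail goes to the log; the visitor only sees an opaque reference code.
function fail($code, Throwable $e)
{
    error_log(sprintf('[%s] %s in %s:%d',
        $code, $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    exit("Sorry, something went wrong. Reference: $code");
}

function connectDb($host, $user, $pass, $name)
{
    try {
        // Older PHP raises a warning here (turned into ErrorException above);
        // PHP 8.1+ throws mysqli_sql_exception by default. Both are Throwable.
        $link = mysqli_connect($host, $user, $pass, $name);
        if (!$link) {
            throw new RuntimeException((string) mysqli_connect_error());
        }
        return $link;
    } catch (Throwable $e) {
        fail('E2020', $e);        // "Access denied for user ..." stays in the log
    }
}

// Constructed credentials: with a wrong password the page shows only E2020.
$link = connectDb('127.0.0.1', 'app_user', 'wrong-password', 'app_db');
```

The same code can show full errors on a development machine by switching display_errors to '1' in a per-environment config file, as suggested earlier in the thread.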