PDO Error Check

[LeonLatex]

I have developed this database connection. I took a little from here and a little from there. I began to study it more closely.  As I understand this, if this fails, it will release a lot of information to website visitors, such as passwords etc. Actually, the user does not need a lot of error codes if the connection to the DB is not successful. I am the one who needs that information. So how do I keep the print-to-screen information, but without the user on the website getting this information? I'm the only one who needs that information. Heres the script:

<?php
try {
    $pdo = new PDO('mysql:host=sql31.mcb.webhuset.no;dbname=**********;
    charset=utf8', '**********', '********');
    
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    
    $output = 'No ERROR.';
    } catch (PDOException $e) {
    
    $output = 'ERROR: ' . $e;
    }
    include __DIR__ . '/../templates/output.html.php';
 

[mac_gyver]

the only database errors that are recoverable by the visitor on a site are when inserting/updating duplicate or out of range visitor submitted data. this is the only case where you should catch and handle a database statement exception, where you would test the error number in the catch logic, for things the visitor can correct, and setup a helpful message letting the visitor know exactly what was wrong with the data that they submitted. for all other error numbers, just rethrow the exception and let php catch and handle it. for all other cases, do not even put try/catch logic in your code.

when you let php catch and handle the database exceptions, php uses its error related settings to control what happen with the actual error information, via an uncaught exception error (database statement errors will 'automatically' get displayed/logged the same as php errors.)

so, by simply setting php's display_errors or log_errors settings (error_reporting should always be set to E_ALL), you can switch from displaying the raw database statement errors when learning, developing, and debugging, to logging the raw database statement errors on a live/public server.

BTW - when you make the connection, you should also set emulated prepared queries to false, you want to run true prepared queries, and set the default fetch mode to assoc, so that you don't need to specify it in each fetch statement.

Edited August 8, 2022 by mac_gyver

[LeonLatex]

Do you mean like this?

 catch (PDOException $e_all) {
    
    $output = 'ERROR: ' . $e_all;

[mac_gyver]

no that's not the error number i wrote about (whatever you are using to translate replies into your native language is not working.) that's the raw error message that you DON'T want to output to visitors/hackers since it won't mean anything to a visitor and it is exactly what a hacker wants to see when they intentionally do things that trigger errors.

the error number is in the caught exception property ->errorInfo[1]. the specific number for a duplicate index error is 1062. note: there is also a ->getCode() method, which is the sqlstate error number. this however encompasses a number of different related errors, so is not specific to a duplicate index error that you want to setup a message for to let the visitor know what was wrong with the data value that they submitted.

[LeonLatex]

44 minutes ago, mac_gyver said:

no that's not the error number i wrote about (whatever you are using to translate replies into your native language is not working.) that's the raw error message that you DON'T want to output to visitors/hackers since it won't mean anything to a visitor and it is exactly what a hacker wants to see when they intentionally do things that trigger errors.

That's excactly what i mean, and I dont want to do that. Error information is only useful for me.

the error number is in the caught exception property ->errorInfo[1]. the specific number for a duplicate index error is 1062. note: there is also a ->getCode() method, which is the sqlstate error number. this however encompasses a number of different related errors, so is not specific to a duplicate index error that you want to setup a message for to let the visitor know what was wrong with the data value that they submitted.

I tried different solution, but nothing was working. I have to look at this when i wake up later today. I have been up all night and need to go to sleep.

 

[Barand]

5 hours ago, mac_gyver said:

so, by simply setting php's display_errors or log_errors settings (error_reporting should always be set to E_ALL), you can switch from displaying the raw database statement errors when learning, developing, and debugging, to logging the raw database statement errors on a live/public server.

->

+-----------------------+---------------+--------------+
|  php.ini file setting |  development  |  production  |
|                       |    server     |    server    |
+-----------------------+---------------+--------------+
|  error_reporting      |    E_ALL      |    E_ALL     |       
|  display_errors       |    ON         |    OFF       |
|  log_errors           |    OFF        |    ON        |
+-----------------------+---------------+--------------+

 

[LeonLatex]

2 hours ago, Barand said:

->

+-----------------------+---------------+--------------+
|  php.ini file setting |  development  |  production  |
|                       |    server     |    server    |
+-----------------------+---------------+--------------+
|  error_reporting      |    E_ALL      |    E_ALL     |       
|  display_errors       |    ON         |    OFF       |
|  log_errors           |    OFF        |    ON        |
+-----------------------+---------------+--------------+

 

 

On the develop server (my local server) everything is set as you suggest Barand. On the production server (at webhuset) there is one difference. Error reporting is "E-all and E-notice". 

Is that OK or should it say only E-all?

Display errors is set to off as you tell me it should.
Log errors is set to on.

 

[Barand]

38 minutes ago, LeonLatex said:

Error reporting is "E-all and E-notice". Is that OK or should it say only E-all?

Change it.

E_ALL and E_NOTICE = E_NOTICE

| E_ALL                |    111111111111111 |
| E_NOTICE             |               1000 |
| E_ALL & E_NOTICE     |               1000 |

If you want to switch off notices you need E_ALL and not E_NOTICE

| E_ALL &~ E_NOTICE    |    111111111110111 |

(By the time you get to production any e_notices should've been eliminated)

[mac_gyver]

you should never disable any php error reporting level. you will end up missing things that legitimate visitors manage to do that you didn't take into account in your code and discover during testing and things that hackers do in an attempt (that fails or succeeds) to break in. you want to know when these things are occurring so that you can take appropriate action.

[LeonLatex]

Sorry, Barand. Just had to ask since there was an option no one mentioned. I changed it to E_ALL

[LeonLatex]

3 hours ago, Barand said:

(By the time you get to production any e_notices should've been eliminated)

 

Of course 🤓👍👌