bcosca / fatfree

A powerful yet easy-to-use PHP micro-framework designed to help you build dynamic and robust Web applications - fast!

Sensitive information may be displayed to user even if DEBUG is set to 0, display_errors = Off in php.ini #1129

Closed ladislavmoravek closed 5 years ago

ladislavmoravek commented 6 years ago

https://github.com/bcosca/fatfree/blob/e2a3bdbb6e2a0cee837cd8d480ef1ec8e49c931a/lib/base.php#L1283

In case of PDO error you may see something like this: SQLSTATE[08006] [7] FATAL: password authentication failed for user "testUser" [/var/www/vendor/bcosca/fatfree-core/db/sql.php:523]

It also seems to ignore the display_errors = Off inside php.ini

WilliamStam commented 5 years ago

Define your own ONERROR function for it.

```php
$f3->set('ONERROR', function() use ($f3) {
    // ERROR holds the code, status, text and trace of the failure;
    // keep those server-side and show the user only a generic message
    $error = $f3->get('ERROR');
    error_log($error['text']);
    echo 'An error occurred.';
});
```

After that you can pretty much display whatever you like on the screen.

ikkez commented 5 years ago

This is triggered by the default error handler. If you wish to change that, create the PDO connection with exception mode and fetch that exception, or create a custom error handler as William suggested.
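The two approaches above (William's custom ONERROR handler and ikkez's exception-mode PDO connection) put together in one runnable script. This is an added example, not code from the fatfree project or from the participants in this issue; it assumes Fat-Free is installed through Composer (`vendor/autoload.php`), and the DSN, user name and password are placeholders. The handler logs the full `ERROR` array (code, status, text, trace) server-side and sends the browser only a generic message, so the PDO text that leaked the user name and file path in the report above never reaches the client even with `DEBUG` at 0.

```php
<?php
// Added example, not code from the fatfree project or the issue participants.
// Assumes Fat-Free is installed via Composer; DSN and credentials are placeholders.
require 'vendor/autoload.php';

$f3 = \Base::instance();
$f3->set('DEBUG', 0);

// Custom error handler: replaces the default one that rendered the PDO
// message (user name, file path) in the browser. Details go to the server
// log; the client gets a generic message and the right HTTP status.
$f3->set('ONERROR', function (\Base $f3) {
    $err = $f3->get('ERROR');   // keys: code, status, text, trace
    error_log(sprintf(
        '[%d %s] %s%s',
        $err['code'],
        $err['status'],
        $err['text'],
        !empty($err['trace']) ? "\n" . $err['trace'] : ''
    ));
    http_response_code($err['code'] ?: 500);
    echo 'An internal error occurred. Please try again later.';
});

// PDO in exception mode: a failed connection or query throws a PDOException,
// which is caught here instead of reaching the framework's error handler.
$f3->route('GET /', function (\Base $f3) {
    try {
        $db = new \DB\SQL(
            'pgsql:host=localhost;dbname=placeholder_db',   // placeholder DSN
            'placeholder_user',                             // placeholder user
            'placeholder_password',                         // placeholder password
            [\PDO::ATTR_ERRMODE => \PDO::ERRMODE_EXCEPTION]
        );
        echo 'Connected';
    } catch (\PDOException $e) {
        // Log the driver message (it may contain the user name) server-side only
        error_log('DB connection failed: ' . $e->getMessage());
        // Hand a sanitized error to the ONERROR handler above
        $f3->error(503, 'Database unavailable');
    }
});

$f3->run();
```

With `DEBUG` at 0 the `trace` entry is empty, so raise `DEBUG` in a development environment to get the stack trace into the server log; the browser output stays the same generic message in either case.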