Open dhofstetter opened 9 years ago
This is not an issue of this project but an issue of PDO: http://security.stackexchange.com/questions/15452/should-passwords-be-revealed-in-error-message
You can avoid this by wrapping the PDO construction in a try/catch.
I agree, however, that it should possibly be included in the example files as such.
When we have the case that, for some circumstances, the database is not available and so the connection is not available, then there is a PDOException, which is quite OK so far. But not handling this exception somewhere and firing a new one is quite bad. The reason is that the current way makes your username and password available to everyone who can at least see the PHP error output, if it is enabled.

As you can see here, the constructor arguments to OAuth2/Storage/Pdo are shown as strings. It would be better not to rely on PHP error output being disabled, as this might not be the case everywhere, and a database cannot be available every time.

```
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY000] [2002] Connection refused' in /home/.sites/65/site9693764/web/portal/vendor/bshaffer/oauth2-server-php/src/OAuth2/Storage/Pdo.php:53
Stack trace:
#0 /home/.sites/65/site9693764/web/portal/vendor/bshaffer/oauth2-server-php/src/OAuth2/Storage/Pdo.php(53): PDO->__construct('mysql:host=127....', 'dev', 'dev', Array)
#1 /home/.sites/65/site9693764/web/portal/vendor/zfcampus/zf-oauth2/src/Adapter/PdoAdapter.php(89): OAuth2\Storage\Pdo->__construct(Array, Array)
#2 /home/.sites/65/site9693764/web/portal/vendor/zfcampus/zf-oauth2/src/Factory/PdoAdapterFactory.php(45): ZF\OAuth2\Adapter\PdoAdapter->__construct(Array, Array)
#3 [internal function]: ZF\OAuth2\Factory\PdoAdapterFactory->createService(Object(Zend\ServiceManager\ServiceManager), 'zfoauth2adapter...', 'ZF\OAuth2\Adapt...')
#4 /home/.sites/65/site9693764/web/portal/vendor/zendframework/zendframework/library/Zend/ServiceManager/ServiceManager.php(902): call_user_func(Array, Object(Zend\ServiceM
in /home/.sites/65/site9693764/web/portal/vendor/zendframework/zendframework/library/Zend/ServiceManager/ServiceManager.php on line 909
```
Don't know if this is an issue of interest, but I think so.
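Below is an added example (not code from oauth2-server-php, zf-oauth2 or either commenter) of the try/catch wrapping suggested in the reply above, next to the naive form that produced the trace in the issue. It shows why the leak happens: PHP records the arguments of every frame in an exception's trace, so `new PDO($dsn, $user, $pass)` called with scalar credentials prints them verbatim (frame #0 above), while an array argument is rendered only as `Array`. The hardened helper takes the credentials as one array, catches `PDOException`, logs only the driver message, and throws a fresh exception without attaching the original as `$previous`. The function names, the constructed config array and the logging callback are assumptions of this example; the `zend.exception_ignore_args` setting referred to in the comments exists in PHP 7.4 and later.

```php
<?php
declare(strict_types=1);

// Constructed example configuration. The password is the secret that must
// never reach error output; in the issue's trace it is the literal 'dev'.
// Port 1 is used so the connection attempt fails quickly and deterministically.
$config = [
    'dsn'      => 'mysql:host=127.0.0.1;port=1;dbname=oauth2',
    'username' => 'dev',
    'password' => 'dev-secret',
    'options'  => [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION],
];

/**
 * Naive form, equivalent to what the issue's trace shows: the PDOException
 * escapes with frame #0 = PDO->__construct('mysql:...', 'dev', 'dev-secret', Array).
 */
function connectNaively(array $config): PDO
{
    return new PDO($config['dsn'], $config['username'], $config['password']);
}

/**
 * Hardened form (assumed helper, not the library's API).
 *
 * - Credentials arrive inside one array, so any frame that mentions this
 *   call renders them as "Array" rather than as literal strings.
 * - The PDOException is caught here and replaced by a generic RuntimeException
 *   that carries neither DSN nor credentials in message or trace.
 * - The original is deliberately NOT passed as $previous: its trace still
 *   contains the PDO::__construct() frame with the password, and many error
 *   handlers print the whole exception chain.
 * - Only getMessage()/getCode() are logged (to a private log), never
 *   getTraceAsString(). Note that some driver messages still name the user.
 */
function connectPdo(array $config, ?callable $logger = null): PDO
{
    try {
        return new PDO(
            $config['dsn'],
            $config['username'],
            $config['password'],
            $config['options'] ?? []
        );
    } catch (PDOException $e) {
        if ($logger !== null) {
            $logger(sprintf('database connection failed: [%s] %s', $e->getCode(), $e->getMessage()));
        }
        throw new RuntimeException('Database unavailable');
    }
}

// Force argument recording on so the demonstration is independent of php.ini
// (php.ini-production ships zend.exception_ignore_args = On, php.ini-development Off).
ini_set('zend.exception_ignore_args', '0');

try {
    connectNaively($config);
} catch (PDOException $e) {
    $leaks = strpos($e->getTraceAsString(), $config['password']) !== false;
    echo 'naive trace contains password:    ', $leaks ? 'yes' : 'no', "\n";
}

try {
    connectPdo($config, static function (string $msg): void {
        error_log($msg); // goes to the server's error log, not to the client
    });
} catch (RuntimeException $e) {
    $leaks = strpos($e->getMessage() . $e->getTraceAsString(), $config['password']) !== false;
    echo 'hardened exception contains password: ', $leaks ? 'yes' : 'no', "\n";
}
```

Run it with `php -d display_errors=1 example.php`; whichever PDO driver is installed, the failing connection raises a `PDOException`, the naive trace includes `'dev-secret'` and the hardened one does not. As a second layer, setting `zend.exception_ignore_args = On` in php.ini (PHP 7.4+) stops PHP recording any frame arguments at all, so traces from code you do not control (framework factories, third-party adapters) stop leaking as well; the try/catch is still worth having because it also removes the DSN and driver message from what a user-facing error page can show.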