From:             imbeware at yahoo dot com
Operating system: Any
PHP version:      Irrelevant
Package:          PDO related
Bug Type:         Feature/Change Request
Bug description:  Password should be concealed on connection error

Description:
------------
As defined in the Warning note on http://php.net/manual/en/pdo.connections.php, connection errors from the PDO constructor, if not caught, will reveal the database password.

Why do I think this is a problem? Consider if you have an offshore team of programmers where the password should not be known to "junior" programmers. This poses a security leak if a connection error occurs while in development mode.

Also take into consideration the novice programmers who are not aware of turning off errors during production or using try/catch.

Test script:
---------------
$dbh = new PDO('mysql:host=localhost;dbname=wrongdbname', 'user', 'pass');

Expected result:
----------------
If the code produces a connection error, the username and password of the database will be revealed.

Actual result:
--------------
Upon error, the following message appears with the username and password:

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000] [1049] Unknown database 'wrongdbname' in D:\htdocs\index.php:1
Stack trace:
#0 D:\htdocs\index.php(16): PDO->__construct('mysql:host=loca...', 'user', 'pass')

-- 
Edit bug report at https://bugs.php.net/bug.php?id=62184&edit=1
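
The try/catch mitigation mentioned in the report, as an added example that is not part of the original report or of PHP itself. It assumes credentials come from the environment variables DB_DSN, DB_USER and DB_PASS (names chosen here; the fallbacks are the sample values from the test script), and open_database() is a hypothetical helper.

```php
<?php
declare(strict_types=1);

/**
 * Hypothetical helper (added example): opens the connection so that the
 * password is never an argument of a user-code frame and the PDOException
 * never escapes uncaught.
 */
function open_database(): PDO
{
    // Read credentials here, not in the caller. A wrapper such as
    // connect($dsn, $user, $pass) would put the password back into the
    // stack trace, one frame higher up.
    // Assumed variable names; fallbacks are the report's sample values.
    $dsn  = getenv('DB_DSN')  ?: 'mysql:host=localhost;dbname=wrongdbname';
    $user = getenv('DB_USER') ?: 'user';
    $pass = getenv('DB_PASS') ?: 'pass';

    try {
        return new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        // Log the message only. In the case reported above it holds the
        // SQLSTATE and driver text; the constructor arguments appear in
        // the trace, so (string) $e and getTraceAsString() are not logged.
        error_log('DB connection failed: ' . $e->getMessage());

        // Throw a fresh exception and do not chain $e as $previous: an
        // uncaught exception prints the traces of its whole chain, which
        // would include the PDO->__construct(...) frame again.
        throw new RuntimeException('Database connection failed');
    }
}

try {
    $dbh = open_database();
} catch (RuntimeException $e) {
    // Generic response for the client; details stay in the server log.
    http_response_code(500);
    echo 'Service temporarily unavailable.';
}
```

Even if the RuntimeException were left uncaught, its trace would show only open_database() with no arguments.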